testing: Reorganizing IKEv1 and IKEv2 examples

author Andreas Steffen <andreas.steffen@strongswan.org>

Sun, 4 Apr 2021 08:45:46 +0000 (10:45 +0200)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Fri, 21 May 2021 07:42:50 +0000 (09:42 +0200)
author Andreas Steffen <andreas.steffen@strongswan.org>
Sun, 4 Apr 2021 08:45:46 +0000 (10:45 +0200)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Fri, 21 May 2021 07:42:50 +0000 (09:42 +0200)
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot

index 6336b8a0fdf1ac1a478aed7ddbe5363282c981f6..8e096b0bbbad9e4e296d4febff774abe9cecfc94 100755 (executable)
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
@@ -147,10 +147,10 @@ pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
  
  # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
  TEST="${TEST_DIR}/ikev2/crl-ldap"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
-cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
-cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl
+cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl/stale.crl
+cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl/stale.crl
  
  # Generate host keys
  for h in ${HOSTS}
@@ -187,21 +187,21 @@ cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
  # Convert moon private key into unencrypted PKCS#8 format
  TEST="${TEST_DIR}/ikev2/rw-pkcs8"
  HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
  openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
  
  # Convert carol private key into v1.5 DES encrypted PKCS#8 format
  HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
  openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
                -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
  
  # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
  HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
  openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
                -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
  
@@ -209,8 +209,8 @@ openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
  # Public Key Extraction                                                        #
  ################################################################################
  
-# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
-TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+# Extract the raw moon public key for the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
  TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
  HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
@@ -219,27 +219,17 @@ pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
  
  # Put a copy into the  following ikev2 scenarios
-for t in net2net-dnssec net2net-pubkey rw-dnssec
+for t in net2net-dnssec rw-dnssec
  do
    TEST="${TEST_DIR}/ikev2/${t}"
-  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-  cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  done
  
-# Put a copy into the ikev2/net2net-pubkey scenario
-TEST="${TEST_DIR}/ikev2/net2net-pubkey"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-
-# Put a copy into the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the following swanctl scenarios
+# Put a copy into the following ikev2 scenarios
  for t in rw-pubkey-anon rw-pubkey-keyid
  do
-  TEST="${TEST_DIR}/swanctl/${t}"
+  TEST="${TEST_DIR}/ikev2/${t}"
    for h in moon carol dave
    do
      mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
@@ -247,8 +237,8 @@ do
    done
  done
  
-# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
-TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+# Extract the raw sun public key for the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
  TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
  HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
  pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
@@ -256,49 +246,44 @@ cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
  # Put a copy into the ikev2/net2net-dnssec scenario
  TEST="${TEST_DIR}/ikev2/net2net-dnssec"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-
-# Put a copy into the ikev2/net2net-pubkey scenario
-TEST="${TEST_DIR}/ikev2/net2net-pubkey"
-cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
  
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+# Put a copy into the ikev2/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
-# Extract the raw carol public key for the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
+# Extract the raw carol public key for the ikev2/rw-dnssec scenario
+TEST="${TEST_DIR}/ikev2/rw-dnssec"
  TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
  HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+# Put a copy into the ikev2/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
  cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
-# Put a copy into the swanctl/rw-pubkey-keyid scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+# Put a copy into the ikev2/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
  cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
-# Extract the raw dave public key for the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
+# Extract the raw dave public key for the ikev2/rw-dnssec scenario
+TEST="${TEST_DIR}/ikev2/rw-dnssec"
  TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
  HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+# Put a copy into the ikev2/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
  cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
-# Put a copy into the swanctl/rw-pubkey-keyid scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+# Put a copy into the ikev2/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
  cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  
@@ -341,12 +326,22 @@ issue_cert 05 alice alice@strongswan.org Sales
  issue_cert 06 venus venus.strongswan.org
  issue_cert 07 bob bob@strongswan.org Research
  
+# Copy carol's credentials into the dave directory of the following scenarios
+for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+  cp ${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+  cp ${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+done
+
  # Create PKCS#12 file for moon
  TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
  HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+MOON_PKCS12="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12/moonCert.p12"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
  openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
          -certfile ${CA_CERT} -caname "strongSwan Root CA" \
          -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
@@ -354,8 +349,8 @@ openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
  # Create PKCS#12 file for sun
  HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
  HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
-SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
+SUN_PKCS12="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12/sunCert.p12"
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
  openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
          -certfile ${CA_CERT} -caname "strongSwan Root CA" \
          -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
@@ -393,8 +388,8 @@ do
    echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
  done
  
-# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
-TEST="${TEST_DIR}/swanctl/crl-to-cache"
+# Generate a carol certificate for the ikev2/crl-to-cache scenario with base CDP
+TEST="${TEST_DIR}/ikev2/crl-to-cache"
  TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  CN="carol@strongswan.org"
@@ -404,7 +399,7 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rs
      --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
      --outform pem > ${TEST_CERT}
  
-# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
+# Generate a moon certificate for the ikev2/crl-to-cache scenario with base CDP
  TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  CN="moon.strongswan.org"
@@ -420,29 +415,19 @@ KEY_PWD="nH5ZQEWtku0RJEZ6"
  openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
          2> /dev/null
  
-# Put a copy into the ikev2/dynamic-initiator scenario
-for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-  cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
-done
-
-# Put a copy into the swanctl/rw-cert scenario
-TEST="${TEST_DIR}/swanctl/rw-cert"
+# Put a copy into the ikev2/rw-cert scenario
+TEST="${TEST_DIR}/ikev2/rw-cert"
  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  
  # Generate another carol certificate and revoke it
  TEST="${TEST_DIR}/ikev2/crl-revoked"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
  SERIAL="08"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -455,18 +440,18 @@ cp ${CA_CRL} ${CA_LAST_CRL}
  
  # Put a copy into the ikev2/ocsp-revoked scenario
  TEST="${TEST_DIR}/ikev2/ocsp-revoked"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  
  # Generate another carol certificate with serialNumber=002
  TEST="${TEST_DIR}/ikev2/two-certs"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-002.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-002.pem"
  SERIAL="09"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -479,10 +464,10 @@ cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  ################################################################################
  
  # Generate a Research CA certificate signed by the Root CA and revoke it
-TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+TEST="${TEST_DIR}/ikev2-multi-ca/revoked"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
  SERIAL="0A"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
@@ -502,33 +487,20 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Put a certificate copy into the following scenarios
-for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
-         ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
-         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
+for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
+         ikev2-multi-ca/pathlen ikev2-multi-ca/ocsp-signers \
+         ikev2-multi-ca/ocsp-strict-ifuri
  do
    TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-done
-
-for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
    cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  done
  
-for t in rw-hash-and-url-multi-level
+for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
+         ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
+         ikev2-multi-ca/rw-hash-and-url
  do
-  TEST="${TEST_DIR}/swanctl/${t}"
+  TEST="${TEST_DIR}/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
    cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  done
@@ -537,9 +509,9 @@ done
  openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
  
  # Generate Research CA with the same private key as above but invalid CDP
-TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+TEST="${TEST_DIR}/ikev2-multi-ca/skipped"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
      --crl "http://crl.strongswan.org/not-available.crl" \
      --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
@@ -560,31 +532,18 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Put a certificate copy into the following scenarios
-for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
-         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
-         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
+for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
+         ikev2-multi-ca/ocsp-signers ikev2-multi-ca/ocsp-strict-ifuri
  do
    TEST="${TEST_DIR}/${t}"
-  cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-done
-
-for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
-  cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
    cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  done
  
-for t in rw-hash-and-url-multi-level
+for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
+         ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
+         ikev2-multi-ca/rw-hash-and-url
  do
-  TEST="${TEST_DIR}/swanctl/${t}"
+  TEST="${TEST_DIR}/${t}"
    mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
    cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
  done
@@ -619,7 +578,7 @@ pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L
      --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
      --outform pem > ${LEVELS_L3_CERT}
  
-for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
+for t in ikev2-multi-ca/crls-l3 tkm/multi-level-ca
  do
    TEST="${TEST_DIR}/${t}"
    for h in moon carol
@@ -640,13 +599,13 @@ openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/
  
  # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
  TEST="${TEST_DIR}/ikev2/strong-keys-certs"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey-aes128.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert-sha224.pem"
  KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
  CN="moon.strongswan.org"
  SERIAL="0D"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -657,13 +616,13 @@ openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-aes192.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-sha384.pem"
  KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
  CN="carol@strongswan.org"
  SERIAL="0E"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -674,13 +633,13 @@ openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey-aes256.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert-sha512.pem"
  KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
  CN="dave@strongswan.org"
  SERIAL="0F"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -692,12 +651,12 @@ cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Generate another carol certificate with an OCSP URI
  TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
  SERIAL="10"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -705,20 +664,15 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
-# Put a copy into the ikev2/ocsp-timeouts-good scenario
-TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-
-# Put a copy into the swanctl/ocsp-signer-cert scenario
-for t in ocsp-signer-cert ocsp-disabled
+# Put a copy into the following ikev2 scenarios
+for t in ocsp-timeouts-good ocsp-disabled ocsp-no-signer-cert ocsp-root-cert \
+         ocsp-untrusted-cert
  do
-  cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
-  mkdir -p rsa x509
-  cp ${TEST_KEY} rsa
-  cp ${TEST_CERT} x509
+  TEST="${TEST_DIR}/ikev2/${t}"
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+  cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  done
  
  # Generate an OCSP Signing certificate for the strongSwan Root CA
@@ -746,10 +700,10 @@ pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
  
  # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
  TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
  
  # Generate mars virtual server certificate
  TEST="${TEST_DIR}/ha/both-active"
@@ -774,7 +728,7 @@ cp ${TEST_KEY}  ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
  cp ${TEST_CERT} ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
  
  # Put a copy into the ha/active-passive and swanctl/redirect-active scenarios
-for t in "ha/active-passive" "swanctl/redirect-active"
+for t in ha/active-passive ikev2/redirect-active
  do
    TEST="${TEST_DIR}/${t}"
    for h in alice moon
@@ -788,12 +742,12 @@ done
  
  # Generate moon certificate with an unsupported critical X.509 extension
  TEST="${TEST_DIR}/ikev2/critical-extension"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  CN="moon.strongswan.org"
  SERIAL="13"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -811,12 +765,12 @@ cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  
  # Generate sun certificate with an unsupported critical X.509 extension
  TEST="${TEST_DIR}/ikev2/critical-extension"
-TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
-TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
+TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
  CN="sun.strongswan.org"
  SERIAL="14"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -877,13 +831,13 @@ cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
  
  # Generate Attribute Authority certificate
  TEST="${TEST_DIR}/ikev2/acert-cached"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert.pem"
  CN="strongSwan Attribute Authority"
  SERIAL="17"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
@@ -892,59 +846,59 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Generate carol's attribute certificate for sales and finance
-ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
+ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/carol-sales-finance.pem"
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/01.pem --group sales --group finance \
      --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
  
  # Generate dave's expired attribute certificate for sales
-ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
+ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-sales-expired.pem"
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/02.pem --group sales \
      --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
  
  # Generate dave's attribute certificate for marketing
-ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
+ACERT_DM="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-marketing.pem"
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/02.pem --group marketing \
      --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
  
  # Put a copy into the ikev2/acert-fallback scenario
  TEST="${TEST_DIR}/ikev2/acert-fallback"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
-cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
  
  # Generate carol's expired attribute certificate for finance
-ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+ACERT=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-finance-expired.pem
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/01.pem --group finance \
      --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
  
  # Generate carol's valid attribute certificate for sales
-ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
+ACERT_CS=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-sales.pem
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/01.pem --group sales \
      --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
  
  # Put a copy into the ikev2/acert-inline scenario
  TEST="${TEST_DIR}/ikev2/acert-inline"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
-cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
-cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
+cp ${ACERT_CS}  ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
+cp ${ACERT_DM}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
  
  # Generate a short-lived Attribute Authority certificate
  CN="strongSwan Legacy AA"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey-expired.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert-expired.pem"
  SERIAL="18"
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
@@ -954,8 +908,8 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  
  # Generate dave's attribute certificate for sales from expired AA
-ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+ACERT=${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac/dave-expired-aa.pem
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
  pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
      --in ${CA_DIR}/certs/02.pem --group sales \
      --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
@@ -976,13 +930,13 @@ sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
  ################################################################################
  
  # Generate a carol research certificate
-TEST="${TEST_DIR}/ikev2/multi-level-ca"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+TEST="${TEST_DIR}/ikev2-multi-ca/crls"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -995,23 +949,14 @@ openssl rsa -in ${TEST_KEY} -outform der \
              -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
  
  # Put a copy in the following scenarios
-for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
-         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
-         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
-         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
-         ikev1/multi-level-ca-cr-resp
+for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
+         ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
+         ikev2-multi-ca/loop ikev2-multi-ca/revoked \
+         ikev2-multi-ca/skipped ikev2-multi-ca/rw-hash-and-url \
+         ikev1-multi-ca/crls ikev1-multi-ca/certreq-init \
+         ikev1-multi-ca/certreq-resp
  do
    TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-  cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
-  cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-done
-
-for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
    cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
@@ -1019,15 +964,15 @@ do
  done
  
  # Generate a carol research certificate without a CDP
-TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
      --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
      --outform pem > ${TEST_CERT}
-cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  
  # Generate an OCSP Signing certificate for the Research CA
  TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
@@ -1043,10 +988,10 @@ pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
  cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
  
  # Generate a Sales CA certificate signed by the Research CA
-TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
+TEST="${TEST_DIR}/ikev2-multi-ca/loop"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/sales_by_researchCert.pem"
  SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
      --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
      --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
@@ -1066,17 +1011,17 @@ pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
      --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
  cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
  
-# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
-TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
-cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+# Put a certificate copy in the ikev2-multi-ca/pathlen scenario
+TEST="${TEST_DIR}/ikev2-multi-ca/pathlen"
+cp ${DUCK_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  
  # Generate a carol certificate signed by the Duck Research CA
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1093,13 +1038,13 @@ sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
  ################################################################################
  
  # Generate a dave sales certificate
-TEST="${TEST_DIR}/ikev2/multi-level-ca"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+TEST="${TEST_DIR}/ikev2-multi-ca/crls"
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
  CN="dave@strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1112,21 +1057,12 @@ openssl rsa -in ${TEST_KEY} -outform der \
              -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
  
  # Put a copy in the following scenarios
-for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
-         ikev2/ocsp-multi-level ikev1/multi-level-ca \
-         ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
+for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
+         ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
+         ikev2-multi-ca/rw-hash-and-url ikev1-multi-ca/crls \
+         ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp
  do
    TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-  cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-done
-
-for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
    cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
@@ -1134,15 +1070,15 @@ do
  done
  
  # Generate a dave sales certificate with an inactive OCSP URI and no CDP
-TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
  pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
      --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
      --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
-cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
  
  # Generate an OCSP Signing certificate for the Sales CA
  TEST_KEY="${SALES_DIR}/ocspKey.pem"
@@ -1158,10 +1094,10 @@ pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
  cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
  
  # Generate a Research CA certificate signed by the Sales CA
-TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
+TEST="${TEST_DIR}/ikev2-multi-ca/loop"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/research_by_salesCert.pem"
  SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
      --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
      --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
@@ -1177,7 +1113,7 @@ sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
  ################################################################################
  
  # Generate a carol l3 certificate
-TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
+TEST="${TEST_DIR}/ikev2-multi-ca/crls-l3"
  TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
@@ -1326,10 +1262,10 @@ pki --self --type rsa --in ${RFC3779_KEY} \
  
  # Put a copy in the ikev2/net2net-rfc3779 scenario
  TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
-cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
  
  # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
  TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
@@ -1340,12 +1276,12 @@ cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
  
  # Generate a moon RFC3779 certificate
  TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  CN="moon.strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1367,12 +1303,12 @@ done
  
  # Generate a sun RFC3779 certificate
  TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
-TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
+TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
  CN="sun.strongswan.org"
  SERIAL="02"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1440,8 +1376,8 @@ pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
      --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
      --outform pem > ${SHA3_RSA_CERT}
  
-# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
-TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
+# Put a copy in the ikev2/net2net-sha3-rsa-cert scenario
+TEST="${TEST_DIR}/ikev2/net2net-sha3-rsa-cert"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
  cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
@@ -1490,8 +1426,8 @@ cp ${SUN_KEY}       rsa
  cp ${SUN_CERT}      x509
  cp ${SHA3_RSA_CERT} x509ca
  
-# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
-TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
+# Put a copy in the ikev2/rw-eap-tls-sha3-rsa scenario
+TEST="${TEST_DIR}/ikev2/rw-eap-tls-sha3-rsa"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
@@ -1546,8 +1482,8 @@ pki --self --type ed25519 --in ${ED25519_KEY} \
      --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
      --outform pem > ${ED25519_CERT}
  
-# Put a copy in the swanctl/net2net-ed25519 scenario
-TEST="${TEST_DIR}/swanctl/net2net-ed25519"
+# Put a copy in the ikev2/net2net-ed25519 scenario
+TEST="${TEST_DIR}/ikev2/net2net-ed25519"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
  cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
@@ -1596,23 +1532,8 @@ cp ${SUN_KEY}      pkcs8
  cp ${SUN_CERT}     x509
  cp ${ED25519_CERT} x509ca
  
-# Put a copy in the ikev2/net2net-ed25519 scenario
-TEST="${TEST_DIR}/ikev2/net2net-ed25519"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
-cd ${TEST}/hosts/moon/${IPSEC_DIR}
-mkdir -p cacerts certs private
-cp ${MOON_KEY}     private
-cp ${MOON_CERT}    certs
-cp ${ED25519_CERT} cacerts
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
-cd ${TEST}/hosts/sun/${IPSEC_DIR}
-mkdir -p cacerts certs private
-cp ${SUN_KEY}      private
-cp ${SUN_CERT}     certs
-cp ${ED25519_CERT} cacerts
-
-# Put a copy in the swanctl/rw-ed25519-certpol scenario
-TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
+# Put a copy in the ikev2/rw-ed25519-certpol scenario
+TEST="${TEST_DIR}/ikev2/rw-ed25519-certpol"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
@@ -1667,18 +1588,18 @@ pki --self --type rsa --in ${MONSTER_KEY} \
  
  # Put a copy in the ikev2/after-2038-certs scenario
  TEST="${TEST_DIR}/ikev2/after-2038-certs"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${MONSTER_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${MONSTER_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  
  # Generate a moon Monster certificate
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  CN="moon.strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
      --in ${TEST_KEY} --san ${CN} \
@@ -1688,12 +1609,12 @@ pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
  cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
  
  # Generate a carol Monster certificate
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  CN="carol@strongswan.org"
  SERIAL="02"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
  pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
      --in ${TEST_KEY} --san ${CN} \
@@ -1717,13 +1638,6 @@ for t in rw-newhope-bliss rw-ntru-bliss
  do
    TEST="${TEST_DIR}/ikev2/${t}"
    for h in moon carol dave
-  do
-    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
-    cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
-  done
-
-  TEST="${TEST_DIR}/swanctl/${t}"
-  for h in moon carol dave
    do
      mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
      cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
@@ -1732,12 +1646,12 @@ done
  
  # Generate a carol BLISS certificate with 128 bit security strength
  TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/carolKey.der"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.der"
  CN="carol@strongswan.org"
  SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  pki --gen --type bliss --size 1 > ${TEST_KEY}
  pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1747,29 +1661,19 @@ cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
  
  # Put a copy in the ikev2/rw-ntru-bliss scenario
  TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-
-# Put a copy in the swanctl scenarios
-for t in rw-newhope-bliss rw-ntru-bliss
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
-  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-  cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
-  cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-done
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  
  # Generate a dave BLISS certificate with 160 bit security strength
  TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/daveKey.der"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.der"
  CN="dave@strongswan.org"
  SERIAL="02"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
  pki --gen --type bliss --size 3 > ${TEST_KEY}
  pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1779,29 +1683,19 @@ cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
  
  # Put a copy in the ikev2/rw-ntru-bliss scenario
  TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
-cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
-
-# Put a copy in the swanctl scenarios
-for t in rw-newhope-bliss rw-ntru-bliss
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
-  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-  cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
-  cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
-done
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
  
  # Generate a moon BLISS certificate with 192 bit security strength
  TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/moonKey.der"
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.der"
  CN="moon.strongswan.org"
  SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  pki --gen --type bliss --size 4 > ${TEST_KEY}
  pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
@@ -1811,20 +1705,10 @@ cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
  
  # Put a copy in the ikev2/rw-ntru-bliss scenario
  TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
-
-# Put a copy in the swanctl scenarios
-for t in rw-newhope-bliss rw-ntru-bliss
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
-  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-  cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
-  cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
-done
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  
  ################################################################################
  # SQL Data                                                                     #
@@ -2007,7 +1891,7 @@ SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
  #
  for h in moon sun
  do
-  TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
+  TEST_DATA="${TEST_DIR}/ikev2-stroke/net2net-rsa/hosts/${h}/etc/ipsec.conf"
    sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
        -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
        ${TEST_DATA}.in > ${TEST_DATA}
diff --git a/testing/tests/swanctl/frags-ipv4/description.txt b/testing/tests/ike/frags-ipv4/description.txt

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/description.txt

rename to testing/tests/ike/frags-ipv4/description.txt
diff --git a/testing/tests/swanctl/frags-ipv4/evaltest.dat b/testing/tests/ike/frags-ipv4/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/evaltest.dat

rename to testing/tests/ike/frags-ipv4/evaltest.dat
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ike/frags-ipv4/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv4/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ike/frags-ipv4/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv4/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ike/frags-ipv4/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv4/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv4/posttest.dat b/testing/tests/ike/frags-ipv4/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/posttest.dat

rename to testing/tests/ike/frags-ipv4/posttest.dat
diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/ike/frags-ipv4/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/pretest.dat

rename to testing/tests/ike/frags-ipv4/pretest.dat
diff --git a/testing/tests/swanctl/config-payload/test.conf b/testing/tests/ike/frags-ipv4/test.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/test.conf

rename to testing/tests/ike/frags-ipv4/test.conf
diff --git a/testing/tests/swanctl/frags-ipv6/description.txt b/testing/tests/ike/frags-ipv6/description.txt

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/description.txt

rename to testing/tests/ike/frags-ipv6/description.txt
diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/ike/frags-ipv6/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/evaltest.dat

rename to testing/tests/ike/frags-ipv6/evaltest.dat
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/ike/frags-ipv6/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv6/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/ike/frags-ipv6/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv6/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/ike/frags-ipv6/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf

rename to testing/tests/ike/frags-ipv6/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ike/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ike/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/frags-ipv6/posttest.dat b/testing/tests/ike/frags-ipv6/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/posttest.dat

rename to testing/tests/ike/frags-ipv6/posttest.dat
diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/ike/frags-ipv6/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/pretest.dat

rename to testing/tests/ike/frags-ipv6/pretest.dat
diff --git a/testing/tests/swanctl/frags-ipv6/test.conf b/testing/tests/ike/frags-ipv6/test.conf

similarity index 100%

rename from testing/tests/swanctl/frags-ipv6/test.conf

rename to testing/tests/ike/frags-ipv6/test.conf
diff --git a/testing/tests/ikev2/esp-alg-null/description.txt b/testing/tests/ikev1-algs/alg-3des-md5/description.txt

similarity index 67%

rename from testing/tests/ikev2/esp-alg-null/description.txt

rename to testing/tests/ikev1-algs/alg-3des-md5/description.txt

index 7fe79b6ea8d6330be9900a184dc6a032241d1328..5f6a8660fb9db021c92ad5a5118985fde82adead 100644 (file)
--- a/testing/tests/ikev2/esp-alg-null/description.txt
+++ b/testing/tests/ikev1-algs/alg-3des-md5/description.txt
@@ -1,3 +1,4 @@
  Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>NULL / HMAC_SHA256_128</b> by defining <b>esp=null-sha256</b> in ipsec.conf.
+<b>3des-md5-modp1024</b>. The same cipher suite is used for IKE, too.
+<p/>
  A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/alg-3des-md5/evaltest.dat b/testing/tests/ikev1-algs/alg-3des-md5/evaltest.dat

new file mode 100644 (file)

index 0000000..8fb1e0b
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-3des-md5/evaltest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..08e2a06
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =3des-md5-modp1024
+         }
+      }
+      version = 1
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2ec51be
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = 3des-md5-modp1024
+         }
+      }
+      version = 1
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/ikev1-algs/alg-3des-md5/posttest.dat

similarity index 63%

rename from testing/tests/swanctl/ocsp-signer-cert/posttest.dat

rename to testing/tests/ikev1-algs/alg-3des-md5/posttest.dat

index 20a78fa78f2e050258a583916f3b85471acff2cf..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat
+++ b/testing/tests/ikev1-algs/alg-3des-md5/posttest.dat
@@ -1,3 +1,2 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
  moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/ikev1-algs/alg-3des-md5/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/pretest.dat

rename to testing/tests/ikev1-algs/alg-3des-md5/pretest.dat
diff --git a/testing/tests/swanctl/protoport-dual/test.conf b/testing/tests/ikev1-algs/alg-3des-md5/test.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/test.conf

rename to testing/tests/ikev1-algs/alg-3des-md5/test.conf
diff --git a/testing/tests/ikev2/alg-blowfish/description.txt b/testing/tests/ikev1-algs/alg-blowfish/description.txt

similarity index 58%

rename from testing/tests/ikev2/alg-blowfish/description.txt

rename to testing/tests/ikev1-algs/alg-blowfish/description.txt

index 24b50b909be311f221d409ff3e26f84759be5399..47f559ba7a0206f4710368510ee427593d8a5c6e 100644 (file)
--- a/testing/tests/ikev2/alg-blowfish/description.txt
+++ b/testing/tests/ikev1-algs/alg-blowfish/description.txt
@@ -1,6 +1,5 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP encryption.
+<p/>
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-algs/alg-blowfish/evaltest.dat b/testing/tests/ikev1-algs/alg-blowfish/evaltest.dat

new file mode 100644 (file)

index 0000000..23e96ea
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/evaltest.dat
@@ -0,0 +1,12 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 192::YES
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..20cb079
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish128-sha256-modp1536
+         }
+      }
+      version = 1
+      proposals = blowfish128-sha256-modp1536
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..a52007a
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048
+         }
+      }
+      version = 1
+      proposals = blowfish256-sha512-modp2048
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1d27eca
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048,blowfish128-sha256-modp1536
+         }
+      }
+      version = 1
+      proposals = blowfish256-sha512-modp2048,blowfish128-sha256-modp1536
+   }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev1-algs/alg-blowfish/posttest.dat

similarity index 78%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat

rename to testing/tests/ikev1-algs/alg-blowfish/posttest.dat

index b517a1adf3244f206da471d1dcac826592441fab..86f297255bf64c6007cc3cb990d9ffc519720fc8 100644 (file)
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev1-algs/alg-blowfish/posttest.dat
@@ -1,4 +1,3 @@
+moon::systemctl stop strongswan
  carol::systemctl stop strongswan
  dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
diff --git a/testing/tests/ikev1-algs/alg-blowfish/pretest.dat b/testing/tests/ikev1-algs/alg-blowfish/pretest.dat

new file mode 100644 (file)

index 0000000..6020ff4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-blowfish/pretest.dat
@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/frags-ipv4/test.conf b/testing/tests/ikev1-algs/alg-blowfish/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/frags-ipv4/test.conf

rename to testing/tests/ikev1-algs/alg-blowfish/test.conf
diff --git a/testing/tests/ikev1/alg-modp-subgroup/description.txt b/testing/tests/ikev1-algs/alg-modp-subgroup/description.txt

similarity index 76%

rename from testing/tests/ikev1/alg-modp-subgroup/description.txt

rename to testing/tests/ikev1-algs/alg-modp-subgroup/description.txt

index cb7d117201b696c98f0b9818cb267e25cd00923d..ff497bebf64390f6b6574b2a03593571f37227eb 100644 (file)
--- a/testing/tests/ikev1/alg-modp-subgroup/description.txt
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/description.txt
@@ -1,4 +1,4 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b> using the <b>MODP Diffie-Hellman Groups 22, 23, and 24</b>
  with <b>Prime Order Subgroups</b>.
  <p/>
@@ -7,8 +7,5 @@ with <b>Prime Order Subgroups</b>.
  Since <b>moon</b> does not support MODP_2048_224 the roadwarriors fall back to
  MODP_1024_160 and MODP_2048_256, respectively.
  <p/>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/ikev1-algs/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1-algs/alg-modp-subgroup/evaltest.dat

new file mode 100644 (file)

index 0000000..34df834
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

similarity index 70%

rename from testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

index be00a11eb21f7218f2a810cbf63fccb56a365528..1a3653375f7ff2ed94967fb9adebf0440225d682 100644 (file)
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..57d4cc4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha1
+         }
+      }
+      version = 1
+      proposals = aes128-sha1-modp2048s224,aes128-sha1-modp1024s160
+   }
+}
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

similarity index 70%

rename from testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

index be00a11eb21f7218f2a810cbf63fccb56a365528..1a3653375f7ff2ed94967fb9adebf0440225d682 100644 (file)
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0d92eb5
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-modp2048s224,aes128-sha256-modp2048s256
+   }
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

similarity index 70%

rename from testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

index be00a11eb21f7218f2a810cbf63fccb56a365528..1a3653375f7ff2ed94967fb9adebf0440225d682 100644 (file)
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f6649f6
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-sha1
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-modp2048s256,aes128-sha1-modp1024s160
+   }
+}
diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/ikev1-algs/alg-modp-subgroup/posttest.dat

similarity index 50%

rename from testing/tests/swanctl/crl-to-cache/posttest.dat

rename to testing/tests/ikev1-algs/alg-modp-subgroup/posttest.dat

index f97a66b33ecccc873dcfc01e230465c04d3f110e..86f297255bf64c6007cc3cb990d9ffc519720fc8 100644 (file)
--- a/testing/tests/swanctl/crl-to-cache/posttest.dat
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/posttest.dat
@@ -1,4 +1,3 @@
-carol::systemctl stop strongswan
  moon::systemctl stop strongswan
-moon::rm /etc/swanctl/x509crl/*
-carol::rm /etc/swanctl/x509crl/*
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1-algs/alg-modp-subgroup/pretest.dat

new file mode 100644 (file)

index 0000000..6020ff4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-modp-subgroup/pretest.dat
@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ip-pool/test.conf b/testing/tests/ikev1-algs/alg-modp-subgroup/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/ip-pool/test.conf

rename to testing/tests/ikev1-algs/alg-modp-subgroup/test.conf
diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1-algs/alg-sha256/description.txt

similarity index 67%

rename from testing/tests/ikev1/esp-alg-null/description.txt

rename to testing/tests/ikev1-algs/alg-sha256/description.txt

index 7fe79b6ea8d6330be9900a184dc6a032241d1328..d50811d7d1fd8ec01c286fc72d192060102429a1 100644 (file)
--- a/testing/tests/ikev1/esp-alg-null/description.txt
+++ b/testing/tests/ikev1-algs/alg-sha256/description.txt
@@ -1,3 +1,4 @@
  Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>NULL / HMAC_SHA256_128</b> by defining <b>esp=null-sha256</b> in ipsec.conf.
+<b>aes128-sha256-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
  A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/alg-sha256/evaltest.dat b/testing/tests/ikev1-algs/alg-sha256/evaltest.dat

new file mode 100644 (file)

index 0000000..4074cec
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha256/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf

similarity index 91%

rename from testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf

index d9c31430be44471da0789f95748bc124e790f1e9..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon-systemd {
+charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..688e1b0
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf

similarity index 68%

rename from testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7a00fd5
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-sha256/posttest.dat b/testing/tests/ikev1-algs/alg-sha256/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha256/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/ikev1-algs/alg-sha256/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-signer-cert/pretest.dat

rename to testing/tests/ikev1-algs/alg-sha256/pretest.dat
diff --git a/testing/tests/swanctl/protoport-range/test.conf b/testing/tests/ikev1-algs/alg-sha256/test.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-range/test.conf

rename to testing/tests/ikev1-algs/alg-sha256/test.conf
diff --git a/testing/tests/ikev2/esp-alg-md5-128/description.txt b/testing/tests/ikev1-algs/alg-sha384/description.txt

similarity index 66%

rename from testing/tests/ikev2/esp-alg-md5-128/description.txt

rename to testing/tests/ikev1-algs/alg-sha384/description.txt

index 7a14be2ae9e108ae63982f3f842190656435c7c9..6e844c66f2be4b4d2825c62a086c9e9edd48524e 100644 (file)
--- a/testing/tests/ikev2/esp-alg-md5-128/description.txt
+++ b/testing/tests/ikev1-algs/alg-sha384/description.txt
@@ -1,3 +1,4 @@
  Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>3DES_CBC / HMAC_MD5_128</b> by defining <b>esp=3des-md5_128!</b> in ipsec.conf.
+<b>aes192-sha384-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
  A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/alg-sha384/evaltest.dat b/testing/tests/ikev1-algs/alg-sha384/evaltest.dat

new file mode 100644 (file)

index 0000000..092bb97
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha384/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf

similarity index 68%

rename from testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..10c709f
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes192-sha384-x25519
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-x25519
+   }
+}
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf

similarity index 68%

rename from testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..50e6f3b
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes192-sha384-x25519
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-sha384/posttest.dat b/testing/tests/ikev1-algs/alg-sha384/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha384/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/ikev1-algs/alg-sha384/pretest.dat

similarity index 70%

rename from testing/tests/swanctl/crl-to-cache/pretest.dat

rename to testing/tests/ikev1-algs/alg-sha384/pretest.dat

index 1cf07245b02327d7604a6f19c93846e8c1e15414..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/swanctl/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev1-algs/alg-sha384/pretest.dat
@@ -2,4 +2,4 @@ moon::systemctl start strongswan
  carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1-algs/alg-sha384/test.conf

similarity index 91%

rename from testing/tests/ikev1/esp-alg-aes-xcbc/test.conf

rename to testing/tests/ikev1-algs/alg-sha384/test.conf

index d7b71426cf43cf00598fede7f6f1832a1f8e98eb..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev1-algs/alg-sha384/test.conf
@@ -20,3 +20,6 @@ TCPDUMPHOSTS="moon"
  #
  IPSECHOSTS="moon carol"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/description.txt b/testing/tests/ikev1-algs/alg-sha512/description.txt

similarity index 64%

rename from testing/tests/ikev2/esp-alg-sha1-160/description.txt

rename to testing/tests/ikev1-algs/alg-sha512/description.txt

index caa1d3f8aa75c8cb0c05b72dcdbeb5748eed9771..0668edc86320172891322b725ee5973c037618b0 100644 (file)
--- a/testing/tests/ikev2/esp-alg-sha1-160/description.txt
+++ b/testing/tests/ikev1-algs/alg-sha512/description.txt
@@ -1,3 +1,4 @@
  Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA1_160</b> by defining <b>esp=aes128-sha1_160!</b> in ipsec.conf.
+<b>aes256-sha512-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
  A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/alg-sha512/evaltest.dat b/testing/tests/ikev1-algs/alg-sha512/evaltest.dat

new file mode 100644 (file)

index 0000000..593d1a3
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0eefd98
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes256-sha512-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..884e8d9
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes256-sha512-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/alg-sha512/posttest.dat b/testing/tests/ikev1-algs/alg-sha512/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/alg-sha512/pretest.dat b/testing/tests/ikev1-algs/alg-sha512/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/alg-sha512/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev1-algs/alg-sha512/test.conf

similarity index 90%

rename from testing/tests/ikev2/alg-aes-ctr/test.conf

rename to testing/tests/ikev1-algs/alg-sha512/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev2/alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1-algs/alg-sha512/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/description.txt b/testing/tests/ikev1-algs/esp-alg-aes-ccm/description.txt

new file mode 100644 (file)

index 0000000..e2c65d8
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128ccm12-x25519</b> or alternatively <b>aes128ccm96-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ccm/evaltest.dat

new file mode 100644 (file)

index 0000000..8bfc8e0
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0152b19
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128ccm12-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4fc57b4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128ccm96-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ccm/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ccm/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev1-algs/esp-alg-aes-ccm/test.conf

similarity index 90%

rename from testing/tests/ikev2/alg-aes-gcm/test.conf

rename to testing/tests/ikev1-algs/esp-alg-aes-ccm/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ccm/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1-algs/esp-alg-aes-ctr/description.txt

new file mode 100644 (file)

index 0000000..aebf5ae
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes256ctr-aesxcbc-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ctr/evaltest.dat

new file mode 100644 (file)

index 0000000..16598e9
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=256 integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=256 integ-alg=AES_XCBC_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d663f64
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes256ctr-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2572693
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes256ctr-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ctr/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1-algs/esp-alg-aes-ctr/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev1-algs/esp-alg-aes-ctr/test.conf

similarity index 90%

rename from testing/tests/ikev2/alg-3des-md5/test.conf

rename to testing/tests/ikev1-algs/esp-alg-aes-ctr/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev1-algs/esp-alg-aes-ctr/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1-algs/esp-alg-aes-gcm/description.txt

new file mode 100644 (file)

index 0000000..5586f96
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128gcm16-x25519</b> or alternatively <b>aes128gcm128-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gcm/evaltest.dat

new file mode 100644 (file)

index 0000000..ce23a5c
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d76560a
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..abd5c31
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gcm/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gcm/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1-algs/esp-alg-aes-gcm/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gcm/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1-algs/esp-alg-aes-gmac/description.txt

new file mode 100644 (file)

index 0000000..9cea5fa
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128gmac-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gmac/evaltest.dat

new file mode 100644 (file)

index 0000000..5122971
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL_AES_GMAC encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL_AES_GMAC encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4de56df
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gmac-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ab4d129
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gmac-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gmac/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1-algs/esp-alg-aes-gmac/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1-algs/esp-alg-aes-gmac/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-gmac/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/description.txt b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/description.txt

new file mode 100644 (file)

index 0000000..64fcc26
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128-aesxcbc-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/evaltest.dat

new file mode 100644 (file)

index 0000000..e441ab0
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7e170e7
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..93b7a9d
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/posttest.dat b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1-algs/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-aes-xcbc/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1-algs/esp-alg-null/description.txt b/testing/tests/ikev1-algs/esp-alg-null/description.txt

new file mode 100644 (file)

index 0000000..064906b
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>null-sha256-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1-algs/esp-alg-null/evaltest.dat b/testing/tests/ikev1-algs/esp-alg-null/evaltest.dat

new file mode 100644 (file)

index 0000000..06180cd
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ea517dc
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = null-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7062549
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = null-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1-algs/esp-alg-null/posttest.dat b/testing/tests/ikev1-algs/esp-alg-null/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1-algs/esp-alg-null/pretest.dat b/testing/tests/ikev1-algs/esp-alg-null/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1-algs/esp-alg-null/test.conf b/testing/tests/ikev1-algs/esp-alg-null/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev1-algs/esp-alg-null/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/.gitignore b/testing/tests/ikev1-multi-ca/.gitignore

similarity index 50%

rename from testing/tests/swanctl/.gitignore

rename to testing/tests/ikev1-multi-ca/.gitignore

index 85ae4a3a3ba932b4bb3eaa20b68ac4a43c23dfbd..cfaad761185d40177540b073395b72a2b8c6f6a8 100644 (file)
--- a/testing/tests/swanctl/.gitignore
+++ b/testing/tests/ikev1-multi-ca/.gitignore
@@ -1,2 +1 @@
  *.pem
-*.der
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/description.txt b/testing/tests/ikev1-multi-ca/certreq-init/description.txt

similarity index 58%

rename from testing/tests/ikev1/multi-level-ca-cr-init/description.txt

rename to testing/tests/ikev1-multi-ca/certreq-init/description.txt

index 602d026c2da9a54d6188e845c78fd2d8d47316fd..f4f80282f00adf2a30ca98472e4a8e6e3512f2fe 100644 (file)
--- a/testing/tests/ikev1/multi-level-ca-cr-init/description.txt
+++ b/testing/tests/ikev1-multi-ca/certreq-init/description.txt
@@ -1,6 +1,6 @@
  The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
  <b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
-the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the responders <b>carol</b> and <b>dave</b>, respectively.
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certif
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does
+not possess copies of the Research and Sales CA certificates and must therefore
+request them from the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/evaltest.dat b/testing/tests/ikev1-multi-ca/certreq-init/evaltest.dat

new file mode 100644 (file)

index 0000000..f9c149f
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::carol.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::dave.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-init/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..586ac94
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-init/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..12ff650
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-init/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f007453
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,50 @@
+connections {
+
+   carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+
+   dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/posttest.dat b/testing/tests/ikev1-multi-ca/certreq-init/posttest.dat

new file mode 100644 (file)

index 0000000..e0fe01f
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/ikev1-multi-ca/certreq-init/pretest.dat b/testing/tests/ikev1-multi-ca/certreq-init/pretest.dat

new file mode 100644 (file)

index 0000000..40b78ee
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-init/pretest.dat
@@ -0,0 +1,9 @@
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::systemctl start strongswan
+carol::expect-connection moon
+moon::expect-connection carol
+moon::swanctl --initiate --child alice 2> /dev/null
+dave::expect-connection moon
+moon::expect-connection dave
+moon::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/multi-level-ca-l3/test.conf b/testing/tests/ikev1-multi-ca/certreq-init/test.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/test.conf

rename to testing/tests/ikev1-multi-ca/certreq-init/test.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/description.txt b/testing/tests/ikev1-multi-ca/certreq-resp/description.txt

new file mode 100644 (file)

index 0000000..0922638
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates
+from the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b>
+does not possess copies of the Research and Sales CA certificates and must therefore
+request them from the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/evaltest.dat b/testing/tests/ikev1-multi-ca/certreq-resp/evaltest.dat

new file mode 100644 (file)

index 0000000..f9c149f
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::carol.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::dave.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-resp/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..586ac94
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-resp/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..12ff650
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/certreq-resp/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f007453
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,50 @@
+connections {
+
+   carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+
+   dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/posttest.dat b/testing/tests/ikev1-multi-ca/certreq-resp/posttest.dat

new file mode 100644 (file)

index 0000000..e0fe01f
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/ikev1-multi-ca/certreq-resp/pretest.dat b/testing/tests/ikev1-multi-ca/certreq-resp/pretest.dat

new file mode 100644 (file)

index 0000000..b3a7ac3
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/certreq-resp/pretest.dat
@@ -0,0 +1,9 @@
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::systemctl start strongswan
+moon::expect-connection carol
+carol::expect-connection moon
+carol::swanctl --initiate --child alice 2> /dev/null
+moon::expect-connection dave
+dave::expect-connection moon
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/multi-level-ca/test.conf b/testing/tests/ikev1-multi-ca/certreq-resp/test.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/test.conf

rename to testing/tests/ikev1-multi-ca/certreq-resp/test.conf
diff --git a/testing/tests/ikev1/multi-level-ca/description.txt b/testing/tests/ikev1-multi-ca/crls/description.txt

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca/description.txt

rename to testing/tests/ikev1-multi-ca/crls/description.txt
diff --git a/testing/tests/ikev1-multi-ca/crls/evaltest.dat b/testing/tests/ikev1-multi-ca/crls/evaltest.dat

new file mode 100644 (file)

index 0000000..f4318b7
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/crls/evaltest.dat
@@ -0,0 +1,18 @@
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=1 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=1 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/crls/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/crls/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/crls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/crls/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bad0e8f
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/crls/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/crls/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/crls/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/crls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/crls/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f808d04
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/crls/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-multi-ca/crls/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-multi-ca/crls/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1-multi-ca/crls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1-multi-ca/crls/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c030745
--- /dev/null
+++ b/testing/tests/ikev1-multi-ca/crls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+   research {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = researchCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = salesCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca/posttest.dat b/testing/tests/ikev1-multi-ca/crls/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/posttest.dat

rename to testing/tests/ikev1-multi-ca/crls/posttest.dat
diff --git a/testing/tests/swanctl/multi-level-ca-l3/pretest.dat b/testing/tests/ikev1-multi-ca/crls/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/pretest.dat

rename to testing/tests/ikev1-multi-ca/crls/pretest.dat
diff --git a/testing/tests/swanctl/ocsp-multi-level/test.conf b/testing/tests/ikev1-multi-ca/crls/test.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/test.conf

rename to testing/tests/ikev1-multi-ca/crls/test.conf
diff --git a/testing/tests/ikev1-stroke/.gitignore b/testing/tests/ikev1-stroke/.gitignore

new file mode 100644 (file)

index 0000000..f8443fe
--- /dev/null
+++ b/testing/tests/ikev1-stroke/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev1-stroke/config-payload-push/description.txt b/testing/tests/ikev1-stroke/config-payload-push/description.txt

new file mode 100644 (file)

index 0000000..c385f5f
--- /dev/null
+++ b/testing/tests/ikev1-stroke/config-payload-push/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The gateway pushes <b>virtual IP</b> addresses to <b>carol</b> and <b>dave</b>via the IKEv1
+Mode Config protocol in <b>push</b> mode.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1/rw-ntru-psk/evaltest.dat b/testing/tests/ikev1-stroke/config-payload-push/evaltest.dat

similarity index 66%

rename from testing/tests/ikev1/rw-ntru-psk/evaltest.dat

rename to testing/tests/ikev1-stroke/config-payload-push/evaltest.dat

index 3a3de31a2e8da6652ae36d3d1817d4b5ef84065a..9471f884649fc857172754c3d69c81afebecfef6 100644 (file)
--- a/testing/tests/ikev1/rw-ntru-psk/evaltest.dat
+++ b/testing/tests/ikev1-stroke/config-payload-push/evaltest.dat
@@ -1,17 +1,21 @@
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
  carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
  carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
  dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
  dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw-carol.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-moon:: ipsec statusall 2> /dev/null::rw-dave.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
  moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
  moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b8817fe
--- /dev/null
+++ b/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1-stroke/config-payload-push/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-blowfish/posttest.dat

rename to testing/tests/ikev1-stroke/config-payload-push/posttest.dat
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev1-stroke/config-payload-push/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/pretest.dat

rename to testing/tests/ikev1-stroke/config-payload-push/pretest.dat
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1-stroke/config-payload-push/test.conf

similarity index 100%

rename from testing/tests/ikev1/dynamic-two-peers/test.conf

rename to testing/tests/ikev1-stroke/config-payload-push/test.conf
diff --git a/testing/tests/ikev1-stroke/config-payload/description.txt b/testing/tests/ikev1-stroke/config-payload/description.txt

new file mode 100644 (file)

index 0000000..26d4cce
--- /dev/null
+++ b/testing/tests/ikev1-stroke/config-payload/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+protocol by using the <b>leftsourceip=%config</b> parameter.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test
+the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1-stroke/config-payload/evaltest.dat b/testing/tests/ikev1-stroke/config-payload/evaltest.dat

new file mode 100644 (file)

index 0000000..9471f88
--- /dev/null
+++ b/testing/tests/ikev1-stroke/config-payload/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b8817fe
--- /dev/null
+++ b/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1-stroke/config-payload/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-modp-subgroup/posttest.dat

rename to testing/tests/ikev1-stroke/config-payload/posttest.dat
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev1-stroke/config-payload/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/pretest.dat

rename to testing/tests/ikev1-stroke/config-payload/pretest.dat
diff --git a/testing/tests/ikev1/rw-ntru-psk/test.conf b/testing/tests/ikev1-stroke/config-payload/test.conf

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/test.conf

rename to testing/tests/ikev1-stroke/config-payload/test.conf
diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/ikev1-stroke/host2host-cert/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 61%

rename from testing/tests/swanctl/host2host-cert/description.txt

rename to testing/tests/ikev1-stroke/host2host-cert/description.txt

index 8f7e6e9..6be21bf
--- a/testing/tests/swanctl/host2host-cert/description.txt
+++ b/testing/tests/ikev1-stroke/host2host-cert/description.txt
@@ -1,6 +1,4 @@
  A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the updown script automatically
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev1-stroke/host2host-cert/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/evaltest.dat

rename to testing/tests/ikev1-stroke/host2host-cert/evaltest.dat
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev1-stroke/host2host-cert/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/posttest.dat

rename to testing/tests/ikev1-stroke/host2host-cert/posttest.dat
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev1-stroke/host2host-cert/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/pretest.dat

rename to testing/tests/ikev1-stroke/host2host-cert/pretest.dat
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev1-stroke/host2host-cert/test.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/test.conf

rename to testing/tests/ikev1-stroke/host2host-cert/test.conf
diff --git a/testing/tests/ikev1-stroke/host2host-transport/description.txt b/testing/tests/ikev1-stroke/host2host-transport/description.txt

new file mode 100644 (file)

index 0000000..fe3482c
--- /dev/null
+++ b/testing/tests/ikev1-stroke/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1-stroke/host2host-transport/evaltest.dat b/testing/tests/ikev1-stroke/host2host-transport/evaltest.dat

new file mode 100644 (file)

index 0000000..98251d1
--- /dev/null
+++ b/testing/tests/ikev1-stroke/host2host-transport/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-ntru-cert/posttest.dat b/testing/tests/ikev1-stroke/host2host-transport/posttest.dat

similarity index 99%

rename from testing/tests/ikev2/net2net-ntru-cert/posttest.dat

rename to testing/tests/ikev1-stroke/host2host-transport/posttest.dat

index 837738fc6ac7661098219147901d0be4dbfa24f2..1f7aa73a15246c938c27f4e67da2edcfc068f43e 100644 (file)
--- a/testing/tests/ikev2/net2net-ntru-cert/posttest.dat
+++ b/testing/tests/ikev1-stroke/host2host-transport/posttest.dat
@@ -2,4 +2,3 @@ moon::ipsec stop
  sun::ipsec stop
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev1-stroke/host2host-transport/pretest.dat b/testing/tests/ikev1-stroke/host2host-transport/pretest.dat

new file mode 100644 (file)

index 0000000..36a8423
--- /dev/null
+++ b/testing/tests/ikev1-stroke/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/ikev1-stroke/host2host-transport/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 90%

rename from testing/tests/swanctl/host2host-transport/test.conf

rename to testing/tests/ikev1-stroke/host2host-transport/test.conf

index 52d886d..5a286c8
--- a/testing/tests/swanctl/host2host-transport/test.conf
+++ b/testing/tests/ikev1-stroke/host2host-transport/test.conf
@@ -6,7 +6,7 @@
  # All guest instances that are required for this test
  #
  VIRTHOSTS="moon winnetou sun"
-
+ 
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev1-stroke/ip-pool-db/description.txt b/testing/tests/ikev1-stroke/ip-pool-db/description.txt

new file mode 100644 (file)

index 0000000..9cf0787
--- /dev/null
+++ b/testing/tests/ikev1-stroke/ip-pool-db/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+payload by using the <b>leftsourceip=%config</b> parameter. <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1-stroke/ip-pool-db/evaltest.dat b/testing/tests/ikev1-stroke/ip-pool-db/evaltest.dat

new file mode 100644 (file)

index 0000000..925e9a1
--- /dev/null
+++ b/testing/tests/ikev1-stroke/ip-pool-db/evaltest.dat
@@ -0,0 +1,38 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/ikev1-stroke/ip-pool-db/posttest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 50%

rename from testing/tests/swanctl/ip-pool-db/posttest.dat

rename to testing/tests/ikev1-stroke/ip-pool-db/posttest.dat

index b18231a..37436a3
--- a/testing/tests/swanctl/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1-stroke/ip-pool-db/posttest.dat
@@ -1,11 +1,9 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del big_pool 2> /dev/null
+moon::ipsec pool --del bigpool 2> /dev/null
  moon::ipsec pool --del dns 2> /dev/null
  moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/ikev1-stroke/ip-pool-db/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 66%

rename from testing/tests/swanctl/ip-pool-db/pretest.dat

rename to testing/tests/ikev1-stroke/ip-pool-db/pretest.dat

index 448aa26..c422045
--- a/testing/tests/swanctl/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1-stroke/ip-pool-db/pretest.dat
@@ -1,17 +1,17 @@
  moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
  moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
  moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev1-stroke/ip-pool-db/test.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/test.conf

rename to testing/tests/ikev1-stroke/ip-pool-db/test.conf
diff --git a/testing/tests/ikev1-stroke/ip-pool/description.txt b/testing/tests/ikev1-stroke/ip-pool/description.txt

new file mode 100644 (file)

index 0000000..eeaf4dd
--- /dev/null
+++ b/testing/tests/ikev1-stroke/ip-pool/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1-stroke/ip-pool/evaltest.dat b/testing/tests/ikev1-stroke/ip-pool/evaltest.dat

new file mode 100644 (file)

index 0000000..c558592
--- /dev/null
+++ b/testing/tests/ikev1-stroke/ip-pool/evaltest.dat
@@ -0,0 +1,30 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/posttest.dat b/testing/tests/ikev1-stroke/ip-pool/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/posttest.dat

rename to testing/tests/ikev1-stroke/ip-pool/posttest.dat
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1-stroke/ip-pool/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-blowfish/pretest.dat

rename to testing/tests/ikev1-stroke/ip-pool/pretest.dat
diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1-stroke/ip-pool/test.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/test.conf

rename to testing/tests/ikev1-stroke/ip-pool/test.conf
diff --git a/testing/tests/ikev1-stroke/nat-rw/description.txt b/testing/tests/ikev1-stroke/nat-rw/description.txt

new file mode 100644 (file)

index 0000000..afcb6ab
--- /dev/null
+++ b/testing/tests/ikev1-stroke/nat-rw/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel,
+the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1-stroke/nat-rw/evaltest.dat b/testing/tests/ikev1-stroke/nat-rw/evaltest.dat

new file mode 100644 (file)

index 0000000..2d265b0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf

similarity index 89%

rename from testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf

index ea9e55c5faea75b177c68d54a8d96f9d8e37430b..9d07c88e40d04298e0018e9385b871f491ebda24 100644 (file)
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf
@@ -3,5 +3,5 @@
  charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
  
-  fragment_size = 1088
+  keep_alive = 5
  }
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules b/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules

rename to testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf

similarity index 89%

rename from testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf

index ea9e55c5faea75b177c68d54a8d96f9d8e37430b..9d07c88e40d04298e0018e9385b871f491ebda24 100644 (file)
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf
@@ -3,5 +3,5 @@
  charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
  
-  fragment_size = 1088
+  keep_alive = 5
  }
diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/ikev1-stroke/nat-rw/posttest.dat

similarity index 62%

rename from testing/tests/swanctl/nat-rw-psk/posttest.dat

rename to testing/tests/ikev1-stroke/nat-rw/posttest.dat

index 5f390cd62cde61669d9e4fd519b6bfc8c03273ca..bc7d2377107607c7beee6e0dc4d2d21556278cec 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev1-stroke/nat-rw/posttest.dat
@@ -1,6 +1,6 @@
-sun::systemctl stop strongswan
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
  alice::iptables-restore < /etc/iptables.flush
  venus::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/ikev1-stroke/nat-rw/pretest.dat

similarity index 71%

rename from testing/tests/swanctl/nat-rw/pretest.dat

rename to testing/tests/ikev1-stroke/nat-rw/pretest.dat

index a1f1cffea79e137c336077445409df93fa26e574..36d23b5704d593683a62caf30834163525d9ea02 100644 (file)
--- a/testing/tests/swanctl/nat-rw/pretest.dat
+++ b/testing/tests/ikev1-stroke/nat-rw/pretest.dat
@@ -3,11 +3,11 @@ venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
  sun::expect-connection nat-t
  alice::expect-connection nat-t
-alice::swanctl --initiate --child nat-t
+alice::ipsec up nat-t
  venus::expect-connection nat-t
-venus::swanctl --initiate --child nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/ikev1-stroke/nat-rw/test.conf

similarity index 91%

rename from testing/tests/swanctl/nat-rw-psk/test.conf

rename to testing/tests/ikev1-stroke/nat-rw/test.conf

index ecc95b837581aaf93af77826f00a6a4fba9bbbd1..f515d4bc7320398fc86e982ecd05e676e602c262 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/test.conf
+++ b/testing/tests/ikev1-stroke/nat-rw/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-fragmentation/description.txt b/testing/tests/ikev1-stroke/net2net-cert/description.txt

similarity index 67%

rename from testing/tests/ikev1/net2net-fragmentation/description.txt

rename to testing/tests/ikev1-stroke/net2net-cert/description.txt

index 6fe773299d41277f6ea1f1e1201aa314ca1f72e7..16176341473400dc06758e533cc2749f07674186 100644 (file)
--- a/testing/tests/ikev1/net2net-fragmentation/description.txt
+++ b/testing/tests/ikev1-stroke/net2net-cert/description.txt
@@ -1,7 +1,5 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
-protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
-certificates.
+The authentication is based on <b>X.509 certificates</b>.
  <p/>
  Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-ntru-cert/evaltest.dat b/testing/tests/ikev1-stroke/net2net-cert/evaltest.dat

similarity index 68%

rename from testing/tests/ikev2/net2net-ntru-cert/evaltest.dat

rename to testing/tests/ikev1-stroke/net2net-cert/evaltest.dat

index 1ac624e40a07bb691ed675bf5c302a6cb80741c6..fe4aa5ab10de4b3daa50604d257ed87063aa63ff 100644 (file)
--- a/testing/tests/ikev2/net2net-ntru-cert/evaltest.dat
+++ b/testing/tests/ikev1-stroke/net2net-cert/evaltest.dat
@@ -2,8 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
  sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
  moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
  sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
-sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1-stroke/net2net-cert/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/net2net-fragmentation/posttest.dat

rename to testing/tests/ikev1-stroke/net2net-cert/posttest.dat
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1-stroke/net2net-cert/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/net2net-fragmentation/pretest.dat

rename to testing/tests/ikev1-stroke/net2net-cert/pretest.dat
diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1-stroke/net2net-cert/test.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-fragmentation/test.conf

rename to testing/tests/ikev1-stroke/net2net-cert/test.conf
diff --git a/testing/tests/swanctl/net2net-psk/description.txt b/testing/tests/ikev1-stroke/net2net-psk/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 80%

rename from testing/tests/swanctl/net2net-psk/description.txt

rename to testing/tests/ikev1-stroke/net2net-psk/description.txt

index e064a99..07320d7
--- a/testing/tests/swanctl/net2net-psk/description.txt
+++ b/testing/tests/ikev1-stroke/net2net-psk/description.txt
@@ -1,7 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>Preshared Keys</b> (PSK).
  <p/>
-Upon the successful establishment of the IPsec tunnel, the updown script automatically
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ntru-cert/evaltest.dat b/testing/tests/ikev1-stroke/net2net-psk/evaltest.dat

similarity index 68%

rename from testing/tests/ikev1/net2net-ntru-cert/evaltest.dat

rename to testing/tests/ikev1-stroke/net2net-psk/evaltest.dat

index 1ac624e40a07bb691ed675bf5c302a6cb80741c6..fe4aa5ab10de4b3daa50604d257ed87063aa63ff 100644 (file)
--- a/testing/tests/ikev1/net2net-ntru-cert/evaltest.dat
+++ b/testing/tests/ikev1-stroke/net2net-psk/evaltest.dat
@@ -2,8 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
  sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
  moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
  sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
-sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-rekey/posttest.dat b/testing/tests/ikev1-stroke/net2net-psk/posttest.dat

similarity index 99%

rename from testing/tests/ikev2/net2net-rekey/posttest.dat

rename to testing/tests/ikev1-stroke/net2net-psk/posttest.dat

index 837738fc6ac7661098219147901d0be4dbfa24f2..1f7aa73a15246c938c27f4e67da2edcfc068f43e 100644 (file)
--- a/testing/tests/ikev2/net2net-rekey/posttest.dat
+++ b/testing/tests/ikev1-stroke/net2net-psk/posttest.dat
@@ -2,4 +2,3 @@ moon::ipsec stop
  sun::ipsec stop
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev1-stroke/net2net-psk/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/pretest.dat

rename to testing/tests/ikev1-stroke/net2net-psk/pretest.dat
diff --git a/testing/tests/ikev2/net2net-cert-sha2/test.conf b/testing/tests/ikev1-stroke/net2net-psk/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/test.conf

rename to testing/tests/ikev1-stroke/net2net-psk/test.conf
diff --git a/testing/tests/swanctl/protoport-dual/description.txt b/testing/tests/ikev1-stroke/protoport-dual/description.txt

similarity index 54%

rename from testing/tests/swanctl/protoport-dual/description.txt

rename to testing/tests/ikev1-stroke/protoport-dual/description.txt

index 35c5b3967a1006900c587a85ebfbbf8d988f7327..7bed8b9590d4fa84fbf15f969da55827bcb1dd7a 100644 (file)
--- a/testing/tests/swanctl/protoport-dual/description.txt
+++ b/testing/tests/ikev1-stroke/protoport-dual/description.txt
@@ -1,7 +1,6 @@
-Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
-<b>local_ts</b> and <b>remote_ts</b> child parameters, two IPsec tunnels
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
-The first CHILD_SA is restricted to ICMP packets and the second
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
  covers TCP-based SSH connections. The established tunnels are tested
  by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
  then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev1-stroke/protoport-dual/evaltest.dat b/testing/tests/ikev1-stroke/protoport-dual/evaltest.dat

new file mode 100644 (file)

index 0000000..7d367e3
--- /dev/null
+++ b/testing/tests/ikev1-stroke/protoport-dual/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1-stroke/protoport-dual/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-3des-md5/posttest.dat

rename to testing/tests/ikev1-stroke/protoport-dual/posttest.dat
diff --git a/testing/tests/ikev1-stroke/protoport-dual/pretest.dat b/testing/tests/ikev1-stroke/protoport-dual/pretest.dat

new file mode 100644 (file)

index 0000000..02f4aa8
--- /dev/null
+++ b/testing/tests/ikev1-stroke/protoport-dual/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-icmp
+moon::expect-connection rw-ssh
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
+carol::ipsec up home-icmp
+carol::ipsec up home-ssh
diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1-stroke/protoport-dual/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-3des-md5/test.conf

rename to testing/tests/ikev1-stroke/protoport-dual/test.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url/description.txt b/testing/tests/ikev1-stroke/rw-cert/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 82%

rename from testing/tests/swanctl/rw-hash-and-url/description.txt

rename to testing/tests/ikev1-stroke/rw-cert/description.txt

index 6af7a39..15b3822
--- a/testing/tests/swanctl/rw-hash-and-url/description.txt
+++ b/testing/tests/ikev1-stroke/rw-cert/description.txt
@@ -1,6 +1,6 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, the updown script
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1-stroke/rw-cert/evaltest.dat

similarity index 83%

rename from testing/tests/ikev1/alg-modp-subgroup/evaltest.dat

rename to testing/tests/ikev1-stroke/rw-cert/evaltest.dat

index 0543bcccb8414fcd6c0a045b315f00ae34d9c73a..be78c51259f19e761bf87270f51fb494f486db9a 100644 (file)
--- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev1-stroke/rw-cert/evaltest.dat
@@ -6,8 +6,6 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
  moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..7b9888e
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..7b9888e
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..57498d5
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  integrity_test = yes
+
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1-stroke/rw-cert/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/posttest.dat

rename to testing/tests/ikev1-stroke/rw-cert/posttest.dat
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1-stroke/rw-cert/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-modp-subgroup/pretest.dat

rename to testing/tests/ikev1-stroke/rw-cert/pretest.dat
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1-stroke/rw-cert/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-blowfish/test.conf

rename to testing/tests/ikev1-stroke/rw-cert/test.conf
diff --git a/testing/tests/swanctl/rw-psk-fqdn/description.txt b/testing/tests/ikev1-stroke/rw-psk-fqdn/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/description.txt

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/description.txt
diff --git a/testing/tests/ikev1-stroke/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1-stroke/rw-psk-fqdn/evaltest.dat

new file mode 100644 (file)

index 0000000..4dfc92f
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-fqdn/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev1-stroke/rw-psk-fqdn/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-blowfish/posttest.dat

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/posttest.dat
diff --git a/testing/tests/ikev1/rw-ntru-psk/pretest.dat b/testing/tests/ikev1-stroke/rw-psk-fqdn/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/pretest.dat

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/pretest.dat

index 1e38590b66c3395438f80b781bf81a664c0f6f8f..0fb389dabfa4f0590a154043624b18b7bc2e836e 100644 (file)
--- a/testing/tests/ikev1/rw-ntru-psk/pretest.dat
+++ b/testing/tests/ikev1-stroke/rw-psk-fqdn/pretest.dat
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
  moon::rm /etc/ipsec.d/cacerts/*
  carol::rm /etc/ipsec.d/cacerts/*
  dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
  carol::ipsec start
  dave::ipsec start
-moon::ipsec start
  moon::expect-connection rw-carol
  carol::expect-connection home
  carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1-stroke/rw-psk-fqdn/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-modp-subgroup/test.conf

rename to testing/tests/ikev1-stroke/rw-psk-fqdn/test.conf
diff --git a/testing/tests/swanctl/rw-psk-ipv4/description.txt b/testing/tests/ikev1-stroke/rw-psk-ipv4/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ipv4/description.txt

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/description.txt
diff --git a/testing/tests/ikev1-stroke/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1-stroke/rw-psk-ipv4/evaltest.dat

new file mode 100644 (file)

index 0000000..4e08d59
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1-stroke/rw-psk-ipv4/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-modp-subgroup/posttest.dat

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/posttest.dat
diff --git a/testing/tests/ikev1-stroke/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1-stroke/rw-psk-ipv4/pretest.dat

new file mode 100644 (file)

index 0000000..0fb389d
--- /dev/null
+++ b/testing/tests/ikev1-stroke/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+moon::expect-connection rw-dave
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev1-stroke/rw-psk-ipv4/test.conf

similarity index 100%

rename from testing/tests/ikev2/alg-blowfish/test.conf

rename to testing/tests/ikev1-stroke/rw-psk-ipv4/test.conf
diff --git a/testing/tests/ikev1/virtual-ip/description.txt b/testing/tests/ikev1-stroke/virtual-ip/description.txt

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/description.txt

rename to testing/tests/ikev1-stroke/virtual-ip/description.txt
diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1-stroke/virtual-ip/evaltest.dat

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/evaltest.dat

rename to testing/tests/ikev1-stroke/virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev1-stroke/virtual-ip/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/posttest.dat

rename to testing/tests/ikev1-stroke/virtual-ip/posttest.dat
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1-stroke/virtual-ip/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/pretest.dat

rename to testing/tests/ikev1-stroke/virtual-ip/pretest.dat
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev1-stroke/virtual-ip/test.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/test.conf

rename to testing/tests/ikev1-stroke/virtual-ip/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/description.txt b/testing/tests/ikev1-stroke/xauth-id-psk-config/description.txt

new file mode 100644 (file)

index 0000000..2a5eb8d
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>)
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
+<b>virtual IP</b> via the IKEv1 Mode Config protocol by using the <b>leftsourceip=%config</b>
+parameter. The virtual IP addresses are registered under the users' XAUTH identity.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat

new file mode 100644 (file)

index 0000000..210072e
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat
@@ -0,0 +1,24 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d6dcd99
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d6dcd99
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..4f0b4be
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
+
+  dns1 = 192.168.0.150
+  dns2 = 10.1.0.20
+}
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/posttest.dat

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/posttest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/pretest.dat

rename to testing/tests/ikev1-stroke/xauth-id-psk-config/pretest.dat
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf

new file mode 100644 (file)

index 0000000..9b1ec0b
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt b/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt

new file mode 100644 (file)

index 0000000..feb154d
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config
+protocol by using the <b>leftsourceip=%config</b> parameter.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat

new file mode 100644 (file)

index 0000000..13e4b26
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b635720
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/farp/posttest.dat

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/posttest.dat
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat

new file mode 100644 (file)

index 0000000..2eddae2
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+moon::expect-connection rw-dave
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/test.conf

similarity index 100%

rename from testing/tests/ikev2/alg-modp-subgroup/test.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt

new file mode 100644 (file)

index 0000000..88351ff
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Hybrid Mode</b>.
+The authentication of <b>moon</b> is based on an RSA signature combined with a X.509 certificate,
+followed by an extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat

new file mode 100644 (file)

index 0000000..b482ddb
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b635720
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/forecast/posttest.dat

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/posttest.dat
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-blowfish/pretest.dat

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/pretest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/test.conf

rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-psk/description.txt b/testing/tests/ikev1-stroke/xauth-psk/description.txt

new file mode 100644 (file)

index 0000000..08816ef
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>) followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names and passwords.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat b/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat

new file mode 100644 (file)

index 0000000..90cf05c
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..73a4271
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..73a4271
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..73a4271
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev1-stroke/xauth-psk/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/posttest.dat

rename to testing/tests/ikev1-stroke/xauth-psk/posttest.dat
diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/ikev1-stroke/xauth-psk/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 52%

rename from testing/tests/swanctl/rw-cert/pretest.dat

rename to testing/tests/ikev1-stroke/xauth-psk/pretest.dat

index 3d37a86..ee5bc7c
--- a/testing/tests/swanctl/rw-cert/pretest.dat
+++ b/testing/tests/ikev1-stroke/xauth-psk/pretest.dat
@@ -1,11 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1-stroke/xauth-psk/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/test.conf

rename to testing/tests/ikev1-stroke/xauth-psk/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/description.txt b/testing/tests/ikev1-stroke/xauth-rsa/description.txt

new file mode 100644 (file)

index 0000000..6ad07e9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names equal to the <b>IKEv1 identities</b> carol@strongswan.org and
+dave@strongswan.org, respectively and corresponding user passwords defined and
+stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat b/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..90cf05c
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b635720
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..e3bada0
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1-stroke/xauth-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat

rename to testing/tests/ikev1-stroke/xauth-rsa/posttest.dat
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1-stroke/xauth-rsa/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-modp-subgroup/pretest.dat

rename to testing/tests/ikev1-stroke/xauth-rsa/pretest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev1-stroke/xauth-rsa/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/test.conf

rename to testing/tests/ikev1-stroke/xauth-rsa/test.conf
diff --git a/testing/tests/ikev1/.gitignore b/testing/tests/ikev1/.gitignore

index cfaad761185d40177540b073395b72a2b8c6f6a8..f8443fea46737a0f87480cab4053876f5a551e92 100644 (file)
--- a/testing/tests/ikev1/.gitignore
+++ b/testing/tests/ikev1/.gitignore
@@ -1 +1,4 @@
+*.crl
+*.der
+*.p12
  *.pem
diff --git a/testing/tests/ikev1/alg-3des-md5/description.txt b/testing/tests/ikev1/alg-3des-md5/description.txt

deleted file mode 100644 (file)

index 4c39d0b..0000000
--- a/testing/tests/ikev1/alg-3des-md5/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat

deleted file mode 100644 (file)

index b5009aa..0000000
--- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
-moon:: ip xfrm state::enc cbc(des3_ede)::YES
-carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth-trunc hmac(md5)::YES
-carol::ip xfrm state::auth-trunc hmac(md5)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 11874bb..0000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=3des-md5-modp1024!
-       esp=3des-md5-modp1024!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 2c4f3fc..0000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 41fb1f7..0000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=3des-md5-modp1024!
-       esp=3des-md5-modp1024!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 66ff246..0000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat

deleted file mode 100644 (file)

index a4f1f29..0000000
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index db409be..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=blowfish256-sha512-modp2048!
-       esp=blowfish192-sha384!
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index d69a7b8..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index fd3343c..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=blowfish128-sha256-modp1536!
-       esp=blowfish128-sha256!
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index a3c9999..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f3c84ec..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-       esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index a3c9999..0000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 15b6ec8..0000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160!
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3f13273..0000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index b3f7654..0000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256!
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 192df5a..0000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160!
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt

deleted file mode 100644 (file)

index f7e5391..0000000
--- a/testing/tests/ikev1/alg-sha256/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-curve25519!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat

deleted file mode 100644 (file)

index d9ff947..0000000
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
-carol::ip xfrm state::auth-trunc hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 25fce18..0000000
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=aes128-sha256-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index b3e5df1..0000000
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=aes128-sha256-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt

deleted file mode 100644 (file)

index f96ea5c..0000000
--- a/testing/tests/ikev1/alg-sha384/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-curve25519!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat

deleted file mode 100644 (file)

index 3a53356..0000000
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
-carol::ip xfrm state::auth-trunc hmac(sha384)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 9e7f488..0000000
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes192-sha384-curve25519!
-       esp=aes192-sha384-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index d4c4a6f..0000000
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes192-sha384-curve25519!
-       esp=aes192-sha384-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt

deleted file mode 100644 (file)

index bf79a3b..0000000
--- a/testing/tests/ikev1/alg-sha512/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat

deleted file mode 100644 (file)

index 3c39e2c..0000000
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
-carol::ip xfrm state::auth-trunc hmac(sha512)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 7927211..0000000
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3f13273..0000000
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index bdfcb4e..0000000
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/compress/description.txt b/testing/tests/ikev1/compress/description.txt

index 47829839ddc75a4bacc386bc324f65f7c6189392..4c60384f0bdb6f9959adfbc87df2c137c4c7a7e5 100644 (file)
--- a/testing/tests/ikev1/compress/description.txt
+++ b/testing/tests/ikev1/compress/description.txt
@@ -1,3 +1,4 @@
-This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
-gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
-the established tunnel with compression.
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat

index 2ec840c6828d132d05039a338d4bcb30b1012392..8715ef166b0f088e8fcf493b5d92708a4750ddd8 100644 (file)
--- a/testing/tests/ikev1/compress/evaltest.dat
+++ b/testing/tests/ikev1/compress/evaltest.dat
@@ -1,9 +1,8 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon:: ip xfrm state::proto comp spi::YES
  carol::ip xfrm state::proto comp spi::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
  moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 291b8cc..0000000
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       compress=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..56a2840
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256-x25519
+            ipcomp = yes
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 28cf2d1..0000000
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       compress=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e3f2d02
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-x25519
+            ipcomp = yes
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/compress/posttest.dat b/testing/tests/ikev1/compress/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/ikev1/compress/posttest.dat
+++ b/testing/tests/ikev1/compress/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf

index d7b71426cf43cf00598fede7f6f1832a1f8e98eb..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -20,3 +20,6 @@ TCPDUMPHOSTS="moon"
  #
  IPSECHOSTS="moon carol"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/config-payload-push/description.txt b/testing/tests/ikev1/config-payload-push/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 36f4779..f6929e2
--- a/testing/tests/ikev1/config-payload-push/description.txt
+++ b/testing/tests/ikev1/config-payload-push/description.txt
@@ -1,8 +1,10 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The gateway pushes <b>virtual IP</b> addresses to <b>carol</b> and <b>dave</b>via the IKEv1
-Mode Config protocol in <b>push</b> mode.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+protocol in <b>push</b> mode by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
  <p/>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the
-client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings
-will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind
+the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual
+IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1/config-payload-push/evaltest.dat b/testing/tests/ikev1/config-payload-push/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 9471f88..3588712
--- a/testing/tests/ikev1/config-payload-push/evaltest.dat
+++ b/testing/tests/ikev1/config-payload-push/evaltest.dat
@@ -1,26 +1,16 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..ad4c18e
--- a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1879c5f
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+      pull = no
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..ad4c18e
--- a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ce816e9
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+      pull = no
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b8817fe..ad4c18e
--- a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/config-payload-push/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/swanctl/swanctl_base.conf

new file mode 100755 (executable)

index 0000000..c1ccf07
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,18 @@
+      local_addrs  = 192.168.0.1
+      pull = no
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-curve25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-curve25519
diff --git a/testing/tests/ikev1/config-payload-push/posttest.dat b/testing/tests/ikev1/config-payload-push/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/config-payload-push/posttest.dat
+++ b/testing/tests/ikev1/config-payload-push/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bdbe341..28f600c
--- a/testing/tests/ikev1/config-payload-push/pretest.dat
+++ b/testing/tests/ikev1/config-payload-push/pretest.dat
@@ -1,11 +1,12 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/config-payload-push/test.conf b/testing/tests/ikev1/config-payload-push/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev1/config-payload-push/test.conf
+++ b/testing/tests/ikev1/config-payload-push/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/config-payload/description.txt b/testing/tests/ikev1/config-payload/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index ff6928e..19d3198
--- a/testing/tests/ikev1/config-payload/description.txt
+++ b/testing/tests/ikev1/config-payload/description.txt
@@ -1,7 +1,10 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
-tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
-<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
-and <b>dave1</b>, respectively.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+protocol by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind
+the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual
+IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 9471f88..3588712
--- a/testing/tests/ikev1/config-payload/evaltest.dat
+++ b/testing/tests/ikev1/config-payload/evaltest.dat
@@ -1,26 +1,16 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..ad4c18e
--- a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2921311
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..ad4c18e
--- a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..9a29833
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b8817fe..ad4c18e
--- a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5b4f021
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol_vip
+
+      remote {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave_vip
+
+      remote {
+         auth = pubkey
+         id = dave@strongswan.org
+      }
+   }
+
+}
+
+pools {
+
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+
+   dave_vip {
+      addrs = 10.3.0.2
+   }
+}
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf

new file mode 100755 (executable)

index 0000000..cad2d03
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-curve25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-curve25519
diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/config-payload/posttest.dat
+++ b/testing/tests/ikev1/config-payload/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bdbe341..28f600c
--- a/testing/tests/ikev1/config-payload/pretest.dat
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -1,11 +1,12 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev1/config-payload/test.conf
+++ b/testing/tests/ikev1/config-payload/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/double-nat-net/description.txt b/testing/tests/ikev1/double-nat-net/description.txt

index ff09155f6ebad40a1888352abbb7742a5f5af373..19fcf274ef6043bdcae0e0eff1aa4d67672c9a29 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/description.txt
+++ b/testing/tests/ikev1/double-nat-net/description.txt
@@ -1,7 +1,9 @@
  The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
  tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
  directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
-using destination NAT.  UDP encapsulation is used to traverse the NAT routers.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test the double NAT-ed IPsec
-tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
+using destination NAT. UDP encapsulation is used to traverse the NAT routers.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the double NAT-ed IPsec tunnel <b>alice</b> pings the inner IP address
+of the router <b>sun</b>.
+\ No newline at end of file
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat

index af29ce7b998edc6a46d04f4191762dd1676a9f6f..99fb91bfc67f8b06a712e74913f2b6ec29f07997 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+bob::  swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
  alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf

deleted file mode 100644 (file)

index 836a8b3..0000000
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-               
-conn nat-t
-       left=%defaultroute
-       leftcert=aliceCert.pem
-       leftid=alice@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=bob@strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6c97f5c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      remote_addrs = sun.strongswan.org
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = bob@strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf

deleted file mode 100644 (file)

index fa1ccac..0000000
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn nat-t
-       left=%defaultroute
-       leftsubnet=10.2.0.0/16
-       leftcert=bobCert.pem
-       leftid=bob@strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..96f2295
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   nat-t {
+
+      local {
+         auth = pubkey
+         certs = bobCert.pem
+         id = bob@strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat

index ec663e70d9f58d60268d7428407cc897b8bfe752..5eee039227be5d7f751ae4919bae541d2353d3a4 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  bob::iptables-restore < /etc/iptables.flush
  moon::iptables -t nat -F
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat

index 4b4c8ceaf381d74ba17c9fa6ab4b30dad1230f57..09dbe38c6d87969f36ff55b040abf353afe8ec9a 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -5,8 +5,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
  sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
  sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
  sun::ip route add 10.1.0.0/16 via PH_IP_BOB
-bob::ipsec start
-alice::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
  bob::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf

index d2e31d257a23fb35de55bff773b745e923922bfc..33e1825b8499d658ca0207e5c14a8448079881e3 100644 (file)
--- a/testing/tests/ikev1/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/double-nat/description.txt b/testing/tests/ikev1/double-nat/description.txt

index ce7de0e56c8f715ffec4146fcb40510db8b6983c..1f2a6b734aa3398fe8d8856892f8e4849452e53a 100644 (file)
--- a/testing/tests/ikev1/double-nat/description.txt
+++ b/testing/tests/ikev1/double-nat/description.txt
@@ -1,5 +1,7 @@
  The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
  the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to
-traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
-tunnel <b>alice</b> pings <b>bob</b>.
+traverse the NAT routers.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the double NAT-ed IPsec tunnel <b>alice</b> pings <b>bob</b>.
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat

index 903226706e344a472d272d4a7ba89ed5a19c68f7..735c938ca71480926cf5dc44fe3526f2ec0484a5 100644 (file)
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.10/32]::YES
+bob::  swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.2.0.10/32] remote-ts=\[10.1.0.10/32]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf

deleted file mode 100644 (file)

index 6b40252..0000000
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-               
-conn nat-t
-       left=%defaultroute
-       leftcert=aliceCert.pem
-       leftid=alice@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=bob@strongswan.org
-       rightsubnet=PH_IP_BOB/32
-       auto=add
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2a9897d
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      remote_addrs = sun.strongswan.org
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = bob@strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.10
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf

deleted file mode 100644 (file)

index 8964056..0000000
--- a/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn nat-t
-       left=%defaultroute
-       leftcert=bobCert.pem
-       leftid=bob@strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f1d5c7d
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   nat-t {
+
+      local {
+         auth = pubkey
+         certs = bobCert.pem
+         id = bob@strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat

index f434b336c25aa80721dd3347c67d7faef1d1e6bc..7445fb4595f8b13ebe3968e979576c114f8fae18 100644 (file)
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  bob::iptables-restore < /etc/iptables.flush
  moon::iptables -t nat -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat

index 5fe5eae49d0c30865b4dca169472188af819df79..5376a59ed8b2e9a0179bb8b0bc44bafddee957d2 100644 (file)
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -4,8 +4,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
  sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
  sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
-bob::ipsec start
-alice::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
  bob::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf

index d2e31d257a23fb35de55bff773b745e923922bfc..33e1825b8499d658ca0207e5c14a8448079881e3 100644 (file)
--- a/testing/tests/ikev1/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt

index 0fb2f106492e319a802c4385056e3feaa59c8140..19cc5646c0aba46cc32d136294b67be7ebe1b412 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
@@ -2,4 +2,3 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <
  which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
  When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
  <b>moon</b> clears the connection after a number of unsuccessful retransmits.
-
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat

index 8d4fa03a86c54ad8fdbc7f3b237a92262aa55479..fddb7717775bc83546c2fd430fdd8f6c67567640 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  moon:: sleep 16::no output expected::NO
  moon:: cat /var/log/daemon.log::sending DPD request::YES
  moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6812907..0000000
--- a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev1
-       auto=add
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d76560a
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 9219e70..0000000
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       dpdaction=clear
-       dpddelay=5
-       dpdtimeout=15
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b307d32
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+            dpd_action = clear
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+      dpd_delay = 5
+      dpd_timeout = 15
+   }
+}
diff --git a/testing/tests/ikev1/dpd-clear/posttest.dat b/testing/tests/ikev1/dpd-clear/posttest.dat

index 931db4272eabe52c0cc6931ac28fb394ccc15dc1..617eff3d7b43f368fdf3553699c66cfa06851cd4 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/posttest.dat
+++ b/testing/tests/ikev1/dpd-clear/posttest.dat
@@ -1,3 +1,3 @@
  carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/pretest.dat
+++ b/testing/tests/ikev1/dpd-clear/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev1/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt

index 6f4af9439341af6e41e0df566bf18937b0f52bbe..4c3e027d43a4dcb8da26d8d42643b66dd6abe264 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/description.txt
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -1,7 +1,7 @@
  The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
  <b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
-polling interval of 10s. When the network connectivity between <b>carol</b>
-and <b>moon</b> is forcefully disrupted for a duration of 100s, <b>moon</b>
-clears the connection after a number of unsuccessful retransmits whereas <b>carol</b>
-also takes down the connection but immediately tries to reconnect which succeeds
-as soon as the connection becomes available again.
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted, <b>moon</b> clears the connection after
+some unsuccessful retransmits whereas <b>carol</b> also takes down the connection
+but immediately tries to reconnect which succeeds as soon as the connection
+becomes available again.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat

index a685ce166565371118a31bcf76706c8f60769170..97559e8e5166c889defd619903054a90917d9b28 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
  carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  carol::sleep 16::no output expected::NO
@@ -9,5 +9,5 @@ carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
  carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
  carol::sleep 2::no output expected::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 4e142d6..0000000
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       dpdaction=restart
-       dpddelay=5
-       dpdtimeout=15
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c54a1a3
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+            dpd_action = restart
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+      dpd_delay = 5
+      dpd_timeout = 15
+   }
+}
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 79db536..0000000
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       dpdaction=clear
-       dpddelay=10
-       dpdtimeout=45
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b307d32
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+            dpd_action = clear
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+      dpd_delay = 5
+      dpd_timeout = 15
+   }
+}
diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/posttest.dat
+++ b/testing/tests/ikev1/dpd-restart/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/pretest.dat
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev1/dpd-restart/test.conf
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dynamic-initiator/description.txt b/testing/tests/ikev1/dynamic-initiator/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 319ed63..6a3ca98
--- a/testing/tests/ikev1/dynamic-initiator/description.txt
+++ b/testing/tests/ikev1/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
-The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the
+<b>remote_addrs</b> field contains a <b>Fully Qualified Domain Name</b> (FQDN) which
+is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
+This will allow an IKE main mode rekeying to arrive from an arbitrary IP address
+under the condition that the peer identity remains unchanged. When this happens
  the old tunnel is replaced by an IPsec connection to the new origin.
  <p>
-In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
-suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
-old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some
+time <b>carol</b> suddenly changes her IP address and restarts the connection to
+<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking
+IKE packets to and from <b>carol</b> and starting the connection from host <b>dave</b>
+using <b>carol</b>'s identity).
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e3549f2..4fc2d3f
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
  moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index ef0d102..0000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1c489ef
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index ef0d102..0000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 6a2aea8..0000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1c489ef
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 6ab0ea5..0000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn carol
-       left=%any
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=%carol.strongswan.org
-       rightid=carol@strongswan.org
-       rightsourceip=PH_IP_CAROL1
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0f3a956
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   carol {
+      remote_addrs = carol.strongswan.org
+      pools = carol_vip
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         carol {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+      unique = replace
+   }
+}
+
+pools {
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 6898bd5..784b258
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  carol::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index a056e1d..704e1f1
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,11 +1,12 @@
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection carol
  carol::expect-connection moon
-carol::ipsec up moon
+carol::swanctl --initiate --child moon 2> /dev/null
  carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
  carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
  dave::expect-connection moon
-dave::ipsec up moon
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..37c3b73
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="alice"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dynamic-responder/description.txt b/testing/tests/ikev1/dynamic-responder/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 76471a9..f43948d
--- a/testing/tests/ikev1/dynamic-responder/description.txt
+++ b/testing/tests/ikev1/dynamic-responder/description.txt
@@ -1,13 +1,12 @@
-The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the
+<b>remote_addrs</b> field contains a <b>Fully Qualified Domain Name</b> (FQDN) which
+is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
+This will allow an IKE main mode rekeying to arrive from an arbitrary IP address
+under the condition that the peer identity remains unchanged. When this happens
  the old tunnel is replaced by an IPsec connection to the new origin.
  <p>
  In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
  the responder <b>carol</b> suddenly changes her IP address and restarts the connection to
  <b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets
  to and from <b>carol</b> and starting the connection from host <b>dave</b> using
-<b>carol</b>'s identity). 
+<b>carol</b>'s identity).
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e3549f2..377a0c2
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
  moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index ef0d102..0000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1c489ef
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index ef0d102..0000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 6a2aea8..0000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1c489ef
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 6ab0ea5..0000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn carol
-       left=%any
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=%carol.strongswan.org
-       rightid=carol@strongswan.org
-       rightsourceip=PH_IP_CAROL1
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0f3a956
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   carol {
+      remote_addrs = carol.strongswan.org
+      pools = carol_vip
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         carol {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+      unique = replace
+   }
+}
+
+pools {
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 6898bd5..784b258
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -1,6 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  carol::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index f71d69f..22a10ca
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,13 +1,13 @@
  carol::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  carol::expect-connection moon
  moon::expect-connection carol
-moon::ipsec up carol
-moon::sleep 0.5
+moon::swanctl --initiate --child carol 2> /dev/null
+moon::sleep 1
  carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
  carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
  dave::expect-connection moon
-dave::ipsec up moon
-moon::sleep 0.5
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..37c3b73
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="alice"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt

deleted file mode 100644 (file)

index 56a1c07..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
-so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
-The ipsec starter resolves the fully-qualified hostname into the current IP address
-via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
-expected to change over time, the prefix '%' is used as an implicit alternative to the
-explicit <b>rightallowany=yes</b> option which will allow an IKE
-main mode rekeying to arrive from an arbitrary IP address under the condition that
-the peer identity remains unchanged. When this happens the old tunnel is replaced
-by an IPsec connection to the new origin.
-<p>
-In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
-<b>moon</b> which has a named connection definition for each peer. Although
-the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
-the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat

deleted file mode 100644 (file)

index 6666054..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index ef0d102..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index d635666..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn moon
-       left=%any
-       leftsourceip=%config
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale

deleted file mode 100644 (file)

index ebff4ec..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
+++ /dev/null
@@ -1,67 +0,0 @@
-# /etc/hosts:  This file describes a number of hostname-to-address
-#              mappings for the TCP/IP subsystem.  It is mostly
-#              used at boot time, when no name servers are running.
-#              On small systems, this file can be used instead of a
-#              "named" name server.  Just add the names, addresses
-#              and any aliases to this file...
-#
-
-127.0.0.1      localhost
-
-192.168.0.254  uml0.strongswan.org     uml0
-10.1.0.254     uml1.strongswan.org     uml1
-10.2.0.254     uml1.strongswan.org     uml2
-
-10.1.0.10      alice.strongswan.org    alice
-10.1.0.20      venus.strongswan.org    venus
-10.1.0.1       moon1.strongswan.org    moon1
-192.168.0.1    moon.strongswan.org     moon
-192.168.0.110  carol.strongswan.org    carol
-10.3.0.1       carol1.strongswan.org   carol1
-192.168.0.150  winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.220  dave.strongswan.org     dave
-10.3.0.2       dave1.strongswan.org    dave1
-192.168.0.2    sun.strongswan.org      sun
-10.2.0.1       sun1.strongswan.org     sun1
-10.2.0.10      bob.strongswan.org      bob
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1 ip6-mcast-1
-ff02::1:ff00:2 ip6-mcast-2
-ff02::1:ff00:10        ip6-mcast-10
-ff02::1:ff00:15        ip6-mcast-15
-ff02::1:ff00:20        ip6-mcast-20
-
-# IPv6 site-local addresses
-fec1::10       ip6-alice.strongswan.org    ip6-alice
-fec1::20       ip6-venus.strongswan.org    ip6-venus
-fec1::1        ip6-moon1.strongswan.org    ip6-moon1
-fec0::1        ip6-moon.strongswan.org     ip6-moon
-fec0::10       ip6-carol.strongswan.org    ip6-carol
-fec3::1        ip6-carol1.strongswan.org   ip6-carol1
-fec0::15       ip6-winnetou.strongswan.org ip6-winnetou 
-fec0::20       ip6-dave.strongswan.org     ip6-dave
-fec3::2        ip6-dave1.strongswan.org    ip6-dave1
-fec0::2        ip6-sun.strongswan.org      ip6-sun
-fec2::1        ip6-sun1.strongswan.org     ip6-sun1
-fec2::10       ip6-bob.strongswan.org      ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14        ip6-hw-venus.strongswan.org    ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a        ip6-hw-alice.strongswan.org    ip6-hw-alice
-fe80::fcfd:0aff:fe01:01        ip6-hw-moon1.strongswan.org    ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64        ip6-hw-carol.strongswan.org    ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8        ip6-hw-dave.strongswan.org     ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02        ip6-hw-sun.strongswan.org      ip6-hw-sun
-fe80::fcfd:0aff:fe02:01        ip6-hw-sun1.strongswan.org     ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 07cd498..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=%any
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-
-conn carol
-       right=%carol.strongswan.org
-       rightid=carol@strongswan.org
-       rightsourceip=PH_IP_CAROL1
-       auto=add
-
-conn dave
-       right=%dave.strongswan.org
-       rightid=dave@strongswan.org
-       rightsourceip=PH_IP_DAVE1
-       auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat

deleted file mode 100644 (file)

index e862b15..0000000
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::mv /etc/hosts /etc/hosts.ori
-moon::mv /etc/hosts.stale /etc/hosts
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection carol
-carol::expect-connection moon
-carol::ipsec up moon
-dave::expect-connection moon
-dave::ipsec up moon
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat

deleted file mode 100644 (file)

index 4aceaa8..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
-carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 35b96c1..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=aes128ccm96-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 9692b64..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 40251f7..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=aes128ccm12-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt

deleted file mode 100644 (file)

index 5858267..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-curve25519</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat

deleted file mode 100644 (file)

index 79ab17c..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
-carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
-moon:: ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ip xfrm state::rfc3686(ctr(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index ac835d0..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-curve25519!
-       esp=aes256ctr-aesxcbc-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 913afb4..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 5c7bbf8..0000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-curve25519!
-       esp=aes256ctr-aesxcbc-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt

deleted file mode 100644 (file)

index f112af6..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-curve25519</b> or alternatively
-<b>esp=aes256gcm128-curve25519</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat

deleted file mode 100644 (file)

index 25cd459..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6dddc28..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-curve25519!
-       esp=aes256gcm128-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 1d1cd4e..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index d98aaea..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-curve25519!
-       esp=aes256gcm16-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt

deleted file mode 100644 (file)

index 0d5eb10..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-curve25519!</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat

deleted file mode 100644 (file)

index 293b5ab..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index c6d77ca..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha256-curve25519!
-       esp=aes256gmac-curve25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f42aad2..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha256-curve25519!
-       esp=aes256gmac-curve25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt

deleted file mode 100644 (file)

index 0c39352..0000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat

deleted file mode 100644 (file)

index a3f8d80..0000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-carol::ip xfrm state::auth-trunc xcbc(aes)::YES
-moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index a653bcd..0000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha256-curve25519!
-       esp=aes256-aesxcbc!
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index c5200b0..0000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 3e37c3c..0000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha256-curve25519!
-       esp=aes256-aesxcbc!
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat

deleted file mode 100644 (file)

index b80e9f7..0000000
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-moon:: ip xfrm state::enc ecb(cipher_null)::YES
-carol::ip xfrm state::enc ecb(cipher_null)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index d436291..0000000
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=null-sha256!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index c17c581..0000000
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-curve25519!
-       esp=null-sha256!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/host2host-ah/description.txt b/testing/tests/ikev1/host2host-ah/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index dccdd52..f642038
--- a/testing/tests/ikev1/host2host-ah/description.txt
+++ b/testing/tests/ikev1/host2host-ah/description.txt
@@ -1,5 +1,6 @@
-An IPsec <b>AH transport-mode</b> connection using HMAC_SHA256 between the hosts
-<b>moon</b> and <b>sun</b> is successfully set up using IKEv1. <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the decrypted
-IP packets. In order to test the host-to-host connection <b>moon</b> pings
-<b>sun</b>.
+An IPsec <b>AH transport-mode</b> connection using HMAC_SHA256_128 between the hosts
+<b>moon</b> and <b>sun</b> is set up.The authentication is based on <b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the AH transport connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host connection <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-ah/evaltest.dat b/testing/tests/ikev1/host2host-ah/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1e50ef4..077081e
--- a/testing/tests/ikev1/host2host-ah/evaltest.dat
+++ b/testing/tests/ikev1/host2host-ah/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a05e5d0..0000000
--- a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       keyexchange=ikev1
-
-conn host-host
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       type=transport
-       ah=sha256!
-       auto=add
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..32a7697
--- a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5c61c95
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256
+            mode = transport
+
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 6851ffb..0000000
--- a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       keyexchange=ikev1
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       type=transport
-       ah=sha256!
-       auto=add
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..32a7697
--- a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2f798b3
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256
+            mode = transport
+        }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev1/host2host-ah/posttest.dat b/testing/tests/ikev1/host2host-ah/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev1/host2host-ah/posttest.dat
+++ b/testing/tests/ikev1/host2host-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..f16a8d8
--- a/testing/tests/ikev1/host2host-ah/pretest.dat
+++ b/testing/tests/ikev1/host2host-ah/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-ah/test.conf b/testing/tests/ikev1/host2host-ah/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9647dc6..52d886d
--- a/testing/tests/ikev1/host2host-ah/test.conf
+++ b/testing/tests/ikev1/host2host-ah/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/host2host-cert/description.txt b/testing/tests/ikev1/host2host-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 6be21bf..8f7e6e9
--- a/testing/tests/ikev1/host2host-cert/description.txt
+++ b/testing/tests/ikev1/host2host-cert/description.txt
@@ -1,4 +1,6 @@
  A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e0c40ba..bd76db0
--- a/testing/tests/ikev1/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e87f207
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..021872f
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev1/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..445892f
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
+moon::sleep 1
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 55d6e9f..52d886d
--- a/testing/tests/ikev1/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="moon winnetou sun"
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/host2host-transport/description.txt b/testing/tests/ikev1/host2host-transport/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fe3482c..bc5a129
--- a/testing/tests/ikev1/host2host-transport/description.txt
+++ b/testing/tests/ikev1/host2host-transport/description.txt
@@ -1,4 +1,6 @@
-An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
-successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
-<b>moon</b> pings <b>sun</b>.
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 98251d1..352f6a5
--- a/testing/tests/ikev1/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f17c997
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..88ddfba
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev1/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..736e469
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
+moon::sleep 1
+\ No newline at end of file
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 5a286c8..52d886d
--- a/testing/tests/ikev1/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
@@ -6,7 +6,7 @@
  # All guest instances that are required for this test
  #
  VIRTHOSTS="moon winnetou sun"
- 
+
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/ip-pool-db/description.txt b/testing/tests/ikev1/ip-pool-db/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 364b96c..88fe5ea
--- a/testing/tests/ikev1/ip-pool-db/description.txt
+++ b/testing/tests/ikev1/ip-pool-db/description.txt
@@ -1,10 +1,11 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
-addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+payload by using the <b>vips = 0.0.0.0</b> parameter. <b>moon</b> assigns virtual IP addresses
+from a pool named <b>bigpool</b> that was created in an SQL database by the command
  <b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
  <p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
-virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind
+the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual
+IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 925e9a1..d6aa726
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,38 +1,23 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
  carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
  carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
  carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
  dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
  dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
  dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..886b31f
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2921311
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..886b31f
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..9a29833
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c224059..31cf56d
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
  
    plugins {
      attr-sql {
@@ -12,4 +16,5 @@ charon {
  
  pool {
    load = sqlite
+  database = sqlite:///etc/db.d/ipsec.db
  }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..31c21a7
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = big_pool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 37436a3..b18231a
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,9 +1,11 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del big_pool 2> /dev/null
  moon::ipsec pool --del dns 2> /dev/null
  moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c422045..448aa26
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,17 +1,17 @@
  moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
  moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
  moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 31820ea..5554b46
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which databases are used
  #
  DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/ip-pool/description.txt b/testing/tests/ikev1/ip-pool/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index b3f584c..a9291f8
--- a/testing/tests/ikev1/ip-pool/description.txt
+++ b/testing/tests/ikev1/ip-pool/description.txt
@@ -1,10 +1,11 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order. 
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+payload by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> assigns virtual IP addresses from a simple pool defined in the pools section
+of swanctl.conf in a monotonously increasing order.
  <p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind
+the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual
+IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c558592..b853d70
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -1,30 +1,17 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2921311
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..9a29833
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6b5765b
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.3.0.0/28
+   }
+}
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b757d8b..eb21008
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat

deleted file mode 100644 (file)

index 03426ac..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 8421527..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn alice
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 953fa18..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn venus
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 998fa3f..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=PH_IP_CAROL
-       rightid=carol@strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=PH_IP_DAVE
-       rightid=dave@strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat

deleted file mode 100644 (file)

index 24cd041..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat

deleted file mode 100644 (file)

index 1476785..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::expect-connection alice
-dave::expect-connection venus
-moon::expect-connection venus
-moon::ipsec up alice
-moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt

deleted file mode 100644 (file)

index 06f9f6b..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
-<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
-the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat

deleted file mode 100644 (file)

index dcd2717..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 43cbb47..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 0cef26c..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f6224ed..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat

deleted file mode 100644 (file)

index 24cd041..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat

deleted file mode 100644 (file)

index 4bc6a0e..0000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection venus
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat

deleted file mode 100644 (file)

index ede771f..0000000
--- a/testing/tests/ikev1/multi-level-ca/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 09dfafc..0000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 8f1609e..0000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index ec45854..0000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/posttest.dat b/testing/tests/ikev1/multi-level-ca/posttest.dat

deleted file mode 100644 (file)

index 1646d5e..0000000
--- a/testing/tests/ikev1/multi-level-ca/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat

deleted file mode 100644 (file)

index 81b3070..0000000
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection venus
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-rw/description.txt b/testing/tests/ikev1/nat-rw/description.txt

index dcf4b94bd63f4749718afde7893dd0cf37e4d925..1ee91b74ddafbeb66f1a910332fb9253eb1f359e 100644 (file)
--- a/testing/tests/ikev1/nat-rw/description.txt
+++ b/testing/tests/ikev1/nat-rw/description.txt
@@ -1,5 +1,8 @@
  The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
  tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+Authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
  ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat

index 2d265b0d1338df138039d173014eef62b5cec04b..ce6cebf3bbe34c59feef9638584af4be985adf2a 100644 (file)
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -1,16 +1,12 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  moon:: sleep 6::no output expected::NO
  bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..8f1eec2
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..7625e5066e971524e52ab4f1cd707b7258b63116 100644 (file)
--- a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2f3aee4
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      local_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e0f7810
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat

index bc7d2377107607c7beee6e0dc4d2d21556278cec..5f390cd62cde61669d9e4fd519b6bfc8c03273ca 100644 (file)
--- a/testing/tests/ikev1/nat-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -1,6 +1,6 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  venus::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat

index 36d23b5704d593683a62caf30834163525d9ea02..a1f1cffea79e137c336077445409df93fa26e574 100644 (file)
--- a/testing/tests/ikev1/nat-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -3,11 +3,11 @@ venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
  sun::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
  venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf

index f515d4bc7320398fc86e982ecd05e676e602c262..ecc95b837581aaf93af77826f00a6a4fba9bbbd1 100644 (file)
--- a/testing/tests/ikev1/nat-rw/test.conf
+++ b/testing/tests/ikev1/nat-rw/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 31d24cd..3d13a29
--- a/testing/tests/ikev1/nat-virtual-ip/description.txt
+++ b/testing/tests/ikev1/nat-virtual-ip/description.txt
@@ -1,6 +1,6 @@
  The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
  to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
-virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
-specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
-which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
-This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
+virtual IP address to router <b>moon</b>. A special <b>nat_updown</b> script on <b>moon</b>
+dynamically inserts a source NAT rule which maps the IP address of client <b>alice</b> to
+the virtual IP of <b>moon</b>. This allows <b>alice</b> to access client <b>bob</b> via the
+established IPsec tunnel.
diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index d4910ea..1d3b878
--- a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
@@ -1,5 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.4.0.1/32]::YES
  moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 28853ce..0000000
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       mobike=no
-
-conn net-net 
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsourceip=%config
-       leftupdown=/etc/nat_updown
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown

index b21e724ef7b2b05c3edce576855cac11c480043e..a3c68025770da6244e06e0020545602a5e8d0eff 100755 (executable)
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -13,7 +13,6 @@
  # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  # for more details.
  
-#
  #      PLUTO_VERSION
  #              indicates  what  version of this interface is being
  #              used.  This document describes version  1.1.   This
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6dcbf8a
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            remote_ts = 10.2.0.0/16
+
+            updown = /etc/nat_updown
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index ff030b5..0000000
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev1
-       mobike=no
-
-conn net-net 
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsourceip=10.4.0.0/24
-       auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ae2e1a8
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.4.0.0/24
+   }
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b9fbde7..131a3c2
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
  moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f46f137..6fc0281
--- a/testing/tests/ikev1/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun bob"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun bob"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-ah/description.txt b/testing/tests/ikev1/net2net-ah/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fbe4a77..18626d0
--- a/testing/tests/ikev1/net2net-ah/description.txt
+++ b/testing/tests/ikev1/net2net-ah/description.txt
@@ -1,8 +1,9 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
-is set up using the IKEv1 protocol.
-With <b>ah=sha1,sha256!</b> gateway <b>moon</b> proposes the use of <b>AH</b>.
-Gateway <b>sun</b> selects SHA2_256_128 for integrity protection with its
-<b>ah=sha256!</b> configuration.
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. With <b>ah=sha256-sha384</b>
+gateway <b>moon</b> proposes the use of <b>AH</b>. Gateway <b>sun</b> selects HMAC_SHA2_256_128
+for integrity protection with its <b>ah=sha256</b> configuration.
  <p/>
-Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
-gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ah/evaltest.dat b/testing/tests/ikev1/net2net-ah/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 34a1cde..1c5edfb
--- a/testing/tests/ikev1/net2net-ah/evaltest.dat
+++ b/testing/tests/ikev1/net2net-ah/evaltest.dat
@@ -1,11 +1,5 @@
-sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
-moon::ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
-sun:: ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 0ddecec..0000000
--- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       keyexchange=ikev1
-       ike=aes128-sha256-modp3072!
-       ah=sha1,sha256!
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 7e78d04..32a7697
--- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 3
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6e3f0da
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256-sha384
+
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 40327a9..0000000
--- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       keyexchange=ikev1
-       ike=aes128-sha256-modp3072!
-       ah=sha256!
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 7e78d04..32a7697
--- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 3
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e20b202
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256
+        }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev1/net2net-ah/posttest.dat b/testing/tests/ikev1/net2net-ah/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev1/net2net-ah/posttest.dat
+++ b/testing/tests/ikev1/net2net-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev1/net2net-ah/pretest.dat
+++ b/testing/tests/ikev1/net2net-ah/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-ah/test.conf b/testing/tests/ikev1/net2net-ah/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev1/net2net-ah/test.conf
+++ b/testing/tests/ikev1/net2net-ah/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-cert/description.txt b/testing/tests/ikev1/net2net-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 7eea919..b00bf17
--- a/testing/tests/ikev1/net2net-cert/description.txt
+++ b/testing/tests/ikev1/net2net-cert/description.txt
@@ -1,6 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index fe4aa5a..e3aeec4
--- a/testing/tests/ikev1/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f077e5c
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6053f8c
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..cc6a5bf
--- a/testing/tests/ikev1/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev1/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-esn/description.txt b/testing/tests/ikev1/net2net-esn/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 6318c55..35c8ba8
--- a/testing/tests/ikev1/net2net-esn/description.txt
+++ b/testing/tests/ikev1/net2net-esn/description.txt
@@ -1,7 +1,10 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>esp=aes128-sha256-esn!</b> gateway <b>moon</b> proposes the use of
-<b>Extended Sequence Numbers</b>. Gateway <b>sun</b> defines <b>esp=aes128-sha256-esn-noesn!</b>,
-accepting proposals with and without ESN.
+With <b>esp=aes128gcm128-esn-noesn-x25519</b> gateway <b>moon</b> proposes the use of
+<b>Extended Sequence Numbers</b> but can also live without them. Gateway <b>sun</b>
+defines <b>esp=aes128gcm128-esn-x25519</b> and thus decides on the use of ESN.
+The authentication is based on <b>X.509 certificates</b>.
  <p/>
-Upon the successful establishment of the CHILD SA with ESN, client <b>alice</b> behind
-gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b> 10 times.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-esn/evaltest.dat b/testing/tests/ikev1/net2net-esn/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 8fa6893..bc19872
--- a/testing/tests/ikev1/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev1/net2net-esn/evaltest.dat
@@ -1,17 +1,7 @@
-sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 esn=1.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 esn=1.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  sun::  ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
  moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
  alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-
diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 6c4ad62..0000000
--- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-modp3072!
-       esp=aes128-sha256-esn!
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..ad4c18e
--- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4a989e4
--- /dev/null
+++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-esn-noesn-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 1bf040c..0000000
--- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-modp3072!
-       esp=aes128-sha256-esn-noesn!
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..ad4c18e
--- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..68fa349
--- /dev/null
+++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-esn-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/net2net-esn/posttest.dat b/testing/tests/ikev1/net2net-esn/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..cc6a5bf
--- a/testing/tests/ikev1/net2net-esn/posttest.dat
+++ b/testing/tests/ikev1/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev1/net2net-esn/pretest.dat b/testing/tests/ikev1/net2net-esn/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev1/net2net-esn/pretest.dat
+++ b/testing/tests/ikev1/net2net-esn/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-esn/test.conf b/testing/tests/ikev1/net2net-esn/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev1/net2net-esn/test.conf
+++ b/testing/tests/ikev1/net2net-esn/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat

deleted file mode 100644 (file)

index 45e76c1..0000000
--- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
-sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
-moon::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 2 fragments::YES
-moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
-moon::cat /var/log/daemon.log::received fragment #2, reassembled fragmented IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #2, reassembled fragmented IKE message::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index cdd4304..0000000
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       fragmentation=yes
-
-conn net-net 
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 448525b..0000000
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev1
-       fragmentation=yes
-
-conn net-net 
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-ntru-cert/description.txt b/testing/tests/ikev1/net2net-ntru-cert/description.txt

deleted file mode 100644 (file)

index 638a671..0000000
--- a/testing/tests/ikev1/net2net-ntru-cert/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The key exchange is based on NTRU encryption with a security strength of 256 bits.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a725ea7..0000000
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-ntru256!
-       esp=aes256-sha512!
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a7098f..0000000
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
-
-  multiple_authentication = no
-  send_vendor_id = yes
-
-  syslog {
-    daemon {
-      ike = 4
-      lib = 4
-    }
-  }
-  plugins {
-    ntru {
-      parameter_set = optimum
-    }
-  }
-}
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 5cadacc..0000000
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes256-sha512-ntru256!
-       esp=aes256-sha512!
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 908adcb..0000000
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
-
-  multiple_authentication = no
-  send_vendor_id = yes
-  syslog {
-    daemon {
-      ike = 4
-      lib = 4
-    }
-  }
-}
diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 688182b..d41b2c9
--- a/testing/tests/ikev1/net2net-psk-fail/description.txt
+++ b/testing/tests/ikev1/net2net-psk-fail/description.txt
@@ -1,5 +1,4 @@
  A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
-uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the
-IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error
-notify which in turn cannot be decrypted by <b>moon</b>.
+uses a wrong PSK. Therefore the connection setup is aborted by gateway <b>sun</b>
+by sending an <b>AUTHENTICATION_FAILED</b> notify error.
diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36ad061..5a501cb
--- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
@@ -2,7 +2,5 @@ sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::
  sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES
  moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES
  moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 5917bab..0000000
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       authby=secret
-       keyexchange=ikev1
-
-conn net-net
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightsubnet=10.2.0.0/16
-       rightid=@sun.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index 38ebf96..0000000
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,4 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
-
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..359fb57
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike {
+      id-1 = moon.strongswan.org
+      id-2 = sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 8fe02b1..0000000
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       authby=secret
-       keyexchange=ikev1
-
-conn net-net
-       left=PH_IP_SUN
-       leftsubnet=10.2.0.0/16
-       leftid=@sun.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e4a4dbb
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike {
+      id-1 = moon.strongswan.org
+      id-2 =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..82a2de1
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c7e2c61..e935b95
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,9 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index eb4822b..07a3b24
--- a/testing/tests/ikev1/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
@@ -5,17 +5,21 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon winnetou sun"
+VIRTHOSTS="alice moon winnetou sun bob"
  
  # Corresponding block diagram
  #
-DIAGRAM="m-w-s.png"
-
+DIAGRAM="a-m-w-s-b.png"
+ 
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/net2net-psk/description.txt b/testing/tests/ikev1/net2net-psk/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 02cddbb..e064a99
--- a/testing/tests/ikev1/net2net-psk/description.txt
+++ b/testing/tests/ikev1/net2net-psk/description.txt
@@ -1,6 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index fe4aa5a..e3aeec4
--- a/testing/tests/ikev1/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..ad4c18e
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..862b5d8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,54 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-1 {
+      id-1 = moon.strongswan.org
+      secret = 0x45a30759df97dc26a15b88ff
+   }
+   ike-2 {
+      id-2 = sun.strongswan.org
+      secret = "This is a strong password"
+   }
+   ike-3 {
+      id-3a = moon.strongswan.org
+      id-3b =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   ike-4 {
+      secret = 'My "home" is my "castle"!'
+   }
+   ike-5 {
+     id-5 = 192.168.0.1
+     secret = "Andi's home"
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..ad4c18e
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..94feee9
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-1 {
+      id-moon = moon.strongswan.org
+      id-sun =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev1/net2net-psk/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c7e2c61..e935b95
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -1,9 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev1/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/protoport-dual/description.txt b/testing/tests/ikev1/protoport-dual/description.txt

index 7bed8b9590d4fa84fbf15f969da55827bcb1dd7a..a93abf119ef46e63be35cca5d3425ab719c5eb25 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/description.txt
+++ b/testing/tests/ikev1/protoport-dual/description.txt
@@ -1,6 +1,8 @@
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. The established tunnels are tested
-by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
-then setting up an SSH session to the same client.
+Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
+<b>local_ts</b> and <b>remote_ts</b> child parameters, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
+The first CHILD_SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections.
+<p/>
+The established tunnels are tested by <b>carol</b> by first pinging <b>alice</b>
+behind <b>moon</b> and then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat

index 7d367e3c158b0e711ceb505daaefbae732117c73..226f8f823ce491eda8e88233868b1611fef0ee7e 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -1,9 +1,7 @@
-carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
  carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5152031
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         icmp {
+            local_ts  = dynamic[icmp]
+            remote_ts = 10.1.0.0/16[icmp]
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+         ssh {
+            local_ts  = dynamic[tcp]
+            remote_ts = 10.1.0.0/16[tcp/ssh]
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7d96657
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         icmp {
+            local_ts  = 10.1.0.0/16[icmp]
+            remote_ts = dynamic[icmp]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+         ssh {
+            local_ts  = 10.1.0.0/16[tcp/ssh]
+            remote_ts = dynamic[tcp]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat

index 02f4aa82be2595cffef69952f327d5301ab5c02a..f0563179c1b14e7df87823b7da443b4462681f75 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -1,10 +1,10 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-icmp
-moon::expect-connection rw-ssh
-carol::expect-connection home-icmp
-carol::expect-connection home-ssh
-carol::ipsec up home-icmp
-carol::ipsec up home-ssh
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection icmp
+moon::expect-connection ssh
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::swanctl --initiate --child icmp 2> /dev/null
+carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev1/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/rw-cert-aggressive/description.txt b/testing/tests/ikev1/rw-cert-aggressive/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 1c4535c..24739f8
--- a/testing/tests/ikev1/rw-cert-aggressive/description.txt
+++ b/testing/tests/ikev1/rw-cert-aggressive/description.txt
@@ -1,7 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+he roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication is
-based on <b>X.509 certificates</b>. Upon the successful establishment of the IPsec
-tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
-rules that let pass the tunneled traffic. In order to test both tunnel and
-firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind
-the gateway <b>moon</b>.
+based on <b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index be78c51..0876d5b
--- a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
@@ -1,15 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+dave:: cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index afa1641..0000000
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index cf4c1eb..ad4c18e
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  syslog {
-    daemon {
-      job = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f69cf2b
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 51a2e57..0000000
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index f09c279..ad4c18e
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  syslog {
-    daemon {
-      job = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..dde611a
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 49d0909..0000000
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..cba188e
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-cert-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/rw-cert-unity/description.txt b/testing/tests/ikev1/rw-cert-unity/description.txt

index 5e887c7f4f2ddc80146c80e3fb9f55c019d13f2c..c33fbbcaa4a3f5eac6bc81c792e262451fe35160 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/description.txt
+++ b/testing/tests/ikev1/rw-cert-unity/description.txt
@@ -1,6 +1,8 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
  The authentication is based on <b>X.509 certificates</b>. <b>carol</b>
-requests a virtual IP using <b>leftsourceip=%config</b> and indicates
+requests a virtual IP using the <b>vips = 0.0.0.0</b> parameter and indicates
  support for the Cisco Unity extension. Gateway <b>moon</b> responds with
-two Split-Include subnets configured in the <b>leftsubnet</b> definition and a
+two Split-Include subnets configured in the <b>local_ts</b> definition and a
  global Local-LAN exclude option defined in strongswan.conf.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat

index ff13f5f0df16cd8327ad2397f98f2cf033c7017c..967cca10d366ed8bf8b53a60094f939d490634d9 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
@@ -1,8 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES
-carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::cat /var/log/daemon.log::received Cisco Unity vendor ID::YES
+moon::cat /var/log/daemon.log::sending UNITY_SPLIT_INCLUDE: 10.1.0.0/16 10.2.1.0/24::YES
+carol::cat /var/log/daemon.log::received Cisco Unity vendor ID::YES
+carol::cat /var/log/daemon.log::narrowed CHILD_SA to UNITY_SPLIT_INCLUDE 10.1.0.0/16 10.2.1.0/24::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.2.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.1.1/32] remote-ts=\[10.1.0.0/16 10.2.1.0/24]::YES
+carol::swanctl --list-pols --raw 2> /dev/null::unity/Unity (home\[1]: 192.168.0.0/24).*child=Unity (home\[1]: 192.168.0.0/24) ike=unity mode=PASS local-ts=\[192.168.0.100/32 10.2.1.1/32] remote-ts=\[192.168.0.0/24::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.2.1.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 10.2.1.0/24] remote-ts=\[10.2.1.1/32]::YES
+carol::ping -c 1 10.1.0.10::64 bytes from 10.1.0.10: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index bad6281..0000000
--- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftsourceip=%config
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=0.0.0.0/0
-       auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf

index 5df879c6b0015b7e134ea950d4bed5abe06f0403..c1da276ad3d08d1c3526e2c6ce016fad53b0bfae 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default unity
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default unity
+
    cisco_unity = yes
  }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..38561d9
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 0.0.0.0/0
+            esp_proposals =aes128gcm16-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index ee8ee90..0000000
--- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16,10.2.1.0/24
-       right=%any
-       rightsourceip=10.2.1.0/24
-       auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf

index b925166b93d82cb9331593664b4a006afb0057be..62bd0dd0708cf51bdec23ff3656b96fe355f6d6b 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default attr unity
-  cisco_unity = yes
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default attr unity
  
+  cisco_unity = yes
    plugins {
      attr {
        split-exclude = 192.168.0.0/24
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f18f310
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts = 10.1.0.0/16,10.2.1.0/24
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.2.1.0/24
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert-unity/posttest.dat b/testing/tests/ikev1/rw-cert-unity/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1/rw-cert-unity/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf

index 09e6f6cdbfe77c6280bd6c28656c9757c0406b57..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev1/rw-cert-unity/test.conf
+++ b/testing/tests/ikev1/rw-cert-unity/test.conf
@@ -9,7 +9,7 @@ VIRTHOSTS="alice moon carol winnetou"
  
  # Corresponding block diagram
  #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 15b3822..f190c07
--- a/testing/tests/ikev1/rw-cert/description.txt
+++ b/testing/tests/ikev1/rw-cert/description.txt
@@ -1,6 +1,7 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index be78c51..0c1525f
--- a/testing/tests/ikev1/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 57498d5..aeb1b75
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  integrity_test = yes
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  crypto_test {
-    on_add = yes
-  }
+charon-systemd {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c357054
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 57498d5..aeb1b75
--- a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  integrity_test = yes
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  crypto_test {
-    on_add = yes
-  }
+charon-systemd {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..05fc9ae
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 57498d5..f12797e
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  
    integrity_test = yes
  
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..91d8af3
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/rw-cert/posttest.dat
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 4780041..d8ad8b7
--- a/testing/tests/ikev1/rw-initiator-only/description.txt
+++ b/testing/tests/ikev1/rw-initiator-only/description.txt
@@ -4,7 +4,7 @@ she ignores the repeated IKE requests sent by <b>dave</b>.
  <p/>
  After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
  connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
+<p/>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c5dc4a0..5662ec5
--- a/testing/tests/ikev1/rw-initiator-only/evaltest.dat
+++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
@@ -1,8 +1,6 @@
  dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 5891439..0000000
--- a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ff775e5..7bb3ff7
--- a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  
    initiator_only = yes
  }
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..9825cb0
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index b262ecb..0000000
--- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn peer
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_CAROL
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c58fdbc..ad4c18e
--- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bb983cd
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   peer {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+      children {
+         peer {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 4c5df88..0000000
--- a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekey=no
-       keyexchange=ikev1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c58fdbc..ad4c18e
--- a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..91d8af3
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..e5c82ef
--- a/testing/tests/ikev1/rw-initiator-only/posttest.dat
+++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 9317b0f..71675c4
--- a/testing/tests/ikev1/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-dave::expect-connection peer
-dave::ipsec up peer
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
+dave::expect-connection peer
+dave::swanctl --initiate --child peer 2> /dev/null
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-initiator-only/test.conf
+++ b/testing/tests/ikev1/rw-initiator-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/description.txt b/testing/tests/ikev1/rw-multi-ciphers/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/description.txt

rename to testing/tests/ikev1/rw-multi-ciphers/description.txt
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat b/testing/tests/ikev1/rw-multi-ciphers/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat

rename to testing/tests/ikev1/rw-multi-ciphers/evaltest.dat
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/ikev1/rw-multi-ciphers/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/config-payload/posttest.dat

rename to testing/tests/ikev1/rw-multi-ciphers/posttest.dat
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat b/testing/tests/ikev1/rw-multi-ciphers/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat

rename to testing/tests/ikev1/rw-multi-ciphers/pretest.dat
diff --git a/testing/tests/swanctl/manual-prio/test.conf b/testing/tests/ikev1/rw-multi-ciphers/test.conf

similarity index 100%

rename from testing/tests/swanctl/manual-prio/test.conf

rename to testing/tests/ikev1/rw-multi-ciphers/test.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/description.txt b/testing/tests/ikev1/rw-ntru-psk/description.txt

deleted file mode 100644 (file)

index 40cdd18..0000000
--- a/testing/tests/ikev1/rw-ntru-psk/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
-192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on strong
-preshared keys (PSKs).
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 mode-config payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order. 
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 315aa10..0000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-ntru128!
-       esp=aes128-sha256!
-       authby=psk
-
-conn home
-       left=PH_IP_CAROL
-       leftsourceip=%config
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index c168b51..0000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes192-sha384-ntru192!
-       esp=aes192-sha384!
-       authby=psk
-
-conn home
-       left=PH_IP_DAVE
-       leftsourceip=%config
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 2194db5..0000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
-       esp=aes128-sha256,aes192-sha384!
-       authby=psk
-
-conn rw-carol
-       also=rw
-       right=PH_IP_CAROL
-       rightid=carol@strongswan.org
-       auto=add
-
-conn rw-dave
-       also=rw
-       right=PH_IP_DAVE
-       rightid=dave@strongswan.org
-       auto=add
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=moon.strongswan.org
-       leftfirewall=yes
-       rightsourceip=10.3.0.0/28
diff --git a/testing/tests/ikev1/rw-psk-aggressive/description.txt b/testing/tests/ikev1/rw-psk-aggressive/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 32a476e..0602b41
--- a/testing/tests/ikev1/rw-psk-aggressive/description.txt
+++ b/testing/tests/ikev1/rw-psk-aggressive/description.txt
@@ -1,7 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication
  is based on distinct <b>pre-shared keys</b> and <b>Fully Qualified Domain Names</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the
-client <b>alice</b> behind the gateway <b>moon</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 849d59a..0876d5b
--- a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
@@ -1,14 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+dave:: cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index fe086b8..0000000
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       authby=secret
-       aggressive=yes
-       
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bb9dbb0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+}
+
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index df28872..0000000
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       authby=secret
-       aggressive=yes
-       
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5282f42
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index cb8a0cd..0000000
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       authby=secret
-       aggressive=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index bcafd86..cdab41d
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
  }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..487160b
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-carol {
+      id = carol@strongswan.org
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+   ike-dave {
+      id = dave@strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ee5bc7c..b0d3b61
--- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -1,14 +1,15 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-psk-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 47f6968..237e2ce
--- a/testing/tests/ikev1/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and <b>Fully Qualified Domain Names</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
  <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 4dfc92f..c2d2af1
--- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..56a6c00
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+      secret = 0x16964066a10de938bdb2ab7864fe4459cab1
+   }
+}
+
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6855999
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index e3dd0fb..0000000
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-@moon.strongswan.org dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2cab3d6
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,62 @@
+connections {
+
+   rw-carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+
+   rw-dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-carol {
+      id = carol@strongswan.org
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+   ike-dave {
+      id = dave@strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 0fb389d..b0d3b61
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -1,15 +1,15 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-ikev1/description.txt b/testing/tests/ikev1/rw-psk-ip-ranges/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/description.txt

rename to testing/tests/ikev1/rw-psk-ip-ranges/description.txt
diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/ikev1/rw-psk-ip-ranges/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/evaltest.dat

rename to testing/tests/ikev1/rw-psk-ip-ranges/evaltest.dat
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/ikev1/rw-psk-ip-ranges/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/ip-pool/posttest.dat

rename to testing/tests/ikev1/rw-psk-ip-ranges/posttest.dat
diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/ikev1/rw-psk-ip-ranges/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/pretest.dat

rename to testing/tests/ikev1/rw-psk-ip-ranges/pretest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf b/testing/tests/ikev1/rw-psk-ip-ranges/test.conf

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf

rename to testing/tests/ikev1/rw-psk-ip-ranges/test.conf
diff --git a/testing/tests/ikev1/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index b4aaa6a..5faf171
--- a/testing/tests/ikev1/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and <b>IPv4</b> addresses.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
  <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 4e08d59..75a1741
--- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..3f3e98d
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = 192.168.0.100
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.1
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = 192.168.0.1
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+}
+
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..df4ccba
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = 192.168.0.200
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.1
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = 192.168.0.1
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..0325fe9
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..eb593da
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,58 @@
+connections {
+
+   rw-carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = psk
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+
+   rw-dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = psk
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-carol {
+      id = 192.168.0.100
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+   ike-dave {
+      id = 192.168.0.200
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 0fb389d..b0d3b61
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -1,15 +1,15 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-psk-config/description.txt b/testing/tests/ikev1/xauth-id-psk-config/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fc417e4..1f202a2
--- a/testing/tests/ikev1/xauth-id-psk-config/description.txt
+++ b/testing/tests/ikev1/xauth-id-psk-config/description.txt
@@ -1,11 +1,11 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%config</b>
-parameter. The virtual IP addresses are registered under the users' XAUTH identity. 
+The authentication is based on Pre-Shared Keys (<b>PSK</b>) followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names and passwords.
+Next <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config protocol
+by using the <b>vips = 0.0.0.0</b> parameter.
+The virtual IP addresses are registered under the users' XAUTH identity.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 210072e..389b3a4
--- a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
  moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
@@ -18,7 +14,3 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index d6dcd99..d274a81
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..257267d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local-psk {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+         xauth_id = carol
+      }
+      remote-psk {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth {
+      id = carol
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index d6dcd99..d274a81
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5321a90
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local-psk {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+         xauth_id = dave
+      }
+      remote-rsa {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 4f0b4be..d274a81
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  dns1 = 192.168.0.150
-  dns2 = 10.1.0.20
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1ad6a27
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,54 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol-vip
+
+      remote-psk {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      remote-xauth {
+         auth = xauth
+         xauth_id = carol
+       }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave-vip
+
+     remote-rsa {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      remote-xauth {
+         auth = xauth
+         xauth_id = dave
+       }
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth-carol {
+      id = carol
+      secret = 4iChxLT3
+   }
+   xauth-dave {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+
+pools {
+   carol-vip {
+      addrs = 10.3.0.1
+   }
+   dave-vip {
+      addrs = 10.3.0.2
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf

new file mode 100644 (file)

index 0000000..649b527
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,16 @@
+      local_addrs  = 192.168.0.1
+
+      local-psk {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b757d8b..eb21008
--- a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ee5bc7c..dc7b5f7
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -1,14 +1,16 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9b1ec0b..1227b9d
--- a/testing/tests/ikev1/xauth-id-psk-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="alice moon"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 90209c2..f8016c4
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
@@ -1,11 +1,10 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
-using <b>IKEv1 Aggressive Mode</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
-respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+he roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Aggressive Mode</b>. The authentication is based on RSA signatures
+using X.509 certificates followed by extended authentication (<b>XAUTH</b>) of
+<b>carol</b> and <b>dave</b> based on user names defined by the <b>xauth_identity</b>
+and corresponding user passwords defined and stored in ipsec.secrets.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b482ddb..10326fc
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -1,11 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+dave:: cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 09308ef..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftauth=pubkey
-       leftauth2=xauth
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightauth=pubkey
-       xauth_identity=carol
-       auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..734689a
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+         xauth_id = carol
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = carol
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 8cc9f68..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftauth=pubkey
-       leftauth2=xauth
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightauth=pubkey
-       xauth_identity=dave
-       auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6a49294
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+         xauth_id = dave
+       }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 2a27145..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-       aggressive=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftauth=pubkey
-       leftfirewall=yes
-       right=%any
-       rightauth=pubkey
-       rightauth2=xauth
-       auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf

similarity index 62%

rename from testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf

index f71bea1d1afa3886c900df516b1679081365bdbb..8addb191be3e25b100019ad6c8e5ef6cae8e911b 100755 (executable)
--- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf
@@ -3,27 +3,28 @@ connections {
     rw {
        local_addrs  = 192.168.0.1
  
-      local {
+      local-rsa {
           auth = pubkey
           certs = moonCert.pem
           id = moon.strongswan.org
        }
-      remote {
+      remote-rsa {
           auth = pubkey
        }
        remote-xauth {
           auth = xauth
-      }
+       }
        children {
           net {
-            local_ts  = 10.1.0.0/16 
+            local_ts  = 10.1.0.0/16
  
              updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
           }
        }
-      version = 1 
-      proposals = aes128-sha256-modp3072
+      version = 1
+      aggressive = yes
+      proposals = aes128-sha256-x25519
     }
  }
  
@@ -31,10 +32,10 @@ secrets {
  
     xauth-carol {
        id = carol
-      secret = "4iChxLT3" 
+      secret = 4iChxLT3
     }
     xauth-dave {
        id = dave
-      secret = "ryftzG4A"
+      secret = ryftzG4A
     }
-}
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/description.txt b/testing/tests/ikev1/xauth-id-rsa-config/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index feb154d..91b595f
--- a/testing/tests/ikev1/xauth-id-rsa-config/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
@@ -1,12 +1,12 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
-respectively) and corresponding user passwords defined and stored in ipsec.secrets.
-Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config
-protocol by using the <b>leftsourceip=%config</b> parameter.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names defined
+by the <b>xauth_id</b> parameter carol and dave, respectively and corresponding user passwords
+defined and stored in the secrets section of swanctl.conf.
+Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config
+protocol by using the <b>vips = 0.0.0.0</b> parameter.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 13e4b26..389b3a4
--- a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
  moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 29492b5..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf

similarity index 58%

rename from testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf

index ddfe896fb9d07ce26a43e2217b4ca33d483494d3..c10a874c54e6a0a0a99d06d770659a9738bc1aba 100755 (executable)
--- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,9 +2,10 @@ connections {
  
     home {
        local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
  
-      local {
+      local-rsa {
           auth = pubkey
           certs = carolCert.pem
           id = carol@strongswan.org
@@ -13,27 +14,27 @@ connections {
           auth = xauth
           xauth_id = carol
        }
-      remote {
+      remote-rsa {
           auth = pubkey
-         id = moon.strongswan.org 
+         id = moon.strongswan.org
        }
        children {
           home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
  
              updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
           }
        }
-      version = 1 
-      proposals = aes128-sha256-modp3072
+      version = 1
+      proposals = aes128-sha256-x25519
     }
  }
  
  secrets {
  
-   xauth-carol {
+   xauth {
        id = carol
-      secret = "4iChxLT3" 
+      secret = 4iChxLT3
     }
-}
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 8cf7db5..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
-
-dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf

similarity index 58%

rename from testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf

index 61ca64db3758eeefcf43dc07081d6fea44488be5..5cbb4046d1ab945dafcbc85781ee4e35195c11e8 100755 (executable)
--- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,9 +2,10 @@ connections {
  
     home {
        local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
  
-      local {
+      local-rsa {
           auth = pubkey
           certs = daveCert.pem
           id = dave@strongswan.org
@@ -13,27 +14,27 @@ connections {
           auth = xauth
           xauth_id = dave
        }
-      remote {
+      remote-rsa {
           auth = pubkey
-         id = moon.strongswan.org 
+         id = moon.strongswan.org
        }
        children {
           home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
  
              updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
           }
        }
-      version = 1 
-      proposals = aes128-sha256-modp3072
+      version = 1
+      proposals = aes128-sha256-x25519
     }
  }
  
  secrets {
  
-   xauth-dave {
+   xauth {
        id = dave
-      secret = "ryftzG4A"
+      secret = ryftzG4A
     }
-}
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d8c2bd5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,51 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol-vip
+
+      remote-rsa {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+      remote-xauth {
+         auth = xauth
+         xauth_id = carol
+       }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave-vip
+
+     remote-rsa {
+         auth = pubkey
+         id = dave@strongswan.org
+      }
+      remote-xauth {
+         auth = xauth
+         xauth_id = dave
+       }
+   }
+}
+
+secrets {
+
+   xauth-carol {
+      id = carol
+      secret = 4iChxLT3
+   }
+   xauth-dave {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+
+pools {
+   carol-vip {
+      addrs = 10.3.0.1
+   }
+   dave-vip {
+      addrs = 10.3.0.2
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf

new file mode 100644 (file)

index 0000000..909383b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+      local_addrs  = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 2eddae2..3b4b22d
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -1,12 +1,13 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
-moon::expect-connection rw-dave
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/xauth-id-rsa-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 88351ff..1cab584
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
@@ -5,7 +5,7 @@ followed by an extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dav
  based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
  respectively) and corresponding user passwords defined and stored in ipsec.secrets.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b482ddb..389b3a4
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..03790ca
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local-xauth {
+         auth = xauth
+         id = carol@strongswan.org
+         xauth_id = carol
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = carol
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..60e8c4c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local-xauth {
+         auth = xauth
+         id = dave@strongswan.org
+         xauth_id = dave
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index bd9b0db..0000000
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol : XAUTH "4iChxLT3"
-
-dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2d48f2e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol-vip
+
+      remote-xauth {
+         auth = xauth
+         xauth_id = carol
+       }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave-vip
+
+      remote-xauth {
+         auth = xauth
+         xauth_id = dave
+       }
+   }
+}
+
+secrets {
+
+   xauth-carol {
+      id = carol
+      secret = 4iChxLT3
+   }
+   xauth-dave {
+      id = dave
+      secret = ryftzG4A
+   }
+}
+
+pools {
+   carol-vip {
+      addrs = 10.3.0.1
+   }
+   dave-vip {
+      addrs = 10.3.0.2
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf

new file mode 100644 (file)

index 0000000..909383b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+      local_addrs  = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..c519eec
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -1,11 +1,15 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-psk/description.txt b/testing/tests/ikev1/xauth-psk/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 0ac2043..b66f044
--- a/testing/tests/ikev1/xauth-psk/description.txt
+++ b/testing/tests/ikev1/xauth-psk/description.txt
@@ -1,9 +1,8 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>) followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names and passwords.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 90cf05c..4929f0a
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 73a4271..d274a81
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b384e59
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local-psk {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote-psk {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 73a4271..d274a81
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..41311c7
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local-psk {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+       }
+      remote-psk {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth {
+      id = dave@strongswan.org
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 73a4271..d274a81
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..90f6abb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local-psk {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote-psk {
+         auth = psk
+      }
+      remote-xauth {
+         auth = xauth
+       }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-group {
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   xauth-carol {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+   xauth-dave {
+      id = dave@strongswan.org
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ee5bc7c..12ad60e
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index a586a14..04ae527
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
@@ -1,8 +1,13 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
-equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
-defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> starts
-an EAP-RADIUS connection with AAA server <b>alice</b> and uses <b>carol</b>'s 
-forwarded XAUTH user credentials for an EAP-MD5 based client authentication with
-<b>alice</b>.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name equal to the <b>IKEv1</b> identity
+carol@strongswan.org and a user password defined and stored by <b>carol</b> in  the secrets
+section of swanctl.conf.
+<p/>
+Gateway <b>moon</b> delegates the EAP-MD5 based verification of <b>carol</b>'s XAUTH user
+credentials to the RADIUS server <b>alice</b>.
+<p>
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1d023f3..10009c7
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -1,10 +1,6 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..38a3077
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 5701b7a..0000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftcert=moonCert.pem
-       leftauth=pubkey
-       leftfirewall=yes
-       right=%any
-       rightauth=pubkey
-       rightauth2=xauth-eap
-       auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 41fa522..a16a128
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-md5 xauth-eap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-md5 eap-radius xauth-eap kernel-netlink socket-default updown vici
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..173d96d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote-rsa {
+         auth = pubkey
+      }
+      remote-xauth {
+         auth = xauth-eap
+       }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 4361417..f4d215f
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 377aedf..d9ea2ec
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,8 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index eb1e15d..0d9e9f3
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fb30d16..87ca2ed
--- a/testing/tests/ikev1/xauth-rsa-radius/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt
@@ -1,7 +1,13 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
-equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
-defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> verifies
-<b>carol</b>'s XAUTH user credentials using a RADIUS connection with AAA server
-<b>alice</b>.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name equal to the <b>IKEv1</b> identity
+carol@strongswan.org and a user password defined and stored by <b>carol</b> in  the secrets
+section of swanctl.conf.
+<p/>
+Gateway <b>moon</b> delegates the verification of <b>carol</b>'s XAUTH user credentials to
+the RADIUS server <b>alice</b>.
+<p>
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 7e11d2a..10009c7
--- a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -1,9 +1,6 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 2fdd60f..0000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftauth=pubkey
-       leftauth2=xauth
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index d66f3fc..0000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..38a3077
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f4ee067..0000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftcert=moonCert.pem
-       leftauth=pubkey
-       leftfirewall=yes
-       right=%any
-       rightauth=pubkey
-       rightauth2=xauth-radius
-       auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 2f8caca..88d80fc
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-radius kernel-netlink socket-default updown vici
  
    plugins {
      eap-radius {
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d6dea89
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote-rsa {
+         auth = pubkey
+      }
+      remote-xauth {
+         auth = xauth-radius
+       }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 4361417..f4d215f
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 377aedf..d9ea2ec
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,8 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index b4088e8..0d9e9f3
--- a/testing/tests/ikev1/xauth-rsa-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol"
  # Guest instances on which FreeRadius is started
  #
  RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index a9b76b6..cccf975
--- a/testing/tests/ikev1/xauth-rsa/description.txt
+++ b/testing/tests/ikev1/xauth-rsa/description.txt
@@ -1,11 +1,10 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names equal to the <b>IKEv1 identity</b> (<b>carol@strongswan.org</b> and
-<b>dave@strongswan.org</b>, respectively) and corresponding user passwords defined and
-stored in ipsec.secrets.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names equal to
+the <b>IKEv1 identities</b> carol@strongswan.org and dave@strongswan.org, respectively and
+corresponding user passwords defined and stored in the secrets section of swanctl.conf.
  <p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
  <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 90cf05c..4929f0a
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
  moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 2fdd60f..0000000
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftauth=pubkey
-       leftauth2=xauth
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 4a77c3b..0000000
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b635720..d274a81
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..38a3077
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..594df12
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+       }
+      remote-rsa {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth {
+      id = dave@strongswan.org
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index e3bada0..d274a81
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f41d48f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local-rsa {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote-rsa {
+         auth = pubkey
+      }
+      remote-xauth {
+         auth = xauth
+       }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   xauth-carol {
+      id = carol@strongswan.org
+      secret = 4iChxLT3
+   }
+   xauth-dave {
+      id = dave@strongswan.org
+      secret = ryftzG4A
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/description.txt b/testing/tests/ikev2-algs/alg-3des-md5/description.txt

new file mode 100644 (file)

index 0000000..5f6a866
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3des-md5-modp1024</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/evaltest.dat b/testing/tests/ikev2-algs/alg-3des-md5/evaltest.dat

new file mode 100644 (file)

index 0000000..f9f9e4d
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/evaltest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ea3f5d0
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =3des-md5-modp1024
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..16c11ba
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = 3des-md5-modp1024
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/posttest.dat b/testing/tests/ikev2-algs/alg-3des-md5/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/pretest.dat b/testing/tests/ikev2-algs/alg-3des-md5/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/test.conf b/testing/tests/ikev2-algs/alg-3des-md5/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/description.txt b/testing/tests/ikev2-algs/alg-aes-ccm/description.txt

new file mode 100644 (file)

index 0000000..cbed96d
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>aes128ccm12-aesxcbc-x25519</b> and the ESP cipher suite <b>aes128ccm12-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2-algs/alg-aes-ccm/evaltest.dat

new file mode 100644 (file)

index 0000000..dc4ca4c
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CCM_12 encr-keysize=128 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CCM_12 encr-keysize=128 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1d7302e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..65b8b2e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128ccm12-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128ccm12-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1d7302e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6936ed7
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128ccm12-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128ccm12-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/posttest.dat b/testing/tests/ikev2-algs/alg-aes-ccm/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/pretest.dat b/testing/tests/ikev2-algs/alg-aes-ccm/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-aes-ccm/test.conf b/testing/tests/ikev2-algs/alg-aes-ccm/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ccm/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/description.txt b/testing/tests/ikev2-algs/alg-aes-ctr/description.txt

new file mode 100644 (file)

index 0000000..64dbec7
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>aes128ctr-aesxcbc-x25519</b> and the ESP cipher suite <b>aes128ct-aesxcbc-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2-algs/alg-aes-ctr/evaltest.dat

new file mode 100644 (file)

index 0000000..964f128
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CTR encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CTR encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0cb2f17
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..01a0912
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128ctr-aesxcbc-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128ctr-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0cb2f17
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..48b6ec5
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128ctr-aesxcbc-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128ctr-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/posttest.dat b/testing/tests/ikev2-algs/alg-aes-ctr/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/pretest.dat b/testing/tests/ikev2-algs/alg-aes-ctr/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-aes-ctr/test.conf b/testing/tests/ikev2-algs/alg-aes-ctr/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-ctr/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/description.txt b/testing/tests/ikev2-algs/alg-aes-gcm/description.txt

new file mode 100644 (file)

index 0000000..732554a
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>aes128gcm16-aesxcbc-x25519</b> and the ESP cipher suite <b>aes128gcm16-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2-algs/alg-aes-gcm/evaltest.dat

new file mode 100644 (file)

index 0000000..b7a83d3
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_GCM_16 encr-keysize=128 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_GCM_16 encr-keysize=128 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..891b8c8
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7945b6e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128gcm16-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..891b8c8
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..567a834
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm16-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128gcm16-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/posttest.dat b/testing/tests/ikev2-algs/alg-aes-gcm/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/pretest.dat b/testing/tests/ikev2-algs/alg-aes-gcm/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-aes-gcm/test.conf b/testing/tests/ikev2-algs/alg-aes-gcm/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-gcm/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/description.txt b/testing/tests/ikev2-algs/alg-aes-xcbc/description.txt

new file mode 100644 (file)

index 0000000..273114f
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128-aesxcbc-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2-algs/alg-aes-xcbc/evaltest.dat

new file mode 100644 (file)

index 0000000..05e2417
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..4ad5641
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..111773c
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-aesxcbc-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..4ad5641
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6819ced
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-aesxcbc-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-aesxcbc-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2-algs/alg-aes-xcbc/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2-algs/alg-aes-xcbc/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-aes-xcbc/test.conf b/testing/tests/ikev2-algs/alg-aes-xcbc/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-aes-xcbc/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev2-algs/alg-blowfish/description.txt

similarity index 58%

rename from testing/tests/ikev1/alg-blowfish/description.txt

rename to testing/tests/ikev2-algs/alg-blowfish/description.txt

index 24b50b909be311f221d409ff3e26f84759be5399..47f559ba7a0206f4710368510ee427593d8a5c6e 100644 (file)
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev2-algs/alg-blowfish/description.txt
@@ -1,6 +1,5 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP encryption.
+<p/>
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2-algs/alg-blowfish/evaltest.dat b/testing/tests/ikev2-algs/alg-blowfish/evaltest.dat

new file mode 100644 (file)

index 0000000..b3d63b4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/evaltest.dat
@@ -0,0 +1,12 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 192::YES
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..541ca82
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish128-sha256-modp1536
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = blowfish128-sha256-modp1536
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..126bbde
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = blowfish256-sha512-modp2048
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a3e8fd
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..75598e1
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048,blowfish128-sha256-modp1536
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = blowfish256-sha512-modp2048,blowfish128-sha256-modp1536
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-blowfish/posttest.dat b/testing/tests/ikev2-algs/alg-blowfish/posttest.dat

new file mode 100644 (file)

index 0000000..86f2972
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/posttest.dat
@@ -0,0 +1,3 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-blowfish/pretest.dat b/testing/tests/ikev2-algs/alg-blowfish/pretest.dat

new file mode 100644 (file)

index 0000000..6020ff4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-blowfish/pretest.dat
@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/rw-cert-ppk/test.conf b/testing/tests/ikev2-algs/alg-blowfish/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/test.conf

rename to testing/tests/ikev2-algs/alg-blowfish/test.conf
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/description.txt b/testing/tests/ikev2-algs/alg-chacha20poly1305/description.txt

new file mode 100644 (file)

index 0000000..0c66fb5
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>chacha20poly1305-prfsha256-x25519</b> and the ESP cipher suite <b>chacha20poly1305-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/evaltest.dat b/testing/tests/ikev2-algs/alg-chacha20poly1305/evaltest.dat

new file mode 100644 (file)

index 0000000..b7025ad
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CHACHA20_POLY1305 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=CHACHA20_POLY1305.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CHACHA20_POLY1305 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=CHACHA20_POLY1305.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
+carol::ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf

similarity index 59%

rename from testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf

index c7b494ddca5b9a0a2b14098ad9a701ed63059560..ab9907d6980220731b59a70a8f862adf931392a3 100644 (file)
--- a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+charon {
+  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..508e084
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = chacha20poly1305-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = chacha20poly1305-prfsha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..ab9907d
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..78e3184
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = chacha20poly1305-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = chacha20poly1305-prfsha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/posttest.dat b/testing/tests/ikev2-algs/alg-chacha20poly1305/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2-algs/alg-chacha20poly1305/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-chacha20poly1305/test.conf b/testing/tests/ikev2-algs/alg-chacha20poly1305/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-chacha20poly1305/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/alg-modp-subgroup/description.txt b/testing/tests/ikev2-algs/alg-modp-subgroup/description.txt

similarity index 76%

rename from testing/tests/ikev2/alg-modp-subgroup/description.txt

rename to testing/tests/ikev2-algs/alg-modp-subgroup/description.txt

index cb7d117201b696c98f0b9818cb267e25cd00923d..ff497bebf64390f6b6574b2a03593571f37227eb 100644 (file)
--- a/testing/tests/ikev2/alg-modp-subgroup/description.txt
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/description.txt
@@ -1,4 +1,4 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b> using the <b>MODP Diffie-Hellman Groups 22, 23, and 24</b>
  with <b>Prime Order Subgroups</b>.
  <p/>
@@ -7,8 +7,5 @@ with <b>Prime Order Subgroups</b>.
  Since <b>moon</b> does not support MODP_2048_224 the roadwarriors fall back to
  MODP_1024_160 and MODP_2048_256, respectively.
  <p/>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2-algs/alg-modp-subgroup/evaltest.dat

new file mode 100644 (file)

index 0000000..a15971c
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

similarity index 70%

rename from testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

index be00a11eb21f7218f2a810cbf63fccb56a365528..1a3653375f7ff2ed94967fb9adebf0440225d682 100644 (file)
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ce3cc9a
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha1
+         }
+      }
+      version = 2
+      proposals = aes128-sha1-modp2048s224,aes128-sha1-modp1024s160
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1a36533
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c88500c
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp2048s224,aes128-sha256-modp2048s256
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1a36533
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f50cd55
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-sha1
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp2048s256,aes128-sha1-modp1024s160
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2-algs/alg-modp-subgroup/posttest.dat

new file mode 100644 (file)

index 0000000..86f2972
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/posttest.dat
@@ -0,0 +1,3 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2-algs/alg-modp-subgroup/pretest.dat

new file mode 100644 (file)

index 0000000..6020ff4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-modp-subgroup/pretest.dat
@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/rw-cert-pss/test.conf b/testing/tests/ikev2-algs/alg-modp-subgroup/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/test.conf

rename to testing/tests/ikev2-algs/alg-modp-subgroup/test.conf
diff --git a/testing/tests/ikev2-algs/alg-sha256/description.txt b/testing/tests/ikev2-algs/alg-sha256/description.txt

new file mode 100644 (file)

index 0000000..d50811d
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128-sha256-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-sha256/evaltest.dat b/testing/tests/ikev2-algs/alg-sha256/evaltest.dat

new file mode 100644 (file)

index 0000000..ca5b455
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..80e41a4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0fc6d9e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha256/posttest.dat b/testing/tests/ikev2-algs/alg-sha256/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-sha256/pretest.dat b/testing/tests/ikev2-algs/alg-sha256/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-sha256/test.conf b/testing/tests/ikev2-algs/alg-sha256/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha256/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-sha384/description.txt b/testing/tests/ikev2-algs/alg-sha384/description.txt

new file mode 100644 (file)

index 0000000..6e844c6
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes192-sha384-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-sha384/evaltest.dat b/testing/tests/ikev2-algs/alg-sha384/evaltest.dat

new file mode 100644 (file)

index 0000000..9274954
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6a4f402
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes192-sha384-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes192-sha384-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bf2f9e4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes192-sha384-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes192-sha384-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha384/posttest.dat b/testing/tests/ikev2-algs/alg-sha384/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-sha384/pretest.dat b/testing/tests/ikev2-algs/alg-sha384/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-sha384/test.conf b/testing/tests/ikev2-algs/alg-sha384/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha384/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-sha512/description.txt b/testing/tests/ikev2-algs/alg-sha512/description.txt

new file mode 100644 (file)

index 0000000..0668edc
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes256-sha512-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/alg-sha512/evaltest.dat b/testing/tests/ikev2-algs/alg-sha512/evaltest.dat

new file mode 100644 (file)

index 0000000..beed20e
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..8a455f7
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes256-sha512-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..eb37732
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes256-sha512-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes256-sha512-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/alg-sha512/posttest.dat b/testing/tests/ikev2-algs/alg-sha512/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/alg-sha512/pretest.dat b/testing/tests/ikev2-algs/alg-sha512/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/alg-sha512/test.conf b/testing/tests/ikev2-algs/alg-sha512/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-sha512/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/description.txt b/testing/tests/ikev2-algs/esp-alg-aes-gmac/description.txt

new file mode 100644 (file)

index 0000000..9cea5fa
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128gmac-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2-algs/esp-alg-aes-gmac/evaltest.dat

new file mode 100644 (file)

index 0000000..5757697
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL_AES_GMAC encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL_AES_GMAC encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6865de6
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f6d2283
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gmac-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6865de6
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f59b715
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gmac-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2-algs/esp-alg-aes-gmac/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2-algs/esp-alg-aes-gmac/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2-algs/esp-alg-aes-gmac/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-aes-gmac/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/description.txt b/testing/tests/ikev2-algs/esp-alg-md5-128/description.txt

new file mode 100644 (file)

index 0000000..fa3f21f
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3des-md5_128-modp1024</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2-algs/esp-alg-md5-128/evaltest.dat

new file mode 100644 (file)

index 0000000..9f001e0
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(md5).* 128::YES
+carol::ip xfrm state::auth-trunc hmac(md5).* 128::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..214a965
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =3des-md5_128-modp1024
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..19c3892
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..06ce2dc
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = 3des-md5_128-modp1024
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-md5-modp1024
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2-algs/esp-alg-md5-128/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2-algs/esp-alg-md5-128/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/esp-alg-md5-128/test.conf b/testing/tests/ikev2-algs/esp-alg-md5-128/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-md5-128/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/esp-alg-null/description.txt b/testing/tests/ikev2-algs/esp-alg-null/description.txt

new file mode 100644 (file)

index 0000000..064906b
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>null-sha256-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/esp-alg-null/evaltest.dat b/testing/tests/ikev2-algs/esp-alg-null/evaltest.dat

new file mode 100644 (file)

index 0000000..1ce217d
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c644187
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = null-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d42a980
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..a3bf3e0
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = null-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-null/posttest.dat b/testing/tests/ikev2-algs/esp-alg-null/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/esp-alg-null/pretest.dat b/testing/tests/ikev2-algs/esp-alg-null/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/esp-alg-null/test.conf b/testing/tests/ikev2-algs/esp-alg-null/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-null/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/description.txt b/testing/tests/ikev2-algs/esp-alg-sha1-160/description.txt

new file mode 100644 (file)

index 0000000..99c9b0e
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3des-sha1_160-modp2048</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2-algs/esp-alg-sha1-160/evaltest.dat

new file mode 100644 (file)

index 0000000..cacfcac
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_160.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_160.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha1).* 160::YES
+carol::ip xfrm state::auth-trunc hmac(sha1).* 160::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 188::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 188::YES
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..08f5358
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..84811ca
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =3des-sha1_160-modp2048
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-sha1-modp2048
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..08f5358
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..d0728d1
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = 3des-sha1_160-modp2048
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = 3des-sha1-modp2048
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2-algs/esp-alg-sha1-160/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2-algs/esp-alg-sha1-160/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/esp-alg-sha1-160/test.conf b/testing/tests/ikev2-algs/esp-alg-sha1-160/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha1-160/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2-algs/esp-alg-sha256-96/description.txt

similarity index 50%

rename from testing/tests/ikev1/esp-alg-aes-ccm/description.txt

rename to testing/tests/ikev2-algs/esp-alg-sha256-96/description.txt

index 40cc821283098dac2eddf5c055237d9b7fb6edd8..46cba7a34f9c22ab56781f29d61d652cc31a3ab5 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/description.txt
@@ -1,4 +1,5 @@
  Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-curve25519</b> or alternatively
-<b>esp=aes128ccm96-curve25519</b> in ipsec.conf.
+<b>aes128-sha256_96-curve25519</b> which uses 96 bit instead of the standard 128 bit
+truncation, allowing compatibility with Linux kernels older than 2.6.33.
+<p/>
  A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/evaltest.dat b/testing/tests/ikev2-algs/esp-alg-sha256-96/evaltest.dat

new file mode 100644 (file)

index 0000000..4fc808c
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/evaltest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf

similarity index 61%

rename from testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf

index 7625e5066e971524e52ab4f1cd707b7258b63116..50ac31371bf109dc9e926c15317162504e9d4cf0 100644 (file)
--- a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  send_vendor_id = yes
  }
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4cafb9d
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256_96-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf

similarity index 61%

rename from testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf

index 7625e5066e971524e52ab4f1cd707b7258b63116..50ac31371bf109dc9e926c15317162504e9d4cf0 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  send_vendor_id = yes
  }
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f9e6bfe
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256_96-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/posttest.dat b/testing/tests/ikev2-algs/esp-alg-sha256-96/posttest.dat

new file mode 100644 (file)

index 0000000..ec5d4c4
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/pretest.dat b/testing/tests/ikev2-algs/esp-alg-sha256-96/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-algs/esp-alg-sha256-96/test.conf b/testing/tests/ikev2-algs/esp-alg-sha256-96/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2-algs/esp-alg-sha256-96/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-multi-ca/.gitignore b/testing/tests/ikev2-multi-ca/.gitignore

new file mode 100644 (file)

index 0000000..f8443fe
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2-multi-ca/certreq-init/description.txt

similarity index 58%

rename from testing/tests/ikev2/multi-level-ca-cr-init/description.txt

rename to testing/tests/ikev2-multi-ca/certreq-init/description.txt

index 602d026c2da9a54d6188e845c78fd2d8d47316fd..f4f80282f00adf2a30ca98472e4a8e6e3512f2fe 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
+++ b/testing/tests/ikev2-multi-ca/certreq-init/description.txt
@@ -1,6 +1,6 @@
  The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
  <b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
-the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the responders <b>carol</b> and <b>dave</b>, respectively.
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certif
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does
+not possess copies of the Research and Sales CA certificates and must therefore
+request them from the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/evaltest.dat b/testing/tests/ikev2-multi-ca/certreq-init/evaltest.dat

new file mode 100644 (file)

index 0000000..76e544c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/strongswan.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 55%

rename from testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/strongswan.conf

index 61d2bd9..f3b571a
--- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/strongswan.conf
@@ -5,5 +5,5 @@ swanctl {
  }
  
  charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..63a0a68
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/strongswan.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 54%

rename from testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/strongswan.conf

index ad4c18e..f3b571a
--- a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/strongswan.conf
@@ -5,5 +5,5 @@ swanctl {
  }
  
  charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..a474697
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/strongswan.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 54%

rename from testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/strongswan.conf

index ad4c18e..f3b571a
--- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/strongswan.conf
@@ -5,5 +5,5 @@ swanctl {
  }
  
  charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..edaad23
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,50 @@
+connections {
+
+   carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/posttest.dat b/testing/tests/ikev2-multi-ca/certreq-init/posttest.dat

new file mode 100644 (file)

index 0000000..e0fe01f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/certreq-init/pretest.dat b/testing/tests/ikev2-multi-ca/certreq-init/pretest.dat

new file mode 100644 (file)

index 0000000..40b78ee
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-init/pretest.dat
@@ -0,0 +1,9 @@
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::systemctl start strongswan
+carol::expect-connection moon
+moon::expect-connection carol
+moon::swanctl --initiate --child alice 2> /dev/null
+dave::expect-connection moon
+moon::expect-connection dave
+moon::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/dhcp-dynamic/test.conf b/testing/tests/ikev2-multi-ca/certreq-init/test.conf

similarity index 94%

rename from testing/tests/swanctl/dhcp-dynamic/test.conf

rename to testing/tests/ikev2-multi-ca/certreq-init/test.conf

index 853093c96bfe1c2915d00593f53d347c6d6c940f..c295cf019c87f80fe1bbcc617a1cd3f5e49ddfd3 100644 (file)
--- a/testing/tests/swanctl/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-init/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-v-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/description.txt b/testing/tests/ikev2-multi-ca/certreq-resp/description.txt

new file mode 100644 (file)

index 0000000..0922638
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates
+from the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b>
+does not possess copies of the Research and Sales CA certificates and must therefore
+request them from the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/evaltest.dat b/testing/tests/ikev2-multi-ca/certreq-resp/evaltest.dat

new file mode 100644 (file)

index 0000000..76e544c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/strongswan.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 54%

rename from testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/strongswan.conf

index ad4c18e..f3b571a
--- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/strongswan.conf
@@ -5,5 +5,5 @@ swanctl {
  }
  
  charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..63a0a68
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..a474697
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   moon {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..edaad23
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,50 @@
+connections {
+
+   carol {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   dave {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.200
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/posttest.dat b/testing/tests/ikev2-multi-ca/certreq-resp/posttest.dat

new file mode 100644 (file)

index 0000000..e0fe01f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/certreq-resp/pretest.dat b/testing/tests/ikev2-multi-ca/certreq-resp/pretest.dat

new file mode 100644 (file)

index 0000000..b3a7ac3
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/pretest.dat
@@ -0,0 +1,9 @@
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::systemctl start strongswan
+moon::expect-connection carol
+carol::expect-connection moon
+carol::swanctl --initiate --child alice 2> /dev/null
+moon::expect-connection dave
+dave::expect-connection moon
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2-multi-ca/certreq-resp/test.conf

similarity index 91%

rename from testing/tests/ikev2/multi-level-ca-cr-resp/test.conf

rename to testing/tests/ikev2-multi-ca/certreq-resp/test.conf

index 9bb88d79f0be04fcb59ca44f0aa54476c8c7c8b4..c295cf019c87f80fe1bbcc617a1cd3f5e49ddfd3 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2-multi-ca/certreq-resp/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/multi-level-ca-l3/description.txt b/testing/tests/ikev2-multi-ca/crls-l3/description.txt

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/description.txt

rename to testing/tests/ikev2-multi-ca/crls-l3/description.txt
diff --git a/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat b/testing/tests/ikev2-multi-ca/crls-l3/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/evaltest.dat

rename to testing/tests/ikev2-multi-ca/crls-l3/evaltest.dat
diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/multi-level-ca-l3/posttest.dat b/testing/tests/ikev2-multi-ca/crls-l3/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca-l3/posttest.dat

rename to testing/tests/ikev2-multi-ca/crls-l3/posttest.dat
diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/ikev2-multi-ca/crls-l3/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/pretest.dat

rename to testing/tests/ikev2-multi-ca/crls-l3/pretest.dat
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2-multi-ca/crls-l3/test.conf

similarity index 91%

rename from testing/tests/ikev1/multi-level-ca-cr-resp/test.conf

rename to testing/tests/ikev2-multi-ca/crls-l3/test.conf

index 9bb88d79f0be04fcb59ca44f0aa54476c8c7c8b4..c295cf019c87f80fe1bbcc617a1cd3f5e49ddfd3 100644 (file)
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2-multi-ca/crls-l3/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca/description.txt b/testing/tests/ikev2-multi-ca/crls/description.txt

similarity index 100%

rename from testing/tests/ikev2/multi-level-ca/description.txt

rename to testing/tests/ikev2-multi-ca/crls/description.txt
diff --git a/testing/tests/swanctl/multi-level-ca/evaltest.dat b/testing/tests/ikev2-multi-ca/crls/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/evaltest.dat

rename to testing/tests/ikev2-multi-ca/crls/evaltest.dat
diff --git a/testing/tests/ikev2-multi-ca/crls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/crls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/crls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/crls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/crls/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/crls/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/ocsp-multi-level/posttest.dat b/testing/tests/ikev2-multi-ca/crls/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/posttest.dat

rename to testing/tests/ikev2-multi-ca/crls/posttest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat b/testing/tests/ikev2-multi-ca/crls/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat

rename to testing/tests/ikev2-multi-ca/crls/pretest.dat
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2-multi-ca/crls/test.conf

similarity index 91%

rename from testing/tests/ikev2/multi-level-ca-cr-init/test.conf

rename to testing/tests/ikev2-multi-ca/crls/test.conf

index 9bb88d79f0be04fcb59ca44f0aa54476c8c7c8b4..c295cf019c87f80fe1bbcc617a1cd3f5e49ddfd3 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev2-multi-ca/crls/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/description.txt b/testing/tests/ikev2-multi-ca/ldap/description.txt

similarity index 91%

rename from testing/tests/ikev2/multi-level-ca-ldap/description.txt

rename to testing/tests/ikev2-multi-ca/ldap/description.txt

index 18fb888406c3882461bcbd811a0ffb7dda525d24..49a02ef78cf8e7e73dcbfc42202223ec17337623 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-ldap/description.txt
+++ b/testing/tests/ikev2-multi-ca/ldap/description.txt
@@ -6,6 +6,6 @@ Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
  the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
  <b>alice</b> and <b>dave</b> can reach <b>venus</b>.
  <p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
+By setting <b>revocation = strict</b> the CRLs from the strongSwan, Research and
  Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
  connection setups can be successfully completed.
diff --git a/testing/tests/ikev2-multi-ca/ldap/evaltest.dat b/testing/tests/ikev2-multi-ca/ldap/evaltest.dat

new file mode 100644 (file)

index 0000000..af4b177
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/evaltest.dat
@@ -0,0 +1,19 @@
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*research.*unacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6ae09a0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b0621ab
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+authorities {
+   strongswan {
+     cacert = strongswanCert.pem
+     crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+   }
+}
+
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6ae09a0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e0a7ee3
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+authorities {
+   strongswan {
+     cacert = strongswanCert.pem
+     crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+   }
+}
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules

rename to testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6ae09a0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e985cf4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,63 @@
+authorities {
+  strongswan {
+     cacert = strongswanCert.pem
+     crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+  }
+  research {
+     cacert=researchCert.pem
+     crl_uris = 'ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList'
+  }
+  sales {
+     cacert=salesCert.pem
+     crl_uris = 'ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList'
+  }
+}
+
+connections {
+
+   research {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = researchCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = salesCert.pem
+         revocation = strict
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/posttest.dat b/testing/tests/ikev2-multi-ca/ldap/posttest.dat

new file mode 100644 (file)

index 0000000..8abf31c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/posttest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+winnetou::systemctl stop slapd
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/ldap/pretest.dat b/testing/tests/ikev2-multi-ca/ldap/pretest.dat

new file mode 100644 (file)

index 0000000..9b0a06d
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/pretest.dat
@@ -0,0 +1,11 @@
+winnetou::/etc/init.d/slapd start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2-multi-ca/ldap/test.conf b/testing/tests/ikev2-multi-ca/ldap/test.conf

new file mode 100644 (file)

index 0000000..c295cf0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca-loop/description.txt b/testing/tests/ikev2-multi-ca/loop/description.txt

similarity index 100%

rename from testing/tests/ikev2/multi-level-ca-loop/description.txt

rename to testing/tests/ikev2-multi-ca/loop/description.txt
diff --git a/testing/tests/ikev2-multi-ca/loop/evaltest.dat b/testing/tests/ikev2-multi-ca/loop/evaltest.dat

new file mode 100644 (file)

index 0000000..d3daa14
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..65ac5b9
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2598416
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/posttest.dat b/testing/tests/ikev2-multi-ca/loop/posttest.dat

new file mode 100644 (file)

index 0000000..adbfd8f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/loop/pretest.dat b/testing/tests/ikev2-multi-ca/loop/pretest.dat

new file mode 100644 (file)

index 0000000..6a2c17c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2-multi-ca/loop/test.conf

similarity index 90%

rename from testing/tests/ikev2/multi-level-ca-loop/test.conf

rename to testing/tests/ikev2-multi-ca/loop/test.conf

index a24ec4f1d23fd202f55a7a45b675032dfb86a0c9..940158eca0566707f03912dea02d1f2fcfaef893 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2-multi-ca/loop/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-multi-level/description.txt b/testing/tests/ikev2-multi-ca/ocsp-signers/description.txt

similarity index 91%

rename from testing/tests/ikev2/ocsp-multi-level/description.txt

rename to testing/tests/ikev2-multi-ca/ocsp-signers/description.txt

index cd0ecf1623a64d4542a188b039c83fab715413a1..0e223bf666764dc2d6ee9ba28ab16c16e8f09519 100644 (file)
--- a/testing/tests/ikev2/ocsp-multi-level/description.txt
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/description.txt
@@ -6,5 +6,5 @@ Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
  the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
  <b>alice</b> and <b>dave</b> can reach <b>venus</b>.
  <p>
-By setting <b>strictcrlpolicy=yes</b>, the certificate status from the strongSwan, Research and
+By setting <b>revocation = strict</b>, the certificate status from the strongSwan, Research and
  Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/evaltest.dat

rename to testing/tests/ikev2-multi-ca/ocsp-signers/evaltest.dat
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat

new file mode 100644 (file)

index 0000000..506b6a2
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-multi-level/pretest.dat

rename to testing/tests/ikev2-multi-ca/ocsp-signers/pretest.dat
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf

new file mode 100644 (file)

index 0000000..c295cf0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt

similarity index 84%

rename from testing/tests/ikev2/ocsp-strict-ifuri/description.txt

rename to testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt

index 2791e761f5a3dea09b658cb169241097d679c97e..c0576458bb352c619c16daa6ac7ea7818acb7618 100644 (file)
--- a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt
@@ -1,18 +1,16 @@
-This scenario tests the <b>strictcrlpolicy=ifuri</b> option which enforces a
+This scenario tests the <b>revocation = ifuri</b> option which enforces a
  strict CRL policy for a given CA if at least one OCSP or CRL URI is known
  for this CA at the time of the certificate trust path verification.
  On the gateway <b>moon</b> two different Intermediate CAs control the access
  to the hosts <b>alice</b> and <b>venus</b>. Access to <b>alice</b> is granted
  to users presenting a certificate issued by the Research CA whereas <b>venus</b>
-can only be reached with a certificate issued by the Sales CA. 
-<p>
+can only be reached with a certificate issued by the Sales CA.
+<p/>
  The roadwarrior <b>carol</b> has a certificate from the Research CA which does not
  contain any URIs. Therefore a strict CRL policy is <b>not</b> enforced and the
  connection setup succeeds, although the certificate status is unknown.
-</p>
-<p>
+<p/>
  The roadwarrior <b>dave</b> has a certificate from the Sales CA which contains
  a single OCSP URI but which is not resolvable. Thus because of  the known URI
  a strict CRL policy is enforced and the unknown certificate status causes the
  connection setup to fail.
-</p>
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat

new file mode 100644 (file)

index 0000000..65d856e
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f7dc3a9
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..de7341d
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..8905ebe
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+   research {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = researchCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = salesCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat

new file mode 100644 (file)

index 0000000..a957f65
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat
@@ -0,0 +1,4 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat

new file mode 100644 (file)

index 0000000..eb0921e
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat
@@ -0,0 +1,9 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+moon::expect-connection sales
+dave::expect-connection home
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf

new file mode 100644 (file)

index 0000000..c295cf0
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/description.txt b/testing/tests/ikev2-multi-ca/pathlen/description.txt

similarity index 100%

rename from testing/tests/ikev2/multi-level-ca-pathlen/description.txt

rename to testing/tests/ikev2-multi-ca/pathlen/description.txt
diff --git a/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat b/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat

new file mode 100644 (file)

index 0000000..d05fe30
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::duck.*state=ESTABLISHED.*child-sas.*duck.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*duck.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..66cde93
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         duck {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..76f98f6
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   duck {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = duckCert.pem
+      }
+      children {
+         duck {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/posttest.dat b/testing/tests/ikev2-multi-ca/pathlen/posttest.dat

new file mode 100644 (file)

index 0000000..adbfd8f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/pathlen/pretest.dat b/testing/tests/ikev2-multi-ca/pathlen/pretest.dat

new file mode 100644 (file)

index 0000000..f6002f8
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection duck
+carol::expect-connection home
+carol::swanctl --initiate --child duck 2> /dev/null
diff --git a/testing/tests/swanctl/ip-two-pools/test.conf b/testing/tests/ikev2-multi-ca/pathlen/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 88%

rename from testing/tests/swanctl/ip-two-pools/test.conf

rename to testing/tests/ikev2-multi-ca/pathlen/test.conf

index 5f67b7e..940158e
--- a/testing/tests/swanctl/ip-two-pools/test.conf
+++ b/testing/tests/ikev2-multi-ca/pathlen/test.conf
@@ -13,12 +13,12 @@ DIAGRAM="a-m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="carol alice"
+TCPDUMPHOSTS=""
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
-IPSECHOSTS="moon carol alice"
+IPSECHOSTS="moon carol"
  
  # charon controlled by swanctl
  #
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/description.txt b/testing/tests/ikev2-multi-ca/revoked/description.txt

similarity index 98%

rename from testing/tests/ikev2/multi-level-ca-revoked/description.txt

rename to testing/tests/ikev2-multi-ca/revoked/description.txt

index c91ac285b0a4db4be3533a73aeb754446863b670..2fb5a4e3e4732598610f560dc672610314fb9aae 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-revoked/description.txt
+++ b/testing/tests/ikev2-multi-ca/revoked/description.txt
@@ -1,4 +1,4 @@
  The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
  The certificate of the Research CA has been revoked by the Root CA by entering
  the serial number in the CRL. Therefore upon verification of the trust path
-the gateway <b>moon</b> will reject the roadwarrior's certificate  
+the gateway <b>moon</b> will reject the roadwarrior's certificate
diff --git a/testing/tests/ikev2-multi-ca/revoked/evaltest.dat b/testing/tests/ikev2-multi-ca/revoked/evaltest.dat

new file mode 100644 (file)

index 0000000..453de63
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..65ac5b9
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2598416
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/posttest.dat b/testing/tests/ikev2-multi-ca/revoked/posttest.dat

new file mode 100644 (file)

index 0000000..adbfd8f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/revoked/pretest.dat b/testing/tests/ikev2-multi-ca/revoked/pretest.dat

new file mode 100644 (file)

index 0000000..6a2c17c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-signer-cert/test.conf b/testing/tests/ikev2-multi-ca/revoked/test.conf

similarity index 86%

rename from testing/tests/swanctl/ocsp-signer-cert/test.conf

rename to testing/tests/ikev2-multi-ca/revoked/test.conf

index c5b3ecc4353c853ecba8a46242d2033e664b2bc1..940158eca0566707f03912dea02d1f2fcfaef893 100644 (file)
--- a/testing/tests/swanctl/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2-multi-ca/revoked/test.conf
@@ -5,11 +5,11 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
  
  # Corresponding block diagram
  #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt b/testing/tests/ikev2-multi-ca/rw-hash-and-url/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/description.txt
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/evaltest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/posttest.dat
diff --git a/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat

new file mode 100644 (file)

index 0000000..456938c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat
@@ -0,0 +1,10 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/test.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 100%

rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/test.conf

rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/test.conf
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/description.txt b/testing/tests/ikev2-multi-ca/skipped/description.txt

similarity index 100%

rename from testing/tests/ikev2/multi-level-ca-skipped/description.txt

rename to testing/tests/ikev2-multi-ca/skipped/description.txt
diff --git a/testing/tests/ikev2-multi-ca/skipped/evaltest.dat b/testing/tests/ikev2-multi-ca/skipped/evaltest.dat

new file mode 100644 (file)

index 0000000..e17c97d
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7425e40
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f3b571a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..800c26e
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = researchCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/posttest.dat b/testing/tests/ikev2-multi-ca/skipped/posttest.dat

new file mode 100644 (file)

index 0000000..adbfd8f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/skipped/pretest.dat b/testing/tests/ikev2-multi-ca/skipped/pretest.dat

new file mode 100644 (file)

index 0000000..6a2c17c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/swanctl/crl-to-cache/test.conf b/testing/tests/ikev2-multi-ca/skipped/test.conf

similarity index 86%

rename from testing/tests/swanctl/crl-to-cache/test.conf

rename to testing/tests/ikev2-multi-ca/skipped/test.conf

index fdda0a04cb8b93739090aef7371ad388cd92f917..940158eca0566707f03912dea02d1f2fcfaef893 100644 (file)
--- a/testing/tests/swanctl/crl-to-cache/test.conf
+++ b/testing/tests/ikev2-multi-ca/skipped/test.conf
@@ -5,11 +5,11 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
  
  # Corresponding block diagram
  #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
@@ -21,4 +21,5 @@ TCPDUMPHOSTS=""
  IPSECHOSTS="moon carol"
  
  # charon controlled by swanctl
+#
  SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/.gitignore b/testing/tests/ikev2-stroke-bye/.gitignore

new file mode 100644 (file)

index 0000000..f8443fe
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev2/any-interface/description.txt b/testing/tests/ikev2-stroke-bye/any-interface/description.txt

similarity index 100%

rename from testing/tests/ikev2/any-interface/description.txt

rename to testing/tests/ikev2-stroke-bye/any-interface/description.txt
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/any-interface/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/posttest.dat b/testing/tests/ikev2-stroke-bye/any-interface/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/any-interface/posttest.dat

rename to testing/tests/ikev2-stroke-bye/any-interface/posttest.dat
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2-stroke-bye/any-interface/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/any-interface/pretest.dat

rename to testing/tests/ikev2-stroke-bye/any-interface/pretest.dat
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2-stroke-bye/any-interface/test.conf

similarity index 100%

rename from testing/tests/ikev2/any-interface/test.conf

rename to testing/tests/ikev2-stroke-bye/any-interface/test.conf
diff --git a/testing/tests/ikev2/compress-nat/description.txt b/testing/tests/ikev2-stroke-bye/compress-nat/description.txt

similarity index 100%

rename from testing/tests/ikev2/compress-nat/description.txt

rename to testing/tests/ikev2-stroke-bye/compress-nat/description.txt
diff --git a/testing/tests/ikev2/compress-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/compress-nat/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/compress-nat/posttest.dat

rename to testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat
diff --git a/testing/tests/ikev2/compress-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/compress-nat/pretest.dat

rename to testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat
diff --git a/testing/tests/ikev2/compress-nat/test.conf b/testing/tests/ikev2-stroke-bye/compress-nat/test.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/test.conf

rename to testing/tests/ikev2-stroke-bye/compress-nat/test.conf
diff --git a/testing/tests/ikev2/crl-from-cache/description.txt b/testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/description.txt

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/crl-from-cache/posttest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/posttest.dat

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/pretest.dat

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf

similarity index 100%

rename from testing/tests/ikev2/crl-from-cache/test.conf

rename to testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/description.txt b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/description.txt

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/posttest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/pretest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/test.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/description.txt b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/description.txt

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf

similarity index 92%

rename from testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..0fbefa3fc2f7c2fe6e357f6b108dc6a283163d77 100644 (file)
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
  }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/posttest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/pretest.dat

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/test.conf

rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf
diff --git a/testing/tests/ikev2/dpd-hold/description.txt b/testing/tests/ikev2-stroke-bye/dpd-hold/description.txt

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/description.txt

rename to testing/tests/ikev2-stroke-bye/dpd-hold/description.txt
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat

rename to testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat

rename to testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/test.conf

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/test.conf

rename to testing/tests/ikev2-stroke-bye/dpd-hold/test.conf
diff --git a/testing/tests/ikev2/farp/description.txt b/testing/tests/ikev2-stroke-bye/farp/description.txt

similarity index 100%

rename from testing/tests/ikev2/farp/description.txt

rename to testing/tests/ikev2-stroke-bye/farp/description.txt
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2-stroke-bye/farp/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/farp/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/farp/evaltest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf

similarity index 92%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..0fbefa3fc2f7c2fe6e357f6b108dc6a283163d77 100644 (file)
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
  }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2-stroke-bye/farp/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/posttest.dat

rename to testing/tests/ikev2-stroke-bye/farp/posttest.dat
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2-stroke-bye/farp/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/farp/pretest.dat

rename to testing/tests/ikev2-stroke-bye/farp/pretest.dat
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2-stroke-bye/farp/test.conf

similarity index 100%

rename from testing/tests/ikev2/dynamic-two-peers/test.conf

rename to testing/tests/ikev2-stroke-bye/farp/test.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/description.txt b/testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/description.txt

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/posttest.dat

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/pretest.dat

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/test.conf

rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2-stroke-bye/forecast/description.txt

similarity index 100%

rename from testing/tests/ikev2/forecast/description.txt

rename to testing/tests/ikev2-stroke-bye/forecast/description.txt
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2-stroke-bye/forecast/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/forecast/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/forecast/evaltest.dat
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf

similarity index 92%

rename from testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..0fbefa3fc2f7c2fe6e357f6b108dc6a283163d77 100644 (file)
--- a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
  }
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2-stroke-bye/forecast/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/posttest.dat

rename to testing/tests/ikev2-stroke-bye/forecast/posttest.dat
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2-stroke-bye/forecast/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/forecast/pretest.dat

rename to testing/tests/ikev2-stroke-bye/forecast/pretest.dat
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2-stroke-bye/forecast/test.conf

similarity index 100%

rename from testing/tests/ikev2/forecast/test.conf

rename to testing/tests/ikev2-stroke-bye/forecast/test.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/description.txt

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/posttest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat
diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/pretest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat
diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-connmark/test.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/description.txt

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/posttest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/pretest.dat

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
diff --git a/testing/tests/ikev2/host2host-transport-nat/test.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport-nat/test.conf

rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
diff --git a/testing/tests/ikev2/inactivity-timeout/description.txt b/testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/description.txt

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/posttest.dat

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/pretest.dat

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf

similarity index 100%

rename from testing/tests/ikev2/alg-aes-ccm/test.conf

rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/description.txt

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/lookip/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/lookip/posttest.dat

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/pretest.dat

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf

similarity index 100%

rename from testing/tests/ikev2/farp/test.conf

rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf
diff --git a/testing/tests/ikev2/ip-split-pools-db/description.txt b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/description.txt

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt
diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..c224059
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/posttest.dat

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/pretest.dat

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 88%

rename from testing/tests/swanctl/ip-pool-db/test.conf

rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf

index 5554b46..31820ea
--- a/testing/tests/swanctl/ip-pool-db/test.conf
+++ b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="moon alice"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
@@ -23,7 +23,3 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which databases are used
  #
  DBHOSTS="moon"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/description.txt

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/posttest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/pretest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/test.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/description.txt

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/test.conf

rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf
diff --git a/testing/tests/ikev2/lookip/description.txt b/testing/tests/ikev2-stroke-bye/lookip/description.txt

similarity index 100%

rename from testing/tests/ikev2/lookip/description.txt

rename to testing/tests/ikev2-stroke-bye/lookip/description.txt
diff --git a/testing/tests/ikev2/lookip/evaltest.dat b/testing/tests/ikev2-stroke-bye/lookip/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/lookip/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/lookip/evaltest.dat
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2-stroke-bye/lookip/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/posttest.dat

rename to testing/tests/ikev2-stroke-bye/lookip/posttest.dat
diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2-stroke-bye/lookip/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/lookip/pretest.dat

rename to testing/tests/ikev2-stroke-bye/lookip/pretest.dat
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2-stroke-bye/lookip/test.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/test.conf

rename to testing/tests/ikev2-stroke-bye/lookip/test.conf
diff --git a/testing/tests/ikev2/mobike-nat/description.txt b/testing/tests/ikev2-stroke-bye/mobike-nat/description.txt

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/description.txt

rename to testing/tests/ikev2-stroke-bye/mobike-nat/description.txt
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-nat/evaltest.dat
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/posttest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-nat/posttest.dat
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/pretest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-nat/pretest.dat
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/test.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-nat/test.conf

rename to testing/tests/ikev2-stroke-bye/mobike-nat/test.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/description.txt b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/description.txt

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/description.txt

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/description.txt
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/evaltest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/posttest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/pretest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/test.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/test.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip-nat/test.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/test.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip/description.txt b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/description.txt

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/description.txt

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/description.txt
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/posttest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/posttest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/pretest.dat

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/pretest.dat
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/test.conf

similarity index 100%

rename from testing/tests/ikev2/mobike-virtual-ip/test.conf

rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/test.conf
diff --git a/testing/tests/ikev2/mobike/description.txt b/testing/tests/ikev2-stroke-bye/mobike/description.txt

similarity index 100%

rename from testing/tests/ikev2/mobike/description.txt

rename to testing/tests/ikev2-stroke-bye/mobike/description.txt
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/mobike/evaltest.dat
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike/posttest.dat

rename to testing/tests/ikev2-stroke-bye/mobike/posttest.dat
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/mobike/pretest.dat

rename to testing/tests/ikev2-stroke-bye/mobike/pretest.dat
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2-stroke-bye/mobike/test.conf

similarity index 100%

rename from testing/tests/ikev2/mobike/test.conf

rename to testing/tests/ikev2-stroke-bye/mobike/test.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/description.txt

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/posttest.dat

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/pretest.dat

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/test.conf

rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev1/net2net-ntru-cert/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/net2net-ntru-cert/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat
diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/net2net-ntru-cert/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat
diff --git a/testing/tests/ikev2/net2net-dnscert/test.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/description.txt b/testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt
diff --git a/testing/tests/ikev2/net2net-dnscert/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-dnscert/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat
diff --git a/testing/tests/ikev2/net2net-fragmentation/test.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-fragmentation/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf
diff --git a/testing/tests/swanctl/net2net-multicast/description.txt b/testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt

similarity index 100%

rename from testing/tests/swanctl/net2net-multicast/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat

new file mode 100644 (file)

index 0000000..7649abc
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat
@@ -0,0 +1,16 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
+bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf

similarity index 73%

rename from testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf

index 1c5da7b88bc5c0b46fb01071d41e4f0a8dab07e9..904a5fa6eead003206632123adef745ac7a900be 100644 (file)
--- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
  
    multiple_authentication = no
-
    plugins {
      forecast {
        groups = 224.0.0.251
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf

similarity index 59%

rename from testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf

index 812c12bf94a2cdcc29f2a084d84fef8fc247e2a8..904a5fa6eead003206632123adef745ac7a900be 100644 (file)
--- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,14 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
  
    multiple_authentication = no
-
    plugins {
      forecast {
        groups = 224.0.0.251
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat

new file mode 100644 (file)

index 0000000..dff1817
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat

new file mode 100644 (file)

index 0000000..e777dba
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-multicast/test.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf

similarity index 91%

rename from testing/tests/swanctl/net2net-multicast/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf

index 579978772d375c9f34f8a6a3f3436734b12b1147..48597379a03dc2b823d03040561aab77767486cb 100644 (file)
--- a/testing/tests/swanctl/net2net-multicast/test.conf
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="alice sun bob"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat
diff --git a/testing/tests/ikev1/net2net-ntru-cert/test.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf

similarity index 100%

rename from testing/tests/ikev1/net2net-ntru-cert/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/description.txt b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v3/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/description.txt b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-pgp-v4/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/description.txt b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-dscp/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf
diff --git a/testing/tests/ikev2/net2net-rekey/description.txt b/testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt
diff --git a/testing/tests/ikev2/net2net-rekey/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-fragmentation/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-fragmentation/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat
diff --git a/testing/tests/ikev2/net2net-fragmentation/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-fragmentation/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat
diff --git a/testing/tests/ikev2/net2net-rekey/test.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/description.txt

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/posttest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/pretest.dat

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-same-nets/test.conf

rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf
diff --git a/testing/tests/ikev2/protoport-route/description.txt b/testing/tests/ikev2-stroke-bye/protoport-route/description.txt

similarity index 100%

rename from testing/tests/ikev2/protoport-route/description.txt

rename to testing/tests/ikev2-stroke-bye/protoport-route/description.txt
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/protoport-route/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-sha256/posttest.dat

rename to testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/protoport-route/pretest.dat

rename to testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev2-stroke-bye/protoport-route/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha256/test.conf

rename to testing/tests/ikev2-stroke-bye/protoport-route/test.conf
diff --git a/testing/tests/ikev2/reauth-early/description.txt b/testing/tests/ikev2-stroke-bye/reauth-early/description.txt

similarity index 100%

rename from testing/tests/ikev2/reauth-early/description.txt

rename to testing/tests/ikev2-stroke-bye/reauth-early/description.txt
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-early/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-sha384/posttest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-early/pretest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev2-stroke-bye/reauth-early/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha384/test.conf

rename to testing/tests/ikev2-stroke-bye/reauth-early/test.conf
diff --git a/testing/tests/ikev2/reauth-late/description.txt b/testing/tests/ikev2-stroke-bye/reauth-late/description.txt

similarity index 100%

rename from testing/tests/ikev2/reauth-late/description.txt

rename to testing/tests/ikev2-stroke-bye/reauth-late/description.txt
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-late/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-sha512/posttest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-late/pretest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev2-stroke-bye/reauth-late/test.conf

similarity index 100%

rename from testing/tests/ikev1/alg-sha512/test.conf

rename to testing/tests/ikev2-stroke-bye/reauth-late/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/description.txt

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/posttest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat
diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/dpd-hold/pretest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-ccm/test.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-sha256/pretest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-ctr/test.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/description.txt

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat

similarity index 100%

rename from testing/tests/ikev1/alg-sha384/pretest.dat

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gcm/test.conf

rename to testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..b31a468
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf

similarity index 51%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf

index 653488a6655f3fa65b2ba4608512b4f4cb0edab8..81d2c8e74ac89c03bea2add5e6e45146699461a6 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
  
    plugins {
      eap-simaka-sql {
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf

similarity index 51%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf

index 653488a6655f3fa65b2ba4608512b4f4cb0edab8..81d2c8e74ac89c03bea2add5e6e45146699461a6 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
  
    plugins {
      eap-simaka-sql {
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat

similarity index 68%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat

index 6356b88474dda56f0aa736f0b8dfa37e5b048ea7..e3d7998a95e45432a65f003d15ef1a280eb1ba04 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat
@@ -2,9 +2,8 @@ moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
  moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-dynamic/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf

similarity index 90%

rename from testing/tests/swanctl/rw-eap-md5-rsa/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf

index 97b89cb611f3c503b17a66dd80ef8258006eada8..e093d43d831fc7d7af507f590d5046de2ffde70a 100644 (file)
--- a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/description.txt b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt
diff --git a/testing/tests/ikev2/rw-ntru-psk/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat
diff --git a/testing/tests/ikev2/lookip/test.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 52%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat

index 3d37a86..ee5bc7c
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
@@ -1,11 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-psk-fqdn/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 91%

rename from testing/tests/swanctl/rw-psk-fqdn/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf

index 1227b9d..f292988
--- a/testing/tests/swanctl/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat
diff --git a/testing/tests/swanctl/rw-psk-ipv4/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 91%

rename from testing/tests/swanctl/rw-psk-ipv4/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf

index 1227b9d..f292988
--- a/testing/tests/swanctl/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat

similarity index 84%

rename from testing/tests/ikev1/dynamic-two-peers/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat

index 119c8e45a6ff6055435ca9cdb37a60cc461b019b..1865a1c60eb1dcb5867d6c1d9bf6605f054c4757 100644 (file)
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
@@ -1,7 +1,6 @@
+moon::ipsec stop
  carol::ipsec stop
  dave::ipsec stop
-moon::ipsec stop
-moon::mv /etc/hosts.ori /etc/hosts
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat
diff --git a/testing/tests/swanctl/rw-psk-ppk/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 91%

rename from testing/tests/swanctl/rw-psk-ppk/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf

index 1227b9d..f292988
--- a/testing/tests/swanctl/rw-psk-ppk/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-radius-accounting/description.txt b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat

similarity index 84%

rename from testing/tests/ikev2/dynamic-two-peers/posttest.dat

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat

index 119c8e45a6ff6055435ca9cdb37a60cc461b019b..1865a1c60eb1dcb5867d6c1d9bf6605f054c4757 100644 (file)
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
@@ -1,7 +1,6 @@
+moon::ipsec stop
  carol::ipsec stop
  dave::ipsec stop
-moon::ipsec stop
-moon::mv /etc/hosts.ori /etc/hosts
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf
diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/description.txt

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat

new file mode 100644 (file)

index 0000000..b757d8b
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/pretest.dat

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/test.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-ntru-psk/test.conf

rename to testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf
diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2-stroke-bye/trap-any/description.txt

similarity index 100%

rename from testing/tests/ikev2/trap-any/description.txt

rename to testing/tests/ikev2-stroke-bye/trap-any/description.txt
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/trap-any/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2-stroke-bye/trap-any/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/trap-any/posttest.dat

rename to testing/tests/ikev2-stroke-bye/trap-any/posttest.dat
diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2-stroke-bye/trap-any/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/trap-any/pretest.dat

rename to testing/tests/ikev2-stroke-bye/trap-any/pretest.dat
diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2-stroke-bye/trap-any/test.conf

similarity index 100%

rename from testing/tests/ikev2/trap-any/test.conf

rename to testing/tests/ikev2-stroke-bye/trap-any/test.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/description.txt b/testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/description.txt

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt
diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat

new file mode 100644 (file)

index 0000000..bdbe341
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/test.conf

rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf
diff --git a/testing/tests/ikev2/wildcards/description.txt b/testing/tests/ikev2-stroke-bye/wildcards/description.txt

similarity index 100%

rename from testing/tests/ikev2/wildcards/description.txt

rename to testing/tests/ikev2-stroke-bye/wildcards/description.txt
diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/wildcards/evaltest.dat

rename to testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/wildcards/posttest.dat b/testing/tests/ikev2-stroke-bye/wildcards/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/wildcards/posttest.dat

rename to testing/tests/ikev2-stroke-bye/wildcards/posttest.dat
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2-stroke-bye/wildcards/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/wildcards/pretest.dat

rename to testing/tests/ikev2-stroke-bye/wildcards/pretest.dat
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2-stroke-bye/wildcards/test.conf

similarity index 100%

rename from testing/tests/ikev1/multi-level-ca-cr-init/test.conf

rename to testing/tests/ikev2-stroke-bye/wildcards/test.conf
diff --git a/testing/tests/ikev2-stroke/.gitignore b/testing/tests/ikev2-stroke/.gitignore

new file mode 100644 (file)

index 0000000..f8443fe
--- /dev/null
+++ b/testing/tests/ikev2-stroke/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev2/config-payload-swapped/description.txt b/testing/tests/ikev2-stroke/config-payload-swapped/description.txt

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/description.txt

rename to testing/tests/ikev2-stroke/config-payload-swapped/description.txt
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/evaltest.dat

rename to testing/tests/ikev2-stroke/config-payload-swapped/evaltest.dat
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat

new file mode 100644 (file)

index 0000000..bdbe341
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2-stroke/config-payload-swapped/test.conf

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/test.conf

rename to testing/tests/ikev2-stroke/config-payload-swapped/test.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/description.txt b/testing/tests/ikev2-stroke/config-payload/description.txt

new file mode 100644 (file)

index 0000000..d0a1f02
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload by using the <b>leftsourceip=%config</b> parameter.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2-stroke/config-payload/evaltest.dat b/testing/tests/ikev2-stroke/config-payload/evaltest.dat

new file mode 100644 (file)

index 0000000..9471f88
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf

similarity index 92%

rename from testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..0fbefa3fc2f7c2fe6e357f6b108dc6a283163d77 100644 (file)
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
  }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b8817fe
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev2-stroke/config-payload/posttest.dat b/testing/tests/ikev2-stroke/config-payload/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/config-payload/pretest.dat b/testing/tests/ikev2-stroke/config-payload/pretest.dat

new file mode 100644 (file)

index 0000000..bdbe341
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2-stroke/config-payload/test.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/test.conf

rename to testing/tests/ikev2-stroke/config-payload/test.conf
diff --git a/testing/tests/ikev2-stroke/host2host-cert/description.txt b/testing/tests/ikev2-stroke/host2host-cert/description.txt

new file mode 100644 (file)

index 0000000..876aa79
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat b/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat

new file mode 100644 (file)

index 0000000..e0c40ba
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/host2host-cert/posttest.dat b/testing/tests/ikev2-stroke/host2host-cert/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-cert/pretest.dat b/testing/tests/ikev2-stroke/host2host-cert/pretest.dat

new file mode 100644 (file)

index 0000000..36a8423
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/ikev2-stroke/host2host-cert/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 90%

rename from testing/tests/swanctl/host2host-cert/test.conf

rename to testing/tests/ikev2-stroke/host2host-cert/test.conf

index 52d886d..55d6e9f
--- a/testing/tests/swanctl/host2host-cert/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-cert/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="moon winnetou sun"
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-swapped/description.txt b/testing/tests/ikev2-stroke/host2host-swapped/description.txt

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/description.txt

rename to testing/tests/ikev2-stroke/host2host-swapped/description.txt
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat b/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat

new file mode 100644 (file)

index 0000000..e0c40ba
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat b/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat b/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat

new file mode 100644 (file)

index 0000000..36a8423
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2-stroke/host2host-swapped/test.conf

similarity index 78%

rename from testing/tests/ikev2/multi-level-ca-revoked/test.conf

rename to testing/tests/ikev2-stroke/host2host-swapped/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..55d6e9fd6a95f1a7a72167dd26833e2147916444 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-swapped/test.conf
@@ -5,17 +5,17 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="moon winnetou sun"
  
  # Corresponding block diagram
  #
-DIAGRAM="m-c-w.png"
-
+DIAGRAM="m-w-s.png"
+ 
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2-stroke/host2host-transport/description.txt b/testing/tests/ikev2-stroke/host2host-transport/description.txt

new file mode 100644 (file)

index 0000000..fe3482c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat b/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat

new file mode 100644 (file)

index 0000000..98251d1
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/host2host-transport/posttest.dat b/testing/tests/ikev2-stroke/host2host-transport/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-transport/pretest.dat b/testing/tests/ikev2-stroke/host2host-transport/pretest.dat

new file mode 100644 (file)

index 0000000..36a8423
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/test.conf b/testing/tests/ikev2-stroke/host2host-transport/test.conf

similarity index 78%

rename from testing/tests/ikev2/multi-level-ca-skipped/test.conf

rename to testing/tests/ikev2-stroke/host2host-transport/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..5a286c84fec00c3d4fff1c05aab883dae7ff1778 100644 (file)
--- a/testing/tests/ikev2/multi-level-ca-skipped/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-transport/test.conf
@@ -5,17 +5,17 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon carol winnetou"
-
+VIRTHOSTS="moon winnetou sun"
+ 
  # Corresponding block diagram
  #
-DIAGRAM="m-c-w.png"
+DIAGRAM="m-w-s.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/description.txt b/testing/tests/ikev2-stroke/ip-pool-db/description.txt

new file mode 100644 (file)

index 0000000..7391344
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload by using the <b>leftsourceip=%config</b> parameter. <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat b/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat

new file mode 100644 (file)

index 0000000..925e9a1
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat
@@ -0,0 +1,38 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0fbefa3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..c224059
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat b/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat

new file mode 100644 (file)

index 0000000..37436a3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat b/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat

new file mode 100644 (file)

index 0000000..c422045
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat
@@ -0,0 +1,17 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/test.conf b/testing/tests/ikev2-stroke/ip-pool-db/test.conf

new file mode 100644 (file)

index 0000000..31820ea
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/swanctl/rw-dnssec/description.txt b/testing/tests/ikev2-stroke/ip-pool/description.txt

similarity index 55%

rename from testing/tests/swanctl/rw-dnssec/description.txt

rename to testing/tests/ikev2-stroke/ip-pool/description.txt

index 0135f078c6024cc05211edcb6fd3105c79e3f5e5..6dbf1b26056653979b0aef4527d368c6a2d80a74 100644 (file)
--- a/testing/tests/swanctl/rw-dnssec/description.txt
+++ b/testing/tests/ikev2-stroke/ip-pool/description.txt
@@ -1,10 +1,11 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
-resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
-</p>
  Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+by using the <b>leftsourceip=%config</b> parameter. <b>moon</b> assigns virtual IP addresses
+from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
  tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
-<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
-and <b>dave1</b>, respectively.
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>10.3.0.1</b>
+and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2-stroke/ip-pool/evaltest.dat b/testing/tests/ikev2-stroke/ip-pool/evaltest.dat

new file mode 100644 (file)

index 0000000..7de5903
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool/evaltest.dat
@@ -0,0 +1,30 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool/posttest.dat b/testing/tests/ikev2-stroke/ip-pool/posttest.dat

new file mode 100644 (file)

index 0000000..b757d8b
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2-stroke/ip-pool/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/pretest.dat

rename to testing/tests/ikev2-stroke/ip-pool/pretest.dat
diff --git a/testing/tests/swanctl/rw-dnssec/test.conf b/testing/tests/ikev2-stroke/ip-pool/test.conf

similarity index 91%

rename from testing/tests/swanctl/rw-dnssec/test.conf

rename to testing/tests/ikev2-stroke/ip-pool/test.conf

index a542d037ed56442e8f40156a1baa17c18f2b041e..164b07ff9761f484661799c906b1a3792c30b9a5 100644 (file)
--- a/testing/tests/swanctl/rw-dnssec/test.conf
+++ b/testing/tests/ikev2-stroke/ip-pool/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon alice"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/ikev2-stroke/ip-two-pools-db/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 53%

rename from testing/tests/swanctl/ip-two-pools-db/description.txt

rename to testing/tests/ikev2-stroke/ip-two-pools-db/description.txt

index 4bad7b1..188b434
--- a/testing/tests/swanctl/ip-two-pools-db/description.txt
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/description.txt
@@ -1,14 +1,14 @@
  The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
-to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
-from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
-[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
-IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
-the <b>eth1</b> (PH_IP_MOON1) interface.
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b> 
+with the <b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual
+IP addresses from a pool named <b>extpool</b> [10.3.0.1..10.3.1.244] to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a pool named <b>intpool</b>
+[10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
  Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
  respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
  respectively.
-<p>
-By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
+<p> 
+By defining the composite IPsec SA: <b>rightsubnet=10.3.0.0/16,10.4.0.0/16</b>, each of the four
  spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
  demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
  of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat

new file mode 100644 (file)

index 0000000..cf7ce20
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,43 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f0b74a7
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1664d55
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..729db45
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 81%

rename from testing/tests/swanctl/ip-two-pools-db/posttest.dat

rename to testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat

index 526a132..dd4abeb
--- a/testing/tests/swanctl/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat
@@ -1,13 +1,13 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
-moon::systemctl stop strongswan
+alice::ipsec stop
+venus::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-alice::iptables-restore < /etc/iptables.flush
-venus::iptables-restore < /etc/iptables.flush
  moon::ip route del 10.3.0.0/16 via PH_IP_MOON
  moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
  moon::ipsec pool --del extpool 2> /dev/null
@@ -15,4 +15,3 @@ moon::ipsec pool --del intpool 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
-
diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 75%

rename from testing/tests/swanctl/ip-two-pools-db/pretest.dat

rename to testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat

index bddc456..927de7d
--- a/testing/tests/swanctl/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat
@@ -8,23 +8,23 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
  moon::ipsec pool --statusattr 2> /dev/null
  moon::ip route add 10.3.0.0/16 via PH_IP_MOON
  moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-alice::iptables-restore < /etc/iptables.rules
-venus::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+moon::ipsec start
+alice::ipsec start
+venus::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection int
  moon::expect-connection ext
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
  alice::expect-connection home
-alice::swanctl --initiate --child home 2> /dev/null
+alice::ipsec up home
  venus::expect-connection home
-venus::swanctl --initiate --child home 2> /dev/null
+venus::ipsec up home
diff --git a/testing/tests/swanctl/ip-two-pools-db/test.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 92%

rename from testing/tests/swanctl/ip-two-pools-db/test.conf

rename to testing/tests/ikev2-stroke/ip-two-pools-db/test.conf

index 9394e02..167c75d
--- a/testing/tests/swanctl/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/test.conf
@@ -23,7 +23,3 @@ IPSECHOSTS="alice venus moon carol dave"
  # Guest instances on which databases are used
  #
  DBHOSTS="moon"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/description.txt b/testing/tests/ikev2-stroke/ip-two-pools/description.txt

new file mode 100644 (file)

index 0000000..45b84f1
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload by using the
+<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
+addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
+by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat b/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat

new file mode 100644 (file)

index 0000000..b620538
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..952df5e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf

similarity index 89%

rename from testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf

index 14cd6e43c699fb117bcf47d0857de83fb03cb1eb..93f4345989bc7279b58f86fe0e24dbb744c7d911 100644 (file)
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,4 @@
  
  charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  fragment_size = 1024
  }
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat b/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat

new file mode 100644 (file)

index 0000000..e4b0436
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat b/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat

new file mode 100644 (file)

index 0000000..8fb8dfb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+alice::ipsec start
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::ipsec up home
+alice::expect-connection home
+alice::ipsec up home
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/test.conf b/testing/tests/ikev2-stroke/ip-two-pools/test.conf

new file mode 100644 (file)

index 0000000..1ed3473
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-two-pools/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/ikev2-stroke/nat-rw-psk/description.txt

similarity index 58%

rename from testing/tests/swanctl/nat-rw-psk/description.txt

rename to testing/tests/ikev2-stroke/nat-rw-psk/description.txt

index 7754c7f395fa0772ee68c8b863d76aca2121df33..c92573d72d281c3c5242ee111784b47cc65bcf58 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/description.txt
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/description.txt
@@ -2,7 +2,6 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>
  tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
  Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
  <p/>
-Upon the successful establishment of the IPsec tunnels, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping the client <b>bob</b> behind the gateway <b>sun</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel,
+the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat

new file mode 100644 (file)

index 0000000..fbcb631
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f6cb39c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f6cb39c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f6cb39c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat

similarity index 62%

rename from testing/tests/swanctl/nat-rw/posttest.dat

rename to testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat

index 5f390cd62cde61669d9e4fd519b6bfc8c03273ca..bc7d2377107607c7beee6e0dc4d2d21556278cec 100644 (file)
--- a/testing/tests/swanctl/nat-rw/posttest.dat
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat
@@ -1,6 +1,6 @@
-sun::systemctl stop strongswan
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
  alice::iptables-restore < /etc/iptables.flush
  venus::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat

similarity index 57%

rename from testing/tests/swanctl/nat-rw-psk/pretest.dat

rename to testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat

index 105c42fa529a429d5a68a45e66a1342ef9667f67..1798d27b5a47df5d188b8b9656e5351daad74e91 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat
@@ -1,16 +1,16 @@
  alice::iptables-restore < /etc/iptables.rules
  venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
-venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
-sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
  sun::expect-connection nat-t
  alice::expect-connection nat-t
-alice::swanctl --initiate --child nat-t
+alice::ipsec up nat-t
  venus::expect-connection nat-t
-venus::swanctl --initiate --child nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/ikev2-stroke/nat-rw-psk/test.conf

similarity index 91%

rename from testing/tests/swanctl/nat-rw/test.conf

rename to testing/tests/ikev2-stroke/nat-rw-psk/test.conf

index ecc95b837581aaf93af77826f00a6a4fba9bbbd1..f515d4bc7320398fc86e982ecd05e676e602c262 100644 (file)
--- a/testing/tests/swanctl/nat-rw/test.conf
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/ikev2-stroke/nat-rw/description.txt

similarity index 55%

rename from testing/tests/swanctl/nat-rw/description.txt

rename to testing/tests/ikev2-stroke/nat-rw/description.txt

index 1ee91b74ddafbeb66f1a910332fb9253eb1f359e..e657389c93b0f015dc3b582518907e3265abf16e 100644 (file)
--- a/testing/tests/swanctl/nat-rw/description.txt
+++ b/testing/tests/ikev2-stroke/nat-rw/description.txt
@@ -2,7 +2,6 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>
  tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
  Authentication is based on X.509 certificates.
  <p/>
-Upon the successful establishment of the IPsec tunnels, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping the client <b>bob</b> behind the gateway <b>sun</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel,
+the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2-stroke/nat-rw/evaltest.dat b/testing/tests/ikev2-stroke/nat-rw/evaltest.dat

new file mode 100644 (file)

index 0000000..2d265b0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf

similarity index 89%

rename from testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf

index 55a6df151fc732a6a37fedce4383a0d13c066242..9d07c88e40d04298e0018e9385b871f491ebda24 100644 (file)
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,6 @@
  
  charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  send_vendor_id = yes
+
+  keep_alive = 5
  }
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules

rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf

similarity index 89%

rename from testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf

index 14cd6e43c699fb117bcf47d0857de83fb03cb1eb..93f4345989bc7279b58f86fe0e24dbb744c7d911 100644 (file)
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,4 @@
  
  charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  fragment_size = 1024
  }
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9d07c88
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev2-stroke/nat-rw/posttest.dat b/testing/tests/ikev2-stroke/nat-rw/posttest.dat

new file mode 100644 (file)

index 0000000..bc7d237
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/posttest.dat
@@ -0,0 +1,7 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2-stroke/nat-rw/pretest.dat

similarity index 63%

rename from testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat

rename to testing/tests/ikev2-stroke/nat-rw/pretest.dat

index 928a954a87aa24d0b50e466bde5a26909fc2e37d..36d23b5704d593683a62caf30834163525d9ea02 100644 (file)
--- a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/ikev2-stroke/nat-rw/pretest.dat
@@ -1,11 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
  sun::expect-connection nat-t
  alice::expect-connection nat-t
+alice::ipsec up nat-t
  venus::expect-connection nat-t
-alice::swanctl --initiate --child nat-t 2> /dev/null
-venus::swanctl --initiate --child nat-t 2> /dev/null
+venus::ipsec up nat-t
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2-stroke/nat-rw/test.conf

similarity index 86%

rename from testing/tests/swanctl/shunt-policies-nat-rw/test.conf

rename to testing/tests/ikev2-stroke/nat-rw/test.conf

index 34b0ba165569f481502bc35cf33235c0204c68c2..f515d4bc7320398fc86e982ecd05e676e602c262 100644 (file)
--- a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/test.conf
@@ -13,13 +13,9 @@ DIAGRAM="a-v-m-w-s-b.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="alice moon"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-cert/description.txt b/testing/tests/ikev2-stroke/net2net-cert/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 66%

rename from testing/tests/swanctl/net2net-cert/description.txt

rename to testing/tests/ikev2-stroke/net2net-cert/description.txt

index 345769a..1617634
--- a/testing/tests/swanctl/net2net-cert/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-cert/description.txt
@@ -1,6 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, the updown script automatically
+The authentication is based on <b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat b/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat

new file mode 100644 (file)

index 0000000..fe4aa5a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..2cb7f03
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+  signature_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..2cb7f03
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+  signature_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat b/testing/tests/ikev2-stroke/net2net-cert/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat

rename to testing/tests/ikev2-stroke/net2net-cert/posttest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2-stroke/net2net-cert/pretest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat

rename to testing/tests/ikev2-stroke/net2net-cert/pretest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2-stroke/net2net-cert/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-bandwidth/test.conf

rename to testing/tests/ikev2-stroke/net2net-cert/test.conf
diff --git a/testing/tests/ikev2/net2net-fragmentation/description.txt b/testing/tests/ikev2-stroke/net2net-psk/description.txt

similarity index 66%

rename from testing/tests/ikev2/net2net-fragmentation/description.txt

rename to testing/tests/ikev2-stroke/net2net-psk/description.txt

index 1f63c963829621a8fd6eb335c4b79349940ab6a6..07320d7313208164d3d38bf27ce1b8b18ee84be6 100644 (file)
--- a/testing/tests/ikev2/net2net-fragmentation/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-psk/description.txt
@@ -1,7 +1,5 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. The IKEv2 fragmentation protocol
-defined in <b>RFC 7383</b> prevents the IP fragmentation of the IKEv2 messages carrying the
-large X.509 certificates.
+The authentication is based on <b>Preshared Keys</b> (PSK).
  <p/>
  Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat b/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat

new file mode 100644 (file)

index 0000000..fe4aa5a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1188d68
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..1188d68
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-psk/posttest.dat b/testing/tests/ikev2-stroke/net2net-psk/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-rekey/pretest.dat b/testing/tests/ikev2-stroke/net2net-psk/pretest.dat

similarity index 76%

rename from testing/tests/ikev2/net2net-rekey/pretest.dat

rename to testing/tests/ikev2-stroke/net2net-psk/pretest.dat

index bcc2cb04d8345f2e2f143d3f7cab03625ff95f8a..c7e2c61623d24a9f86754265649e66c46a897cc2 100644 (file)
--- a/testing/tests/ikev2/net2net-rekey/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-psk/pretest.dat
@@ -1,5 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
  sun::ipsec start
  moon::ipsec start
  sun::expect-connection net-net
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2-stroke/net2net-psk/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/test.conf

rename to testing/tests/ikev2-stroke/net2net-psk/test.conf
diff --git a/testing/tests/swanctl/net2net-route/description.txt b/testing/tests/ikev2-stroke/net2net-route/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 86%

rename from testing/tests/swanctl/net2net-route/description.txt

rename to testing/tests/ikev2-stroke/net2net-route/description.txt

index 20640ef..323f095
--- a/testing/tests/swanctl/net2net-route/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-route/description.txt
@@ -5,5 +5,5 @@ A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
  <b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
  leads to the automatic establishment of the subnet-to-subnet tunnel.
  <p>
-The updown script automatically inserts iptables-based firewall rules
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
  that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-route/evaltest.dat b/testing/tests/ikev2-stroke/net2net-route/evaltest.dat

new file mode 100644 (file)

index 0000000..3b247fd
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-route/posttest.dat b/testing/tests/ikev2-stroke/net2net-route/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2-stroke/net2net-route/pretest.dat

similarity index 82%

rename from testing/tests/ikev2/net2net-ntru-cert/pretest.dat

rename to testing/tests/ikev2-stroke/net2net-route/pretest.dat

index bcc2cb04d8345f2e2f143d3f7cab03625ff95f8a..57dc45f996d099346d355c9356e167d66c36e423 100644 (file)
--- a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-route/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
  moon::ipsec start
-sun::expect-connection net-net
+sun::ipsec start
  moon::expect-connection net-net
-moon::ipsec up net-net
+sun::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-ntru-cert/test.conf b/testing/tests/ikev2-stroke/net2net-route/test.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-ntru-cert/test.conf

rename to testing/tests/ikev2-stroke/net2net-route/test.conf
diff --git a/testing/tests/ikev2/net2net-rsa/.gitignore b/testing/tests/ikev2-stroke/net2net-rsa/.gitignore

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/.gitignore

rename to testing/tests/ikev2-stroke/net2net-rsa/.gitignore
diff --git a/testing/tests/ikev2/net2net-rsa/description.txt b/testing/tests/ikev2-stroke/net2net-rsa/description.txt

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/description.txt

rename to testing/tests/ikev2-stroke/net2net-rsa/description.txt
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2-stroke/net2net-rsa/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/evaltest.dat

rename to testing/tests/ikev2-stroke/net2net-rsa/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf.in b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.conf.in

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf.in

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.conf.in
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf.in b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.conf.in

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf.in

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.conf.in
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2-stroke/net2net-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/net2net-rsa/posttest.dat

rename to testing/tests/ikev2-stroke/net2net-rsa/posttest.dat
diff --git a/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat b/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat

new file mode 100644 (file)

index 0000000..c7e2c61
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-pubkey/test.conf b/testing/tests/ikev2-stroke/net2net-rsa/test.conf

similarity index 90%

rename from testing/tests/swanctl/net2net-pubkey/test.conf

rename to testing/tests/ikev2-stroke/net2net-rsa/test.conf

index 07a3b247a109aab35d98ae8048598cc3fdee57a4..afa2accbec475802093d715cc101f9e8399c8758 100644 (file)
--- a/testing/tests/swanctl/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2-stroke/net2net-rsa/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-start/description.txt b/testing/tests/ikev2-stroke/net2net-start/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 68%

rename from testing/tests/swanctl/net2net-start/description.txt

rename to testing/tests/ikev2-stroke/net2net-start/description.txt

index 9c67ed6..f532068
--- a/testing/tests/swanctl/net2net-start/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-start/description.txt
@@ -2,5 +2,7 @@ A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
  respectively, is automatically established by means of the setting
  <b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
  behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>. The updown script automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic.
+gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-start/evaltest.dat b/testing/tests/ikev2-stroke/net2net-start/evaltest.dat

new file mode 100644 (file)

index 0000000..5c4aa85
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8d89cd0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-start/posttest.dat b/testing/tests/ikev2-stroke/net2net-start/posttest.dat

new file mode 100644 (file)

index 0000000..1f7aa73
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/ikev2-stroke/net2net-start/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 52%

rename from testing/tests/swanctl/net2net-start/pretest.dat

rename to testing/tests/ikev2-stroke/net2net-start/pretest.dat

index 77a8e1a..b3f3710
--- a/testing/tests/swanctl/net2net-start/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-sun::iptables-restore < /etc/iptables.rules
  moon::iptables-restore < /etc/iptables.rules
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-moon::sleep 0.5
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+moon::sleep 1
diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/ikev2-stroke/net2net-start/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 90%

rename from testing/tests/swanctl/net2net-psk/test.conf

rename to testing/tests/ikev2-stroke/net2net-start/test.conf

index 07a3b24..646b8b3
--- a/testing/tests/swanctl/net2net-psk/test.conf
+++ b/testing/tests/ikev2-stroke/net2net-start/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/protoport-dual/description.txt b/testing/tests/ikev2-stroke/protoport-dual/description.txt

new file mode 100644 (file)

index 0000000..7bed8b9
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/description.txt
@@ -0,0 +1,6 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat b/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat

new file mode 100644 (file)

index 0000000..7d367e3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..93f4345
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev2-stroke/protoport-dual/posttest.dat

similarity index 100%

rename from testing/tests/ikev1/esp-alg-null/posttest.dat

rename to testing/tests/ikev2-stroke/protoport-dual/posttest.dat
diff --git a/testing/tests/ikev2-stroke/protoport-dual/pretest.dat b/testing/tests/ikev2-stroke/protoport-dual/pretest.dat

new file mode 100644 (file)

index 0000000..02f4aa8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-icmp
+moon::expect-connection rw-ssh
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
+carol::ipsec up home-icmp
+carol::ipsec up home-ssh
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2-stroke/protoport-dual/test.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-aes-gmac/test.conf

rename to testing/tests/ikev2-stroke/protoport-dual/test.conf
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/ikev2-stroke/rw-cert/description.txt

old mode 100755 (executable)

new mode 100644 (file)

similarity index 80%

rename from testing/tests/swanctl/rw-cert/description.txt

rename to testing/tests/ikev2-stroke/rw-cert/description.txt

index f190c07..15b3822
--- a/testing/tests/swanctl/rw-cert/description.txt
+++ b/testing/tests/ikev2-stroke/rw-cert/description.txt
@@ -1,7 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-<p/>
-Upon the successful establishment of the IPsec tunnels, the updown script
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2-stroke/rw-cert/evaltest.dat b/testing/tests/ikev2-stroke/rw-cert/evaltest.dat

new file mode 100644 (file)

index 0000000..849d59a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..a205dc0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..a205dc0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..8ecdb71
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  integrity_test = yes
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev2-stroke/rw-cert/posttest.dat b/testing/tests/ikev2-stroke/rw-cert/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-cert/pretest.dat b/testing/tests/ikev2-stroke/rw-cert/pretest.dat

new file mode 100644 (file)

index 0000000..e87a8ee
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-newhope-bliss/test.conf b/testing/tests/ikev2-stroke/rw-cert/test.conf

old mode 100755 (executable)

new mode 100644 (file)

similarity index 91%

rename from testing/tests/swanctl/rw-newhope-bliss/test.conf

rename to testing/tests/ikev2-stroke/rw-cert/test.conf

index 1227b9d..f292988
--- a/testing/tests/swanctl/rw-newhope-bliss/test.conf
+++ b/testing/tests/ikev2-stroke/rw-cert/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt

similarity index 87%

rename from testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt

index c39829dd5b992bfb8b572401b0c336e01eed7479..893a272303cf3a095109cced852f0151e56cb009 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt
@@ -4,7 +4,7 @@ an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
  <p/>
  Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
  method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
-This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
  is used instead of a USIM/(R)UIM device.
  <p/>
  In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..25871f8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf

similarity index 54%

rename from testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf

index e0561f3ffd9a738c08935aee70b9a43244ed5b56..364b8c0fc5edc97b8582b11f33fb724d99b7d27c 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
  }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..364b8c0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-3des-md5/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/posttest.dat
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat

similarity index 85%

rename from testing/tests/ikev1/alg-3des-md5/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat

index 6a892fedcfa50f36e6c62beeaa84659263fa3648..1578796a1e1ff1686a4f1e0cd2931c296df74b99 100644 (file)
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat
@@ -1,7 +1,7 @@
-moon::ipsec start
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::expect-connection rw
+moon::ipsec start
  carol::ipsec start
+moon::expect-connection rw-eap
  carol::expect-connection home
  carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf

similarity index 90%

rename from testing/tests/swanctl/rw-eap-aka-rsa/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf

index 97b89cb611f3c503b17a66dd80ef8258006eada8..e093d43d831fc7d7af507f590d5046de2ffde70a 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt

similarity index 76%

rename from testing/tests/swanctl/rw-eap-aka-rsa/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt

index 0138e35f5a15c93943a9119775cb0754975a0012..da5b72735e854db92cd4d5cba3de2353cea53e0b 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt
@@ -4,5 +4,5 @@ an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
  <p/>
  Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
  method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
-This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
-is used instead of a USIM/(R)UIM device.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
+\ No newline at end of file
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..795164c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..a919d68
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+
+  integrity_test = yes
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..a919d68
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+
+  integrity_test = yes
+}
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-aes-ccm/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/posttest.dat
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat

new file mode 100644 (file)

index 0000000..ee46730
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap-aka
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf

similarity index 90%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf

index 97b89cb611f3c503b17a66dd80ef8258006eada8..e093d43d831fc7d7af507f590d5046de2ffde70a 100644 (file)
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt

new file mode 100644 (file)

index 0000000..a1512ca
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
+The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
+and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..60a5a77
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

index 2057b51936b6ddb77451a8f14257a2915fadcb10..1dc69d90dcfbab9046975e72aa544224e542466d 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -8,10 +8,10 @@ listen {
  
  authorize {
    preprocess
-  files
    eap {
      ok = return
    }
+  files
    expiration
    logintime
  }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 97%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default

index dd0825858a93e712edee8ab89bc7c2a937577d76..a67a5dcb42a28a43afeb359ad4a9ed4d5f87bdd8 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,5 +1,4 @@
  authorize {
-  suffix
    eap {
      ok = return
    }
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0250ce3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf

similarity index 63%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf

index b18ba6809299af590f0621d9c3283e30b5930613..3a8d5c20c2850c3d9a8cca2bf3820e62f481121f 100644 (file)
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
  
    plugins {
      eap-radius {
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat

similarity index 82%

rename from testing/tests/ikev2/alg-sha512/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..4361417fd1df1686627e8a5dc2ced483a993c44b 100644 (file)
--- a/testing/tests/ikev2/alg-sha512/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat
@@ -1,4 +1,5 @@
  moon::ipsec stop
  carol::ipsec stop
+alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat

new file mode 100644 (file)

index 0000000..012323f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-md5-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf

index 0d9e9f3d437913f8521bc332836a6a94db23a760..eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7 100644 (file)
--- a/testing/tests/swanctl/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt

new file mode 100644 (file)

index 0000000..12bdc9f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
+The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
+and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..f3e5aa0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f399dfb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6d37fbb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat

similarity index 82%

rename from testing/tests/ikev2/alg-sha256-96/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..4361417fd1df1686627e8a5dc2ced483a993c44b 100644 (file)
--- a/testing/tests/ikev2/alg-sha256-96/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat
@@ -1,4 +1,5 @@
  moon::ipsec stop
  carol::ipsec stop
+alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat

new file mode 100644 (file)

index 0000000..012323f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf

index 0d9e9f3d437913f8521bc332836a6a94db23a760..eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-rsa/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..d4617bf
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f399dfb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f399dfb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-aes-ctr/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat

similarity index 85%

rename from testing/tests/ikev1/alg-sha512/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat

index e34f702774cb13b083ed4e9cdf73a25c95810624..1578796a1e1ff1686a4f1e0cd2931c296df74b99 100644 (file)
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  moon::ipsec start
  carol::ipsec start
-moon::expect-connection rw
+moon::expect-connection rw-eap
  carol::expect-connection home
  carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf

similarity index 90%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf

index 97b89cb611f3c503b17a66dd80ef8258006eada8..e093d43d831fc7d7af507f590d5046de2ffde70a 100644 (file)
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..e72426b
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..51eaacb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..51eaacb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-aes-gcm/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat

similarity index 85%

rename from testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat

index e34f702774cb13b083ed4e9cdf73a25c95810624..1578796a1e1ff1686a4f1e0cd2931c296df74b99 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  moon::ipsec start
  carol::ipsec start
-moon::expect-connection rw
+moon::expect-connection rw-eap
  carol::expect-connection home
  carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf

new file mode 100644 (file)

index 0000000..e093d43
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-md5/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-md5/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/description.txt
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat

similarity index 54%

rename from testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat

index 247aabe179fca35b7ef10fc6aed9668c48879ce3..c7884ee0e469f632262ad8da4bc7f185589852db 100644 (file)
--- a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat
@@ -10,8 +10,14 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..80cd79e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..80cd79e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6a81b47
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  multiple_authentication=no
+
+  plugins {
+    eap-peap {
+      phase2_method = md5
+      phase2_piggyback = yes
+   }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat

new file mode 100644 (file)

index 0000000..dccf854
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf

new file mode 100644 (file)

index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/description.txt
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat

similarity index 55%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat

index 1093e51ada966f81de5b991af6ed396dbb9cb169..6ba3e10e9068d8d8fb781834c179b06d6aa358d2 100644 (file)
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d3f333d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..d3f333d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b694c60
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  multiple_authentication=no
+  plugins {
+    eap-peap {
+      phase2_method = mschapv2
+   }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat

new file mode 100644 (file)

index 0000000..dccf854
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf

new file mode 100644 (file)

index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt

new file mode 100644 (file)

index 0000000..89db03a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-PEAP</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat

similarity index 56%

rename from testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat

index 291e249da9447a12b1bfd164f1ccaf72b93209fd..edfb7cdddadd2e3bf5fcbc6db6aa421d1b32a010 100644 (file)
--- a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf

similarity index 74%

rename from testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf

index a3837a4ceb1cabdc1ef38b9f033d689cd117a8c8..c8c3f856272f84c9bc3296eb124dfbd9c7471260 100644 (file)
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  send_vendor_id = yes
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  multiple_authentication=no
  }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..c8c3f85
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9681551
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat

similarity index 62%

rename from testing/tests/swanctl/rw-eap-peap-radius/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat

index a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd..a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2 100644 (file)
--- a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat
@@ -1,6 +1,6 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat

new file mode 100644 (file)

index 0000000..c98e8ed
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-ttls-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf

index 0e5512b655038f627d97147d23dc21852a74b066..20d5863094b871ee000fd4e7acadccad31ad31fa 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..e7d9786
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 72%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf

index 23cba8d11b7e26049e9c9689c4d1f91f511d13c9..783587b55650c042a2f38ffe550a6a0895324c55 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -1,4 +1,4 @@
-realm strongswan.org {
+realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf

similarity index 54%

rename from testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf

index 369c2946fb2362bfc56e6791daf8eeb4d7f911fd..51614f7163eff75ed329d582d27c2fe2aa253444 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
  }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..3a8d5c2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat

similarity index 82%

rename from testing/tests/ikev2/alg-sha256/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..4361417fd1df1686627e8a5dc2ced483a993c44b 100644 (file)
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat
@@ -1,4 +1,5 @@
  moon::ipsec stop
  carol::ipsec stop
+alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat

new file mode 100644 (file)

index 0000000..53aa83f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-tls-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf

index 0d9e9f3d437913f8521bc332836a6a94db23a760..eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7 100644 (file)
--- a/testing/tests/swanctl/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..8502d7a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 81%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default

index 51b64a74b38ed4c4fb93a5e084029e4e7495ae47..8d68b81fc22fa26562fcd841f30132040f242d9e 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,7 +1,4 @@
  authorize {
-  preprocess
-  chap
-  mschap
    files
    suffix
    update reply {
@@ -18,24 +15,9 @@ authorize {
    eap {
      ok = return
    }
-  unix
-  files
-  expiration
-  logintime
-  pap
  }
  
  authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
    eap
  }
  
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..195893a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..195893a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6725cf8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat

similarity index 62%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat

index a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd..a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat
@@ -1,6 +1,6 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat

similarity index 52%

rename from testing/tests/swanctl/rw-eap-sim-radius/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat

index 867c7248c1397cbc139f7e68296cb569fd0f7275..04b824def890b54747449236771e0693f13f1995 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat
@@ -1,16 +1,20 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
  carol::cat /etc/ipsec.d/triplets.dat
  dave::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-sim-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf

index 93f23f1d6e462d03ce8f9c87ada1f3b3d688a174..29bfaa78c964e9030691c0bfac7b7d3906d547f7 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-radius/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..0c9c2b4
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf

similarity index 57%

rename from testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf

index cbfd676a49256af9ff24f4dbd990e005f7c671ca..e78434f8f8c80c7a2b81f13af566b4f603b16322 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf

similarity index 57%

rename from testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf

index 8cbe58f19a38612ab76aba57c4b08ccad2e5357c..e78434f8f8c80c7a2b81f13af566b4f603b16322 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..6d37fbb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat

new file mode 100644 (file)

index 0000000..a6619d0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat

similarity index 52%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat

index 867c7248c1397cbc139f7e68296cb569fd0f7275..e171997bc39575a68d4db895a866c4b63f1e4948 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat
@@ -1,16 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
  carol::cat /etc/ipsec.d/triplets.dat
  dave::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf

index 93f23f1d6e462d03ce8f9c87ada1f3b3d688a174..42d23a50bb5d79ce79b974f1fafd7091e94f3dbe 100644 (file)
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf
@@ -23,7 +23,3 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which FreeRadius is started
  #
  RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-rsa/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat

new file mode 100644 (file)

index 0000000..17e3157
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf

similarity index 52%

rename from testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf

index fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa..e652c52d7d564ad698c978d557ae37537cd193b3 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
  
-  keep_alive = 5
+  integrity_test = yes
  }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf

similarity index 52%

rename from testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf

index fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa..0015835136c32a2e042075feba1a24f9de720b16 100644 (file)
--- a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
  
-  keep_alive = 5
+  integrity_test = yes
  }
+
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-aes-xcbc/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/posttest.dat
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat

new file mode 100644 (file)

index 0000000..71cab1f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/ipsec.d/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap-sim
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf

new file mode 100644 (file)

index 0000000..e093d43
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/rw-eap-tls-only/description.txt b/testing/tests/ikev2-stroke/rw-eap-tls-only/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-only/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat

new file mode 100644 (file)

index 0000000..100919a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..a4e10a0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..f7a382d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/posttest.dat

similarity index 100%

rename from testing/tests/ikev2/alg-chacha20poly1305/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat

similarity index 85%

rename from testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat

index e34f702774cb13b083ed4e9cdf73a25c95810624..1578796a1e1ff1686a4f1e0cd2931c296df74b99 100644 (file)
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  moon::ipsec start
  carol::ipsec start
-moon::expect-connection rw
+moon::expect-connection rw-eap
  carol::expect-connection home
  carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/test.conf

similarity index 100%

rename from testing/tests/ikev1/esp-alg-null/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-only/test.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt

new file mode 100644 (file)

index 0000000..842a88c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates with the remote AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat

new file mode 100644 (file)

index 0000000..36c0544
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..b419640
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..783b4c8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat

similarity index 82%

rename from testing/tests/ikev2/alg-sha384/posttest.dat

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..4361417fd1df1686627e8a5dc2ced483a993c44b 100644 (file)
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat
@@ -1,4 +1,5 @@
  moon::ipsec stop
  carol::ipsec stop
+alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat

new file mode 100644 (file)

index 0000000..012323f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf

index 0d9e9f3d437913f8521bc332836a6a94db23a760..eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7 100644 (file)
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt

similarity index 99%

rename from testing/tests/swanctl/rw-eap-ttls-only/description.txt

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt

index 19c00531e484e640566b39f2ac3317e5231e42d8..3d4c3ab873425a90ec892a64ab4b580d5554e812 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-only/description.txt
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt
@@ -3,7 +3,7 @@ The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a sep
  authentication) with the gateway being authenticated by a server certificate during the
  EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
  authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
-<p/>
+<p/> 
  With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
  <b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
  sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat

similarity index 54%

rename from testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat

index 46d6be42a7f168c67a063ed9bf0778751387377f..a4b7d5812136bcaea5c1e0dae50e4472f5e3701c 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0637de3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..0637de3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..dd1524c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+   }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat

new file mode 100644 (file)

index 0000000..dccf854
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf

new file mode 100644 (file)

index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt

new file mode 100644 (file)

index 0000000..299106b
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat

similarity index 56%

rename from testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat

index df4f0d550875aa8afccbe63dcf00a5ab66277bf5..4be616469d8d46777c98aa17adc297fdfe2192fd 100644 (file)
--- a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat
@@ -10,8 +10,12 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..443332a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..443332a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9681551
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat

new file mode 100644 (file)

index 0000000..a6619d0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat

new file mode 100644 (file)

index 0000000..c98e8ed
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf

similarity index 92%

rename from testing/tests/swanctl/rw-eap-peap-radius/test.conf

rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf

index 0e5512b655038f627d97147d23dc21852a74b066..20d5863094b871ee000fd4e7acadccad31ad31fa 100644 (file)
--- a/testing/tests/swanctl/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt b/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt

new file mode 100644 (file)

index 0000000..47f6968
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat

similarity index 70%

rename from testing/tests/ikev2/alg-modp-subgroup/evaltest.dat

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat

index 8bcba9a3a51670bc3f4ce79486eb1ac12feb71f5..a5aa06be28a3ccdb578cd5c021f7a91cd0a5a048 100644 (file)
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat
@@ -1,15 +1,12 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
  carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
  dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
  carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
  moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
-dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat

old mode 100755 (executable)

new mode 100644 (file)

similarity index 52%

rename from testing/tests/swanctl/rw-hash-and-url/pretest.dat

rename to testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat

index 3d37a86..ee5bc7c
--- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat
@@ -1,11 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
  moon::expect-connection rw
  carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
  dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf

new file mode 100644 (file)

index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt b/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt

new file mode 100644 (file)

index 0000000..b4aaa6a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat

new file mode 100644 (file)

index 0000000..0c8c311
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets

similarity index 100%

rename from testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets

rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..9555143
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat

new file mode 100644 (file)

index 0000000..ee5bc7c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf

new file mode 100644 (file)

index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/description.txt b/testing/tests/ikev2-stroke/virtual-ip/description.txt

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/description.txt

rename to testing/tests/ikev2-stroke/virtual-ip/description.txt
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke/virtual-ip/evaltest.dat

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/evaltest.dat

rename to testing/tests/ikev2-stroke/virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..93f4345
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/ipsec.conf

similarity index 100%

rename from testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf

rename to testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf

new file mode 100644 (file)

index 0000000..93f4345
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/virtual-ip/posttest.dat b/testing/tests/ikev2-stroke/virtual-ip/posttest.dat

new file mode 100644 (file)

index 0000000..1865a1c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/virtual-ip/pretest.dat b/testing/tests/ikev2-stroke/virtual-ip/pretest.dat

new file mode 100644 (file)

index 0000000..e87a8ee
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-ntru-bliss/test.conf b/testing/tests/ikev2-stroke/virtual-ip/test.conf

similarity index 91%

rename from testing/tests/swanctl/rw-ntru-bliss/test.conf

rename to testing/tests/ikev2-stroke/virtual-ip/test.conf

index a542d037ed56442e8f40156a1baa17c18f2b041e..164b07ff9761f484661799c906b1a3792c30b9a5 100644 (file)
--- a/testing/tests/swanctl/rw-ntru-bliss/test.conf
+++ b/testing/tests/ikev2-stroke/virtual-ip/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon alice"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/acert-cached/description.txt b/testing/tests/ikev2/acert-cached/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 42f7432..d2bd6b5
--- a/testing/tests/ikev2/acert-cached/description.txt
+++ b/testing/tests/ikev2/acert-cached/description.txt
@@ -1,11 +1,11 @@
-<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
  To authorize clients, <b>moon</b> uses locally cached attribute certificates.
  While for <b>carol</b> a valid attribute certificate for the group <i>sales</i>
  is available, <b>dave</b>'s attribute certificates are either expired or
-do not grant permissions for the <i>sales</i> group.</p>
-<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
-to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
-to do so.</p>
+do not grant permissions for the <i>sales</i> group.
+<p/>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b>
+and <b>dave</b> try to ping the client <b>alice</b> behind the gateway <b>moon</b>,
+but dave fails to do so.
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 6d6b1d9..c304d8a
--- a/testing/tests/ikev2/acert-cached/evaltest.dat
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*home.*state=INSTALLED.*::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*state=INSTALLED::NO
  moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
  dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f1c4ba6
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7fcdea8
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index fbffbad..0000000
--- a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       rightgroups=sales
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 6276b14..258d555
--- a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5eb12bf
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         groups = sales
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 43c6959..4055bc8
--- a/testing/tests/ikev2/acert-cached/posttest.dat
+++ b/testing/tests/ikev2/acert-cached/posttest.dat
@@ -1,11 +1,7 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::cd /etc/swanctl; rm rsa/* x509aa/* x509ac/*
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem
-moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem
-moon::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aaKey.pem
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev2/acert-cached/pretest.dat
+++ b/testing/tests/ikev2/acert-cached/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/acert-cached/test.conf b/testing/tests/ikev2/acert-cached/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/acert-cached/test.conf
+++ b/testing/tests/ikev2/acert-cached/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/acert-fallback/description.txt b/testing/tests/ikev2/acert-fallback/description.txt

index 0008b105a90de4f1596b331466d6914ab1a0befe..ac9914fed6f405c8d89ffff5c5df2da4dad4bba0 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/description.txt
+++ b/testing/tests/ikev2/acert-fallback/description.txt
@@ -5,7 +5,7 @@ The authentication is based on <b>X.509 certificates</b>. To authorize clients,
  the <i>finance</i> groups. The attribute certificate for <i>finance</i> is not
  valid anymore, hence <b>carol</b> gets access to the <i>sales</i> connection
  only.</p>
-<p>Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+<p>Upon the successful establishment of the IPsec tunnel, the updown-script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> tries to ping both
  <b>alice</b> and <b>venus</b>, but only the ping for the <i>sales</i> related
diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat

index 8c4e9e2fc230ffca86668f41eb62e307ca744e34..0b48edef24855a6f01a82cde36f04f9f357d75fb 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/evaltest.dat
+++ b/testing/tests/ikev2/acert-fallback/evaltest.dat
@@ -1,6 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.100/32]::YES
  moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
  carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
  carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..ba2c31e550d66f2e4a65e0a9808eab2c6f9ac4ca 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..07e4050
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+        }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 37e779f..0000000
--- a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn finance
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.10/32
-       leftfirewall=yes
-       right=%any
-       rightid=*@strongswan.org
-       rightgroups=finance
-       keyexchange=ikev2
-       auto=add
-
-conn sales
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.20/32
-       leftfirewall=yes
-       right=%any
-       rightgroups=sales
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf

index 6276b14eeb7cccc18ebb3b017205b39510471fb9..78647e4c2354d4d24986a12058e890c60b327615 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 acert curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..decd9cb
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,46 @@
+connections {
+
+   finance {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         groups = finance
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128gcm128-x25519
+        }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         groups = sales
+      }
+      children {
+         venus {
+            esp_proposals = aes128gcm128-x25519
+            local_ts  = 10.1.0.20/32
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat

index b90119c6be8978c8a5fede4bc998204d4b8efc27..689d904dbcf0dba05cef5538d37c3e252f2d85af 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/posttest.dat
+++ b/testing/tests/ikev2/acert-fallback/posttest.dat
@@ -1,8 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-carol::rm /etc/ipsec.d/acerts/carol-sales.pem
-carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
-moon::rm /etc/ipsec.d/private/aaKey.pem
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::cd /etc/swanctl; rm rsa/* x509aa/*
+carol:: rm /etc/swanctl/x509ac/*
diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat

index 084516aa28150c101bd053ba46f6020128664a83..9a9d9c87e1de3fedbf422bb8e212fbea5eb28be9 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/pretest.dat
+++ b/testing/tests/ikev2/acert-fallback/pretest.dat
@@ -1,8 +1,6 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection finance
  moon::expect-connection sales
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/acert-fallback/test.conf b/testing/tests/ikev2/acert-fallback/test.conf

index a6c21de09b060ad3efd5f38e222995d0e7418878..65dc3537456c43e5c37e69f144cd7bcaa629a8f2 100644 (file)
--- a/testing/tests/ikev2/acert-fallback/test.conf
+++ b/testing/tests/ikev2/acert-fallback/test.conf
@@ -5,17 +5,20 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
  
  # Corresponding block diagram
  #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/acert-inline/description.txt b/testing/tests/ikev2/acert-inline/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 948b847..d2bd6b5
--- a/testing/tests/ikev2/acert-inline/description.txt
+++ b/testing/tests/ikev2/acert-inline/description.txt
@@ -1,12 +1,11 @@
-<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-To authorize clients, <b>moon</b> expects attribute certificates sent inline in
-IKEv2 CERT payloads. <b>Carol</b> provides a valid attribute certificate for
-the group <i>sales</i>, but <b>dave</b> offers two invalid attribute
-certificates: One is not for the <i>sales</i> group, and the other is issued by
-an AA that has been expired.</p>
-<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
-to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
-to do so.</p>
+To authorize clients, <b>moon</b> uses locally cached attribute certificates.
+While for <b>carol</b> a valid attribute certificate for the group <i>sales</i>
+is available, <b>dave</b>'s attribute certificates are either expired or
+do not grant permissions for the <i>sales</i> group.
+<p/>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b>
+and <b>dave</b> try to ping the client <b>alice</b> behind the gateway <b>moon</b>,
+but dave fails to do so.
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index cf0e7be..ac30652
--- a/testing/tests/ikev2/acert-inline/evaltest.dat
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*home.*state=INSTALLED.*::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*state=INSTALLED::NO
  moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
  carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
  dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f1c4ba6
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 65c9819..0000000
--- a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7fcdea8
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e3abea5..0000000
--- a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       rightgroups="finance, sales"
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 6276b14..258d555
--- a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..cba80fc
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         groups = finance,sales
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bd2272b..9dcba15
--- a/testing/tests/ikev2/acert-inline/posttest.dat
+++ b/testing/tests/ikev2/acert-inline/posttest.dat
@@ -1,13 +1,9 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::cd /etc/swanctl; rm rsa/* x509aa/*
+carol::rm /etc/swanctl/x509ac/*
+dave::rm /etc/swanctl/x509ac/*
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-carol::rm /etc/ipsec.d/acerts/carol-sales.pem
-dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem
-dave::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aaKey-expired.pem
-moon::rm /etc/ipsec.d/private/aaKey.pem
-moon::rm /etc/ipsec.d/aacerts/aaCert-expired.pem
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev2/acert-inline/pretest.dat
+++ b/testing/tests/ikev2/acert-inline/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/acert-inline/test.conf b/testing/tests/ikev2/acert-inline/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/acert-inline/test.conf
+++ b/testing/tests/ikev2/acert-inline/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/after-2038-certs/description.txt b/testing/tests/ikev2/after-2038-certs/description.txt

index fb622dc15007092738c414c06146ec18aa1ce501..1d6b911b934f58059fbc81999c314b23d4473a2f 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/description.txt
+++ b/testing/tests/ikev2/after-2038-certs/description.txt
@@ -1,13 +1,13 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
  The authentication is based on <b>X.509 certificates</b> that are valid until
-the year 2039 and are issued by a certification authority with a root ca 
+the year 2039 and are issued by a certification authority with a root ca
  certificate valid until the year 2059. On 32-bit platforms, dates after
  Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
  Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
  dates contained in the certificates are set to the maximum value,
  i.e. to Jan 19 03:14:07 UTC 2038.
-
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
  behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat

index 8c2c078bda7b546ceae349f1221f289a1e71ee7c..69c51d023be95d2fe34e4542893efc513922edf3 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/evaltest.dat
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -1,8 +1,5 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..8f8fbdfa76a75e11327a846c50f1b52e6760e530 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..454213d
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128gcm16-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 1ee7513..0000000
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..8f8fbdfa76a75e11327a846c50f1b52e6760e530 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..491e655
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/10
+            esp_proposals = aes128gcm16-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..adbfd8f247b3d477858792d79ec69562ff4cda45 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat

index e34f702774cb13b083ed4e9cdf73a25c95810624..1cf07245b02327d7604a6f19c93846e8c1e15414 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,7 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..7229b10c234b66534bdf751deb1c5fdc78395343 100644 (file)
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -5,7 +5,7 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
  
  # Corresponding block diagram
  #
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/alg-3des-md5/description.txt b/testing/tests/ikev2/alg-3des-md5/description.txt

deleted file mode 100644 (file)

index 4c39d0b..0000000
--- a/testing/tests/ikev2/alg-3des-md5/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat

deleted file mode 100644 (file)

index 00465c2..0000000
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
-moon:: ip xfrm state::enc cbc(des3_ede)::YES
-carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth-trunc hmac(md5)::YES
-carol::ip xfrm state::auth-trunc hmac(md5)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 1be5f1d..0000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=3des-md5-modp1024!
-       esp=3des-md5-modp1024!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 2c4f3fc..0000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e961f08..0000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=3des-md5-modp1024!
-       esp=3des-md5-modp1024!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 66ff246..0000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt

deleted file mode 100644 (file)

index 569504a..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-curve25519</b>
-(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-curve25519</b> in ipsec.conf, respectively.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat

deleted file mode 100644 (file)

index 447445b..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
-moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
-moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index c7218e4..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128ccm96-aesxcbc-x25519!
-       esp=aes128ccm96-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index eb329f2..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index fdffa0f..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128ccm12-aesxcbc-x25519!
-       esp=aes128ccm12-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index ffe6974..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt

deleted file mode 100644 (file)

index 1ac6b4c..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-curve25519</b>
-and <b>esp=aes128ctr-aesxcbc-curve25519</b> in ipsec.conf, respectively.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat

deleted file mode 100644 (file)

index 1bbaacf..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
-moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
-carol::ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ip xfrm state::rfc3686(ctr(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
-
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index b5aabdd..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128ctr-aesxcbc-x25519!
-       esp=aes128ctr-aesxcbc-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index c6ef5d7..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 650b346..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128ctr-aesxcbc-x25519!
-       esp=aes128ctr-aesxcbc-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 3ec3f00..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt

deleted file mode 100644 (file)

index ccf32fc..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-curve25519</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-curve25519</b> in ipsec.conf,
-respectively.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat

deleted file mode 100644 (file)

index 487928c..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index c6bc925..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256gcm128-aesxcbc-x25519!
-       esp=aes256gcm128-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7cb4496..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 1597aae..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256gcm16-aesxcbc-x25519!
-       esp=aes256gcm16-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 35d3c19..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt

deleted file mode 100644 (file)

index d69d3d0..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / AES_XCBC_96</b> by defining <b>esp=aes128-aesxcbc-curve25519!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat

deleted file mode 100644 (file)

index 42bf076..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
-carol::ip xfrm state::auth-trunc xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 93bafce..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-aesxcbc-x25519!
-       esp=aes128-aesxcbc-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index ce99647..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 13a1798..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-aesxcbc-x25519!
-       esp=aes128-aesxcbc-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 69f188e..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat

deleted file mode 100644 (file)

index 106087b..0000000
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
-
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 7456a9d..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=blowfish256-sha512-modp2048!
-       esp=blowfish192-sha256!
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 99d3c61..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-  syslog {
-    daemon {
-      cfg = 2
-    }
-  }
-}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index df3242d..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=blowfish128-sha256-modp1536!
-       esp=blowfish128-sha1!
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index a3c9999..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 3c0578d..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-       esp=blowfish192-sha256,blowfish128-sha1!
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 99a0e89..0000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-  syslog {
-    daemon {
-      cfg = 2
-    }
-  }
-}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/description.txt b/testing/tests/ikev2/alg-chacha20poly1305/description.txt

deleted file mode 100644 (file)

index a808c4b..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>CHACHA20_POLY1305</b> both for IKE and ESP by defining
-<b>ike=chacha20poly1305-prfsha256-ntru256</b> and
-<b>esp=chacha20poly1305-ntru256</b> in ipsec.conf, respectively.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat

deleted file mode 100644 (file)

index ac29c66..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES
-moon:: ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES
-carol::ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES
-moon:: ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
-carol::ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index eebbaa1..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=chacha20poly1305-prfsha256-ntru256!
-       esp=chacha20poly1305-ntru256!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 9128a62..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce chapoly aes sha1 sha2 md5 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index b0b5763..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-        ike=chacha20poly1305-prfsha256-ntru256!
-        esp=chacha20poly1305-ntru256!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index ab04e14..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce chapoly aes sha1 sha2 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  send_vendor_id = yes 
-}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/test.conf b/testing/tests/ikev2/alg-chacha20poly1305/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-chacha20poly1305/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 84c9c8c..0000000
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160!
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3f13273..0000000
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 5402f24..0000000
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256!
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 84b3d68..0000000
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160!
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index be00a11..0000000
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-sha256-96/description.txt b/testing/tests/ikev2/alg-sha256-96/description.txt

deleted file mode 100644 (file)

index 9e5321e..0000000
--- a/testing/tests/ikev2/alg-sha256-96/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_96</b> which uses 96 bit instead of the 
-standard 128 bit truncation, allowing compatibility with Linux kernels older than 2.6.33 
-by defining <b>esp=aes128-sha256_96-curve25519!</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat

deleted file mode 100644 (file)

index 42e7b93..0000000
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
-carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
-carol::ip xfrm state::auth-trunc hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6a1a1ad..0000000
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=aes128-sha256_96-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 41919c8..0000000
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=aes128-sha256_96-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/description.txt b/testing/tests/ikev2/alg-sha256/description.txt

deleted file mode 100644 (file)

index f7e5391..0000000
--- a/testing/tests/ikev2/alg-sha256/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-curve25519!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat

deleted file mode 100644 (file)

index f47852b..0000000
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
-carol::ip xfrm state::auth-trunc hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index b3548db..0000000
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=aes128-sha256-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index da8bff0..0000000
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=aes128-sha256-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/description.txt b/testing/tests/ikev2/alg-sha384/description.txt

deleted file mode 100644 (file)

index f96ea5c..0000000
--- a/testing/tests/ikev2/alg-sha384/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-curve25519!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat

deleted file mode 100644 (file)

index 56d862e..0000000
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
-carol::ip xfrm state::auth-trunc hmac(sha384)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e9122d4..0000000
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes192-sha384-x25519!
-       esp=aes192-sha384-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e4b5273..0000000
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes192-sha384-x25519!
-       esp=aes192-sha384-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/description.txt b/testing/tests/ikev2/alg-sha512/description.txt

deleted file mode 100644 (file)

index bf79a3b..0000000
--- a/testing/tests/ikev2/alg-sha512/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat

deleted file mode 100644 (file)

index 0b2a71a..0000000
--- a/testing/tests/ikev2/alg-sha512/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
-carol::ip xfrm state::auth-trunc hmac(sha512)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 13ab244..0000000
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3f13273..0000000
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e6d4104..0000000
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index be00a11..0000000
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat

index 843326ecc6e33738f90b9bbf4d5bbf782397791f..7ac691a29f7a998eaa3f62d1efa0b5c6a07c1907 100644 (file)
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
  moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
  moon:: ip xfrm state::proto comp spi::YES
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 7880989..0000000
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       compress=yes
-       leftfirewall=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..fbd4e38
--- /dev/null
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256-x25519
+            ipcomp = yes
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 718b3c8..0000000
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       compress=yes
-       leftfirewall=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..3614716
--- /dev/null
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-x25519
+            ipcomp = yes
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/ikev2/compress/posttest.dat
+++ b/testing/tests/ikev2/compress/posttest.dat
@@ -1,4 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat

index 5536d2803aa5bfd74c258302d21ccf27f6faf6f7..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,7 +1,5 @@
-carol::iptables-restore < /etc/iptables.rules
-moon::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-moon::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf

index d7b71426cf43cf00598fede7f6f1832a1f8e98eb..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -20,3 +20,6 @@ TCPDUMPHOSTS="moon"
  #
  IPSECHOSTS="moon carol"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/config-payload/description.txt b/testing/tests/ikev2/config-payload/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 7690e7d..57134ca
--- a/testing/tests/ikev2/config-payload/description.txt
+++ b/testing/tests/ikev2/config-payload/description.txt
@@ -1,7 +1,10 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
-tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
-<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
-and <b>dave1</b>, respectively.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind
+the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual
+IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 9471f88..1cc8d82
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,26 +1,16 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..ad4c18e
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/config-payload/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..ad4c18e
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/config-payload/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index b8817fe..ad4c18e
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5b4f021
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol_vip
+
+      remote {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave_vip
+
+      remote {
+         auth = pubkey
+         id = dave@strongswan.org
+      }
+   }
+
+}
+
+pools {
+
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+
+   dave_vip {
+      addrs = 10.3.0.2
+   }
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf

rename to testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev2/config-payload/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bdbe341..28f600c
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -1,11 +1,12 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-carol
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev2/config-payload/test.conf
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt

index 8c0d37c8881623e18ecf2a103e9badafd58a6e67..4f472b83b603f08e3ffb4c0040f4e8ff6a649232 100644 (file)
--- a/testing/tests/ikev2/critical-extension/description.txt
+++ b/testing/tests/ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical 
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
  extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
  <b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat

index 900cc06dbb16707c8926d900e696aaaa7e4551f3..a2e3861c50700a310fcb1b672d096d8fb778afab 100644 (file)
--- a/testing/tests/ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -1,8 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
  moon::cat /var/log/daemon.log::sending end entity cert::YES
  moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
  sun:: cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.pem' failed::YES
+sun:: cat /var/log/daemon.log::loading '/etc/swanctl/x509/sunCert.pem' failed::YES
  sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 3854859..0000000
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf

index 448093f9f5518cb6c16efd4229fbfd7defbf3348..48206447041affb7e0d5853a13f1f952b80c813b 100644 (file)
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    multiple_authentication = no
-  
+
    x509 {
      enforce_critical = no
    }
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..40ac707
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 13860bd..0000000
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf

index dbcb7a368fdc578b9f969cb317928ec4fb6046de..c9495c696858d666f09fa2504cf973ab218dd3e2 100644 (file)
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    multiple_authentication = no
-}
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..2740c14
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+             esp_proposals = aes128gcm128-curve25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat

index 837738fc6ac7661098219147901d0be4dbfa24f2..4ee2ed67190b99323fa4d9cca62182a642c75d73 100644 (file)
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,2 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat

index 08ca6b54cdc7c224ba27611d2fe499dce2c7dfbd..bcc06dbccb6d4d090d16b250eae65aa2fcb899f9 100644 (file)
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,7 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf

index b286ef6eba0e9397e35d6f41de44ceaebcee63cd..d3016a886c1f0ad2d7391506671cb5a80bfbd531 100644 (file)
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/crl-ldap/description.txt b/testing/tests/ikev2/crl-ldap/description.txt

index 46e7a69619b8c3fbbf33510792097d163fdc3f83..c8827bd7913e91e573af519d554b6df16bb699a8 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/description.txt
+++ b/testing/tests/ikev2/crl-ldap/description.txt
@@ -1,6 +1,7 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>revocation = strict</b> a <b>strict CRL policy</b> is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
+the connection and only an expired CRL cache file in <b>/etc/swanctl/x509crl</b> is
  available, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
  successfully started and the IKE authentication completes. The new CRL is again
-cached locally as a file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
+cached locally as a file in <b>/etc/swanctl/x509crl</b> due to the <b>cache_crls = yes</b>
+option in <b>/etc/strongswan.conf</b>.
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat

index b0774c64ddbb3794e5334d64bb479ed960a82e3a..9f15796aac9ec787654f2f9915d591d9e79eabba 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,11 +1,11 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::loaded crl from::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sa --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl/stale.crl::YES
  moon:: cat /var/log/daemon.log::crl is stale::YES
  moon:: cat /var/log/daemon.log::fetching crl from.*ldap::YES
  moon:: cat /var/log/daemon.log::crl is valid::YES
  moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::loaded crl from::YES
+carol::cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl/stale.crl::YES
  carol::cat /var/log/daemon.log::crl is stale::YES
  carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
  carol::cat /var/log/daemon.log::crl is valid::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 1c9a7c4..0000000
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-       cachecrls=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=2
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf

index a9c6e8d4e6dec049eccbf247f653bf28e8216663..6e553f20233042b38e36985e12e2904c9a609069 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici
+
+  cache_crls = yes
  }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..af0c568
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+authorities {
+   strongswan {
+      cacert = strongswanCert.pem
+      crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+   }
+}
+
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 57fb7dd..0000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-       cachecrls=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=2
-       keyexchange=ikev2
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules

deleted file mode 100644 (file)

index debcc21..0000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow ldap crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf

index a9c6e8d4e6dec049eccbf247f653bf28e8216663..6e553f20233042b38e36985e12e2904c9a609069 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici
+
+  cache_crls = yes
  }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..04c2611
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+authorities {
+   strongswan {
+      cacert = strongswanCert.pem
+      crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+   }
+}
+
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat

index 8474bd3aace8a2340e6aeaf819bb8787bf4c3c13..f97a66b33ecccc873dcfc01e230465c04d3f110e 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-winnetou::/etc/init.d/slapd stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat

index 6cb50d7e0f532d096a0941d0e43891a0c507c0c7..663484ff0e5726e706fbc6e66062e847894097d4 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,8 +1,6 @@
  winnetou::/etc/init.d/slapd start
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/crl-revoked/description.txt b/testing/tests/ikev2/crl-revoked/description.txt

index b39c59c974b79cc37c52e33c1760f0c5160fc6e6..0559bd1656f257d4bfbb9f81b1f244a9359f53eb 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/description.txt
+++ b/testing/tests/ikev2/crl-revoked/description.txt
@@ -1,4 +1,4 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>revocation = strict</b> a <b>strict CRL policy</b> is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
  initiates the connection and presents a certificate that has been revoked by the
-current CRL causing the IKE negotiation to fail. 
+current CRL causing the IKE negotiation to fail.
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat

index 4f3e10ba179056aeac3e319c97c6c443cef2a6be..6c30744e853f2e2df50e79a1b4b2016321ceaa29 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,4 +1,4 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
  moon:: cat /var/log/daemon.log::certificate was revoked::YES
  carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index fa67815..0000000
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..3388bdc
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 918d974..0000000
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b86e0cf
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,22 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/crl-revoked/posttest.dat b/testing/tests/ikev2/crl-revoked/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..79ad33de60f3f24a04ca8a0371a182e82bbd90db 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/posttest.dat
+++ b/testing/tests/ikev2/crl-revoked/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..1cf07245b02327d7604a6f19c93846e8c1e15414 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/pretest.dat
+++ b/testing/tests/ikev2/crl-revoked/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/crl-to-cache/description.txt b/testing/tests/ikev2/crl-to-cache/description.txt

index 9f542e73d5b9d7618d677e733f2e49f29117162c..0e6f1cbd697ecd3a9c165587f6dbc9ed28174230 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/description.txt
+++ b/testing/tests/ikev2/crl-to-cache/description.txt
@@ -1,6 +1,8 @@
-By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
-via http from the web server <b>winnetou</b> is saved locally in the
-directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
-and the gateway <b>moon</b> when the IPsec connection is set up. The
-<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
-is used as a unique filename for the cached CRL. 
+By setting <b>cache_crls = yes</b> in <b>/etc/strongswan.conf</b>, a copy of
+both the <b>base CRL</b> and the latest <b>delta CRL</b> fetched via http from
+the web server <b>winnetou</b> is saved locally in the directory
+<b>/etc/swanctl/x509crl</b> on both the roadwarrior <b>carol</b> and the
+gateway <b>moon</b> when the IPsec connection is set up.
+The <b>subjectKeyIdentifier</b> of the issuing CA plus the suffixes
+<b>.crl</b> and <b>_delta.crl</b> are used as unique filename for the
+cached <b>base CRL</b> and <b>delta CRL</b>, respectively.
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat

index f7417da6d9c17b80d7a6475c55dcb338dbe0d198..91e34578f809c62b76cc0386cf662fa4af10b450 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,8 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
+carol::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 17a5854..0000000
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-       cachecrls=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..48e34abba3a76c25e35e17f48dc800abd9129b3e 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  cache_crls = yes
  }
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index d2137d9..0000000
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf

index 82118b4101a41a1397511536f36671c821e85a5f..48e34abba3a76c25e35e17f48dc800abd9129b3e 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  
    cache_crls = yes
  }
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/crl-to-cache/posttest.dat b/testing/tests/ikev2/crl-to-cache/posttest.dat

index be17847c13b1c6ca9c27343b9850981a1e6d2e7d..f97a66b33ecccc873dcfc01e230465c04d3f110e 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/posttest.dat
+++ b/testing/tests/ikev2/crl-to-cache/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
diff --git a/testing/tests/ikev2/crl-to-cache/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..1cf07245b02327d7604a6f19c93846e8c1e15414 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-to-cache/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/crl-to-cache/test.conf
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/dhcp-dynamic/description.txt b/testing/tests/ikev2/dhcp-dynamic/description.txt

index b29a1de78f603c88c71a2305e9886813eb1d6375..bef542371423a4e77c638136411329ee04579198 100644 (file)
--- a/testing/tests/ikev2/dhcp-dynamic/description.txt
+++ b/testing/tests/ikev2/dhcp-dynamic/description.txt
@@ -1,5 +1,5 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips=0.0.0.0</b>
  parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS server
  information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned dynamically
  by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that <b>carol</b> and <b>dave</b> become full members
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat

index 0c4914f14a8d25c40d74ede45128bae5e3eae9b8..aa62bcec4699bf37c32ef712ed0b66c5d7d5fc34 100644 (file)
--- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -1,15 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.51/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..9932df3
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..9932df3
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c4a0ff8..c00d3dc
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
  
    plugins {
      dhcp {
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat

index 60be3f95ce4fb7042f0cd1470bfd2fa728b9f689..d258f1e3848716eb076cea74b4bad7cbc49f01b9 100644 (file)
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  venus::cat /var/lib/dhcp/dhcpd.leases
  venus::service isc-dhcp-server stop 2> /dev/null
  venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat

index ff3c04b8185797e47b79df2fde161e3a10a5d140..d8c1191cd4434b0db44153ba80ec86fb7d90c6d7 100644 (file)
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -3,11 +3,11 @@ carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
  venus::cat /etc/dhcp/dhcpd.conf
  venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf

index fd8a59c90c551dfcca5b0450276b4e97f6078738..853093c96bfe1c2915d00593f53d347c6d6c940f 100644 (file)
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a774f2a..0000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-
-conn rw
-       right=%any
-       rightsourceip=%dhcp
-       auto=add
diff --git a/testing/tests/ikev2/double-nat-net/description.txt b/testing/tests/ikev2/double-nat-net/description.txt

index ff09155f6ebad40a1888352abbb7742a5f5af373..19fcf274ef6043bdcae0e0eff1aa4d67672c9a29 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/description.txt
+++ b/testing/tests/ikev2/double-nat-net/description.txt
@@ -1,7 +1,9 @@
  The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
  tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
  directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
-using destination NAT.  UDP encapsulation is used to traverse the NAT routers.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test the double NAT-ed IPsec
-tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
+using destination NAT. UDP encapsulation is used to traverse the NAT routers.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the double NAT-ed IPsec tunnel <b>alice</b> pings the inner IP address
+of the router <b>sun</b>.
+\ No newline at end of file
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat

index af29ce7b998edc6a46d04f4191762dd1676a9f6f..c46b138cb53cb4e9e9e012321a5473c8e5e21de3 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+bob::  swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
  alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf

deleted file mode 100644 (file)

index 38629d1..0000000
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-               
-conn nat-t
-       left=%defaultroute
-       leftcert=aliceCert.pem
-       leftid=alice@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=bob@strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..1d3d753
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      remote_addrs = sun.strongswan.org
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = bob@strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf

deleted file mode 100644 (file)

index 1c4a807..0000000
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn nat-t
-       left=%defaultroute
-       leftsubnet=10.2.0.0/16
-       leftcert=bobCert.pem
-       leftid=bob@strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..16e2b51
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   nat-t {
+
+      local {
+         auth = pubkey
+         certs = bobCert.pem
+         id = bob@strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat

index ec663e70d9f58d60268d7428407cc897b8bfe752..5eee039227be5d7f751ae4919bae541d2353d3a4 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  bob::iptables-restore < /etc/iptables.flush
  moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat

index e58c23480ea719f1fc51684ebd8e80e2fd47ae7f..09dbe38c6d87969f36ff55b040abf353afe8ec9a 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -5,8 +5,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
  sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
  sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
  sun::ip route add 10.1.0.0/16 via PH_IP_BOB
-alice::ipsec start
-bob::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
  bob::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf

index d2e31d257a23fb35de55bff773b745e923922bfc..33e1825b8499d658ca0207e5c14a8448079881e3 100644 (file)
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/double-nat/description.txt b/testing/tests/ikev2/double-nat/description.txt

index ce7de0e56c8f715ffec4146fcb40510db8b6983c..1f2a6b734aa3398fe8d8856892f8e4849452e53a 100644 (file)
--- a/testing/tests/ikev2/double-nat/description.txt
+++ b/testing/tests/ikev2/double-nat/description.txt
@@ -1,5 +1,7 @@
  The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
  the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to
-traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
-tunnel <b>alice</b> pings <b>bob</b>.
+traverse the NAT routers.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the double NAT-ed IPsec tunnel <b>alice</b> pings <b>bob</b>.
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat

index 903226706e344a472d272d4a7ba89ed5a19c68f7..b272d22960ffc9a8c2d7e12465cf15cb050c8d56 100644 (file)
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.10/32]::YES
+bob::  swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.10/32] remote-ts=\[10.1.0.10/32]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf

deleted file mode 100644 (file)

index fe5b5f2..0000000
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-               
-conn nat-t
-       left=%defaultroute
-       leftcert=aliceCert.pem
-       leftid=alice@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=bob@strongswan.org
-       rightsubnet=PH_IP_BOB/32
-       auto=add
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..5fab3c7
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      remote_addrs = sun.strongswan.org
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = bob@strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.10
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf

deleted file mode 100644 (file)

index 1004ee9..0000000
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn nat-t
-       left=%defaultroute
-       leftcert=bobCert.pem
-       leftid=bob@strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e3d00a1
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   nat-t {
+
+      local {
+         auth = pubkey
+         certs = bobCert.pem
+         id = bob@strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat

index f434b336c25aa80721dd3347c67d7faef1d1e6bc..7445fb4595f8b13ebe3968e979576c114f8fae18 100644 (file)
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  bob::iptables-restore < /etc/iptables.flush
  moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat

index 6f74000b538f9eda7decade5bd2e32f94eb22cd1..5376a59ed8b2e9a0179bb8b0bc44bafddee957d2 100644 (file)
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -4,8 +4,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
  sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
  sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
-alice::ipsec start
-bob::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
  bob::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf

index d2e31d257a23fb35de55bff773b745e923922bfc..33e1825b8499d658ca0207e5c14a8448079881e3 100644 (file)
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt

index 0fb2f106492e319a802c4385056e3feaa59c8140..19cc5646c0aba46cc32d136294b67be7ebe1b412 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/description.txt
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -2,4 +2,3 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <
  which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
  When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
  <b>moon</b> clears the connection after a number of unsuccessful retransmits.
-
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat

index 2071e8fc84d50e92c79b66ce855a9500048ed96f..5870b1117236628585c46fb9b0d7d0d7e8e50ae5 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,8 +1,8 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  moon:: sleep 13::no output expected::NO
  moon:: cat /var/log/daemon.log::sending DPD request::YES
  moon:: cat /var/log/daemon.log::retransmit.*of request::YES
  moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..a46e037
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6ca9db7
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+            dpd_action = clear
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+      dpd_delay = 10
+   }
+}
diff --git a/testing/tests/ikev2/dpd-clear/posttest.dat b/testing/tests/ikev2/dpd-clear/posttest.dat

index 931db4272eabe52c0cc6931ac28fb394ccc15dc1..617eff3d7b43f368fdf3553699c66cfa06851cd4 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/posttest.dat
+++ b/testing/tests/ikev2/dpd-clear/posttest.dat
@@ -1,3 +1,3 @@
  carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/pretest.dat
+++ b/testing/tests/ikev2/dpd-clear/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 75b377f..0000000
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       dpdaction=clear
-       dpddelay=10
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dpd-hold/posttest.dat b/testing/tests/ikev2/dpd-hold/posttest.dat

deleted file mode 100644 (file)

index c6d6235..0000000
--- a/testing/tests/ikev2/dpd-hold/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev2/dpd-restart/description.txt b/testing/tests/ikev2/dpd-restart/description.txt

index 410d3d636ff3e428eebbea6041da55e4afa9dfbe..4c3e027d43a4dcb8da26d8d42643b66dd6abe264 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/description.txt
+++ b/testing/tests/ikev2/dpd-restart/description.txt
@@ -1,7 +1,7 @@
  The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
  <b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
  polling interval of 10 s. When the network connectivity between <b>carol</b>
-and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
-clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
-also takes down the connection but immediately tries to reconnect which succeeds
-as soon as the connection becomes available again.
+and <b>moon</b> is forcefully disrupted, <b>moon</b> clears the connection after
+some unsuccessful retransmits whereas <b>carol</b> also takes down the connection
+but immediately tries to reconnect which succeeds as soon as the connection
+becomes available again.
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat

index 25c54df955cdc53b753d57523b7d8299e4de8120..1a7d1b110fc9c2a5a1461607bc1e60786d21dbb9 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
  carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  carol::sleep 13::no output expected::NO
@@ -9,5 +9,5 @@ carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
  carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
  moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
  carol::sleep 2::no output expected::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index dfc77a4..0000000
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       dpdaction=restart
-       dpddelay=10
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4444f6d
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128gcm16-x25519
+            dpd_action = restart
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+      dpd_delay = 10
+   }
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 75b377f..0000000
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       dpdaction=clear
-       dpddelay=10
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d42a9804c864892ded2cd178093b52b49ba508cc 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7aebd8f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128gcm128-x25519
+            dpd_action = clear
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+      dpd_delay = 5
+   }
+}
diff --git a/testing/tests/ikev2/dpd-restart/posttest.dat b/testing/tests/ikev2/dpd-restart/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..ec5d4c48ad60df57caeb2ee67bcf6b501613f8eb 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/posttest.dat
+++ b/testing/tests/ikev2/dpd-restart/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/pretest.dat
+++ b/testing/tests/ikev2/dpd-restart/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 3e441b2..58517d6
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
-The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=&lt;hostname&gt;</b>. The IKE daemon resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the
+<b>remote_addrs</b> field contains a <b>Fully Qualified Domain Name</b> (FQDN) which
+is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
+This will allow an IKE_SA rekeying to arrive from an arbitrary IP address
+under the condition that the peer identity remains unchanged. When this happens
  the old tunnel is replaced by an IPsec connection to the new origin.
  <p>
-In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
-suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
-old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some
+time <b>carol</b> suddenly changes her IP address and restarts the connection to
+<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking
+IKE packets to and from <b>carol</b> and starting the connection from host <b>dave</b>
+using <b>carol</b>'s identity).
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 43ccdda..6836543
--- a/testing/tests/ikev2/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -1,9 +1,7 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
-moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
+moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for peer.*carol@strongswan.org.*, received INITIAL_CONTACT::YES
  moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6fca045..0000000
--- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..08b4b1a
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 6fca045..0000000
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 6a2aea8..0000000
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..08b4b1a
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   moon {
+      remote_addrs = moon.strongswan.org
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         moon {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 2e5f01a..0000000
--- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn carol
-       left=%any
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=%carol.strongswan.org
-       rightid=carol@strongswan.org
-       rightsourceip=PH_IP_CAROL1
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..db4fd85
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   carol {
+      remote_addrs = carol.strongswan.org
+      pools = carol_vip
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         carol {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+      unique = replace
+   }
+}
+
+pools {
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 715bb94..784b258
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -1,8 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 18cbc45..704e1f1
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -1,13 +1,12 @@
-moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection carol
  carol::expect-connection moon
-carol::ipsec up moon
+carol::swanctl --initiate --child moon 2> /dev/null
  carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
  carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
  dave::expect-connection moon
-dave::ipsec up moon
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..37c3b73
--- a/testing/tests/ikev2/dynamic-initiator/test.conf
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="alice"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dynamic-two-peers/description.txt b/testing/tests/ikev2/dynamic-two-peers/description.txt

deleted file mode 100644 (file)

index a161601..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
-so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
-The ipsec starter resolves the fully-qualified hostname into the current IP address
-via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
-expected to change over time, the prefix '%' is used as an implicit alternative to the
-explicit <b>rightallowany=yes</b> option which will allow an IKE_SA rekeying to arrive
-from an arbitrary IP address under the condition that the peer identity remains unchanged.
-When this happens the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
-<b>moon</b> which has a named connection definition for each peer. Although
-the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
-the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
-
diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat

deleted file mode 100644 (file)

index 6666054..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6fca045..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn moon 
-       left=%any
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 6493ce0..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn moon
-       left=%any
-       leftsourceip=%config
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=%moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale

deleted file mode 100644 (file)

index ebff4ec..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale
+++ /dev/null
@@ -1,67 +0,0 @@
-# /etc/hosts:  This file describes a number of hostname-to-address
-#              mappings for the TCP/IP subsystem.  It is mostly
-#              used at boot time, when no name servers are running.
-#              On small systems, this file can be used instead of a
-#              "named" name server.  Just add the names, addresses
-#              and any aliases to this file...
-#
-
-127.0.0.1      localhost
-
-192.168.0.254  uml0.strongswan.org     uml0
-10.1.0.254     uml1.strongswan.org     uml1
-10.2.0.254     uml1.strongswan.org     uml2
-
-10.1.0.10      alice.strongswan.org    alice
-10.1.0.20      venus.strongswan.org    venus
-10.1.0.1       moon1.strongswan.org    moon1
-192.168.0.1    moon.strongswan.org     moon
-192.168.0.110  carol.strongswan.org    carol
-10.3.0.1       carol1.strongswan.org   carol1
-192.168.0.150  winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.220  dave.strongswan.org     dave
-10.3.0.2       dave1.strongswan.org    dave1
-192.168.0.2    sun.strongswan.org      sun
-10.2.0.1       sun1.strongswan.org     sun1
-10.2.0.10      bob.strongswan.org      bob
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1 ip6-mcast-1
-ff02::1:ff00:2 ip6-mcast-2
-ff02::1:ff00:10        ip6-mcast-10
-ff02::1:ff00:15        ip6-mcast-15
-ff02::1:ff00:20        ip6-mcast-20
-
-# IPv6 site-local addresses
-fec1::10       ip6-alice.strongswan.org    ip6-alice
-fec1::20       ip6-venus.strongswan.org    ip6-venus
-fec1::1        ip6-moon1.strongswan.org    ip6-moon1
-fec0::1        ip6-moon.strongswan.org     ip6-moon
-fec0::10       ip6-carol.strongswan.org    ip6-carol
-fec3::1        ip6-carol1.strongswan.org   ip6-carol1
-fec0::15       ip6-winnetou.strongswan.org ip6-winnetou 
-fec0::20       ip6-dave.strongswan.org     ip6-dave
-fec3::2        ip6-dave1.strongswan.org    ip6-dave1
-fec0::2        ip6-sun.strongswan.org      ip6-sun
-fec2::1        ip6-sun1.strongswan.org     ip6-sun1
-fec2::10       ip6-bob.strongswan.org      ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14        ip6-hw-venus.strongswan.org    ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a        ip6-hw-alice.strongswan.org    ip6-hw-alice
-fe80::fcfd:0aff:fe01:01        ip6-hw-moon1.strongswan.org    ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64        ip6-hw-carol.strongswan.org    ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8        ip6-hw-dave.strongswan.org     ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02        ip6-hw-sun.strongswan.org      ip6-hw-sun
-fe80::fcfd:0aff:fe02:01        ip6-hw-sun1.strongswan.org     ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index d510e2e..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=%any
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-
-conn carol
-       right=%carol.strongswan.org
-       rightid=carol@strongswan.org
-       rightsourceip=PH_IP_CAROL1
-       auto=add
-
-conn dave
-       right=%dave.strongswan.org
-       rightid=dave@strongswan.org
-       rightsourceip=PH_IP_DAVE1
-       auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat

deleted file mode 100644 (file)

index 8437153..0000000
--- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::mv /etc/hosts /etc/hosts.ori
-moon::mv /etc/hosts.stale /etc/hosts
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection carol
-carol::expect-connection moon
-carol::ipsec up moon
-dave::expect-connection moon
-dave::ipsec up moon
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt

deleted file mode 100644 (file)

index 0d5eb10..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-curve25519!</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat

deleted file mode 100644 (file)

index 293b5ab..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index ebe0c27..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-aesxcbc-x25519!
-       esp=aes256gmac-x25519!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index ce99647..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 1fdb1bd..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-aesxcbc-x25519!
-       esp=aes256gmac-x25519!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 69f188e..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat

deleted file mode 100644 (file)

index 4e457f1..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
-carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
-moon:: ip xfrm state::auth-trunc hmac(md5)::YES
-carol::ip xfrm state::auth-trunc hmac(md5)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index a850342..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=3des-md5-modp1024!
-       esp=3des-md5_128!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 2c4f3fc..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 13908da..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=3des-md5-modp1024!
-       esp=3des-md5_128!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 2c4f3fc..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/esp-alg-md5-128/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat

deleted file mode 100644 (file)

index b80e9f7..0000000
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-moon:: ip xfrm state::enc ecb(cipher_null)::YES
-carol::ip xfrm state::enc ecb(cipher_null)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 9991b0b..0000000
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=null-sha256!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 2a2c4cb..0000000
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-x25519!
-       esp=null-sha256!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/esp-alg-null/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat

deleted file mode 100644 (file)

index 20a9cf9..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
-carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
-moon:: ip xfrm state::auth-trunc hmac(sha1)::YES
-carol::ip xfrm state::auth-trunc hmac(sha1)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 043c3d7..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha1-modp2048!
-       esp=aes128-sha1_160!
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3f13273..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 8681963..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha1-modp2048!
-       esp=aes128-sha1_160!
-
-conn rw
-       left=PH_IP_MOON
-       leftfirewall=yes
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index be00a11..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/host2host-ah/description.txt b/testing/tests/ikev2/host2host-ah/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 11d814f..d2298b6
--- a/testing/tests/ikev2/host2host-ah/description.txt
+++ b/testing/tests/ikev2/host2host-ah/description.txt
@@ -1,5 +1,8 @@
  An IPsec <b>AH transport-mode</b> connection using AES-XCBC between the hosts
-<b>moon</b> and <b>sun</b> is successfully set up. <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the decrypted
-IP packets. In order to test the host-to-host connection <b>moon</b> pings
-<b>sun</b>.
+<b>moon</b> and <b>sun</b> is set up.The authentication is based on
+<b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-ah/evaltest.dat b/testing/tests/ikev2/host2host-ah/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1e50ef4..d29697a
--- a/testing/tests/ikev2/host2host-ah/evaltest.dat
+++ b/testing/tests/ikev2/host2host-ah/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 535e3d4..0000000
--- a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       type=transport
-       ah=aesxcbc
-       auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..cc18721
--- a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..66816ed
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = aesxcbc
+            mode = transport
+
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-aesxcbc-modp3072
+   }
+}
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 9537c18..0000000
--- a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       type=transport
-       ah=aesxcbc
-       auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..cc18721
--- a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..fcfdf1a
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = aesxcbc
+            mode = transport
+        }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-aesxcbc-modp3072
+   }
+}
diff --git a/testing/tests/ikev2/host2host-ah/posttest.dat b/testing/tests/ikev2/host2host-ah/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev2/host2host-ah/posttest.dat
+++ b/testing/tests/ikev2/host2host-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..f16a8d8
--- a/testing/tests/ikev2/host2host-ah/pretest.dat
+++ b/testing/tests/ikev2/host2host-ah/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-ah/test.conf b/testing/tests/ikev2/host2host-ah/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9647dc6..52d886d
--- a/testing/tests/ikev2/host2host-ah/test.conf
+++ b/testing/tests/ikev2/host2host-ah/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 876aa79..8f7e6e9
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,6 +1,6 @@
  A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
  The authentication is based on X.509 certificates.
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e0c40ba..0ce4c43
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..f16a8d8
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 55d6e9f..52d886d
--- a/testing/tests/ikev2/host2host-cert/test.conf
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="moon winnetou sun"
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-transport/description.txt b/testing/tests/ikev2/host2host-transport/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fe3482c..bc5a129
--- a/testing/tests/ikev2/host2host-transport/description.txt
+++ b/testing/tests/ikev2/host2host-transport/description.txt
@@ -1,4 +1,6 @@
-An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
-successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
-<b>moon</b> pings <b>sun</b>.
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 98251d1..b60b8ad
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
  moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..683269a
--- a/testing/tests/ikev2/host2host-transport/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 36a8423..f16a8d8
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
  moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 5a286c8..52d886d
--- a/testing/tests/ikev2/host2host-transport/test.conf
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -6,7 +6,7 @@
  # All guest instances that are required for this test
  #
  VIRTHOSTS="moon winnetou sun"
- 
+
  # Corresponding block diagram
  #
  DIAGRAM="m-w-s.png"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf

deleted file mode 100644 (file)

index 11423f7..0000000
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 7bc4ef3..f003db1
--- a/testing/tests/ikev2/ip-pool-db/description.txt
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -1,10 +1,11 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
-addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> assigns virtual IP addresses from a pool named <b>bigpool</b> that was created in
+an SQL database by the command
  <b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
  <p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+The updown script automatically inserts iptables-based firewall rules that let pass the
  tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
  <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
-virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+virtual IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 925e9a1..5133e42
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -1,38 +1,23 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
  carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
  carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
  carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
  dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
  dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
  dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 0fbefa3..886b31f
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..886b31f
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
  }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c224059..31cf56d
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
  
    plugins {
      attr-sql {
@@ -12,4 +16,5 @@ charon {
  
  pool {
    load = sqlite
+  database = sqlite:///etc/db.d/ipsec.db
  }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bef86d7
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = big_pool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 37436a3..b18231a
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,11 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del big_pool 2> /dev/null
  moon::ipsec pool --del dns 2> /dev/null
  moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c422045..448aa26
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,17 +1,17 @@
  moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
  moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
  moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
  moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 31820ea..5554b46
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which databases are used
  #
  DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-pool/description.txt b/testing/tests/ikev2/ip-pool/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index fc3f8c6..7c866ba
--- a/testing/tests/ikev2/ip-pool/description.txt
+++ b/testing/tests/ikev2/ip-pool/description.txt
@@ -1,10 +1,10 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order. 
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> assigns virtual IP addresses from a simple pool defined in the pools section
+of swanctl.conf in a monotonously increasing order.
+<p/>
+The updown script automatically inserts iptables-based firewall rules that let pass
  the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
  the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+pings will be the virtual IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 7de5903..36ab6c1
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -1,30 +1,17 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..ad4c18e
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b757d8b..eb21008
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools-db/description.txt b/testing/tests/ikev2/ip-two-pools-db/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 188b434..4bad7b1
--- a/testing/tests/ikev2/ip-two-pools-db/description.txt
+++ b/testing/tests/ikev2/ip-two-pools-db/description.txt
@@ -1,14 +1,14 @@
  The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
-to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b> 
-with the <b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual
-IP addresses from a pool named <b>extpool</b> [10.3.0.1..10.3.1.244] to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a pool named <b>intpool</b>
-[10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
+from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
+[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
+IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
+the <b>eth1</b> (PH_IP_MOON1) interface.
  Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
  respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
  respectively.
-<p> 
-By defining the composite IPsec SA: <b>rightsubnet=10.3.0.0/16,10.4.0.0/16</b>, each of the four
+<p>
+By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
  spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
  demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
  of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index cf7ce20..16dc236
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -1,19 +1,3 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
  moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
  moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
  moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
@@ -32,6 +16,14 @@ alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
  dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
  alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
  dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
  alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
  alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
  dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..f021e9c
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
  }
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index f0b74a7..f021e9c
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
  }
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..f021e9c
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
  }
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1664d55..fba531a
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
  
    plugins {
      attr-sql {
@@ -12,4 +16,5 @@ charon {
  
  pool {
    load = sqlite
-}
+  database = sqlite:///etc/db.d/ipsec.db
+}
+\ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 729db45..f021e9c
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
  }
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index dd4abeb..526a132
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -1,13 +1,13 @@
-alice::ipsec stop
-venus::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-alice::iptables-restore < /etc/iptables.flush
-venus::iptables-restore < /etc/iptables.flush
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
  moon::ip route del 10.3.0.0/16 via PH_IP_MOON
  moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
  moon::ipsec pool --del extpool 2> /dev/null
@@ -15,3 +15,4 @@ moon::ipsec pool --del intpool 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
  moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 927de7d..bddc456
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,23 +8,23 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
  moon::ipsec pool --statusattr 2> /dev/null
  moon::ip route add 10.3.0.0/16 via PH_IP_MOON
  moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::iptables-restore < /etc/iptables.rules
-venus::iptables-restore < /etc/iptables.rules
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-alice::ipsec start
-venus::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
  moon::expect-connection int
  moon::expect-connection ext
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
  alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
  venus::expect-connection home
-venus::ipsec up home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 167c75d..9394e02
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="alice venus moon carol dave"
  # Guest instances on which databases are used
  #
  DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools/description.txt b/testing/tests/ikev2/ip-two-pools/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 45b84f1..df9f54a
--- a/testing/tests/ikev2/ip-two-pools/description.txt
+++ b/testing/tests/ikev2/ip-two-pools/description.txt
@@ -1,9 +1,9 @@
  The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
-by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from  <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
+connecting to the <b>eth1</b> (10.1.0.1) interface.
  <p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
  both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b620538..cb3b60f
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -1,21 +1,17 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
  alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
  carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
  alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
  carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 952df5e..ad4c18e
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e4b0436..f0a8f0f
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,6 +1,8 @@
-alice::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+alice::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 8fb8dfb..fb6cb52
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,12 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  alice::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-alice::ipsec start
-moon::expect-connection int
-moon::expect-connection ext
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1ed3473..5f67b7e
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -5,7 +5,7 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
  
  # Corresponding block diagram
  #
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="alice carol"
+TCPDUMPHOSTS="carol alice"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
-IPSECHOSTS="alice moon carol"
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat

index db17d1e7720688a68a1035bd2bd9cda458dbf570..a520e5c2cbd6788f592cdec392b09caf6ef95175 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -4,18 +4,17 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with R
  carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
  moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
  dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
  dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
  moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
  moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
  dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default

index 2968646e54f8b8bb835919bb0c977a190e3f58e2..51b64a74b38ed4c4fb93a5e084029e4e7495ae47 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,8 @@ authorize {
    preprocess
    chap
    mschap
-  suffix
    files
+  suffix
    update reply {
      EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
      EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
@@ -19,6 +19,7 @@ authorize {
      ok = return
    }
    unix
+  files
    expiration
    logintime
    pap
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index df44407..0000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftfirewall=yes
-       leftauth=pubkey
-       leftid=carol@strongswan.org
-       leftcert=carolCert.pem
-       leftauth2=eap
-       leftid2=228060123456001@strongswan.org
-       eap_identity=228060123456001
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 6a2aea8..0000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf

index 5615f44910f66831892c5397e914daf3ba5b7eb1..54b79b35d0df88a0f4edd3613c88761e75d1049b 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
  }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 01fb6b0..0000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftfirewall=yes
-       leftauth=pubkey
-       leftid=dave@strongswan.org
-       leftcert=daveCert.pem
-       leftauth2=eap
-       leftid2=228060123456002@strongswan.org
-       eap_identity=228060123456002
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 9031f32..0000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf

index 51614f7163eff75ed329d582d27c2fe2aa253444..54b79b35d0df88a0f4edd3613c88761e75d1049b 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
  }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 8dc0dae..0000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-mult
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       leftauth=pubkey
-       leftid=@moon.strongswan.org
-       leftcert=moonCert.pem
-       right=%any
-       rightauth=pubkey
-       rightid=*@strongswan.org
-       rightauth2=eap-radius
-       eap_identity=%any
-       auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf

index aab6993ceb47bb3e62bcd06202ab18280e6a4ed6..b18ba6809299af590f0621d9c3283e30b5930613 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
  
    plugins {
      eap-radius {
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat

index 4069be9cec80f95016248b092edfa5817b2e87a5..b517a1adf3244f206da471d1dcac826592441fab 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat

index f3fdfe6fff8f61aa936c81656602072bdb0b1d9f..125ee22f9d6d49949b0148e141f25d2624719c94 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,11 @@
  carol::cat /etc/ipsec.d/triplets.dat
  dave::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-mult
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf

index 42d23a50bb5d79ce79b974f1fafd7091e94f3dbe..678115012812c4c1f1fb9cc4d26e67dd8a1f7a8f 100644 (file)
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -23,3 +23,8 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which FreeRadius is started
  #
  RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
+
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat

deleted file mode 100644 (file)

index 03426ac..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 7f04580..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn alice
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 9306bf9..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn venus
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 776b5a5..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=PH_IP_CAROL
-       rightid=carol@strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       auto=add
-       
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=PH_IP_DAVE
-       rightid=dave@strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat

deleted file mode 100644 (file)

index 24cd041..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat

deleted file mode 100644 (file)

index dc6991d..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::expect-connection alice
-dave::expect-connection venus
-moon::expect-connection alice
-moon::expect-connection venus
-moon::ipsec up alice
-moon::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt

deleted file mode 100644 (file)

index 06f9f6b..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
-<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
-the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat

deleted file mode 100644 (file)

index dcd2717..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 5ee8ba0..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 391bc91..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 565d0d8..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       auto=add
-       
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat

deleted file mode 100644 (file)

index 24cd041..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat

deleted file mode 100644 (file)

index 95ca1e5..0000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat

deleted file mode 100644 (file)

index 49271bd..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon:: cat /var/log/daemon.log::selected peer config.*alice.*unacceptable::YES
-moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*moon.strongswan.org.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 9b28c50..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-        cacert=strongswanCert.pem
-        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
-        auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index fa36317..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 082c2f2..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index fa36317..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index deae852..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-ca research
-        cacert=researchCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-ca sales
-        cacert=salesCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList"
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules

deleted file mode 100644 (file)

index debcc21..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow ldap crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 2881b73..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat

deleted file mode 100644 (file)

index 6f0ec4b..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-winnetou::/etc/init.d/slapd stop
-moon::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat

deleted file mode 100644 (file)

index 815d7be..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-winnetou::/etc/init.d/slapd start
-moon::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat

deleted file mode 100644 (file)

index 85bbe4a..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
-carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 991daaf..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 7721b23..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat b/testing/tests/ikev2/multi-level-ca-loop/posttest.dat

deleted file mode 100644 (file)

index 076f51f..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat

deleted file mode 100644 (file)

index b71c416..0000000
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::ipsec start
-moon::ipsec start
-moon::expect-connection alice
-carol::expect-connection alice
-carol::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat

deleted file mode 100644 (file)

index 913e8f4..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
-carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::duck.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e839862..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
-
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3038f52..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp constraints x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 4d1286f..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn duck 
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 0b6834b..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation constraints hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat

deleted file mode 100644 (file)

index f84b7e3..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat

deleted file mode 100644 (file)

index a063a24..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-moon::expect-connection duck
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf

deleted file mode 100644 (file)

index 5879643..0000000
--- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat

deleted file mode 100644 (file)

index 008ff2c..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon:: cat /var/log/daemon.log::certificate was revoked::YES
-carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e6bd872..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e2c8df2..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat

deleted file mode 100644 (file)

index f84b7e3..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat

deleted file mode 100644 (file)

index 1d847c0..0000000
--- a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection alice
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat b/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat

deleted file mode 100644 (file)

index 5d445c2..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e6bd872..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e2c8df2..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat b/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat

deleted file mode 100644 (file)

index f84b7e3..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat b/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat

deleted file mode 100644 (file)

index 1d847c0..0000000
--- a/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection alice
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt

deleted file mode 100644 (file)

index 6467d52..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced
-on all peers.
-The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
-<b>venus</b> to anyone presenting a certificate belonging to a trust
-chain anchored in the strongSwan Root CA. Therefore both road warriors
-<b>carol</b> and <b>dave</b>, holding certificates from the Research CA
-and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat

deleted file mode 100644 (file)

index 90ee6a7..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 611f259..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index abe0f3a..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index c58de46..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/posttest.dat b/testing/tests/ikev2/multi-level-ca-strict/posttest.dat

deleted file mode 100644 (file)

index 1646d5e..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat

deleted file mode 100644 (file)

index 91ade79..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/multi-level-ca-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat

deleted file mode 100644 (file)

index 10da97f..0000000
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon:: cat /var/log/daemon.log::selected peer config.*alice.*unacceptable::YES
-moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 909118f..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-       
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 9577746..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftsendcert=ifasked
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-       
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a607a0d..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat

deleted file mode 100644 (file)

index 0f3f1ff..0000000
--- a/testing/tests/ikev2/multi-level-ca/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat

deleted file mode 100644 (file)

index 91ade79..0000000
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/multi-level-ca/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt

index 9bef3cd1865fc1463bceba476226d25c23e038bf..7754c7f395fa0772ee68c8b863d76aca2121df33 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
@@ -2,6 +2,7 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>
  tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
  Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
  <p/>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
  ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat

index fbcb631ff09b304563577e58590dab539ff5a1ea..cd171e8c90914c16fbc9ea1f0d81d8ff5cd29dd2 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -1,9 +1,14 @@
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
-sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf

index f6cb39c781248f6fbf3a504fe874cb6e2800e6d0..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
  }
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf

index f6cb39c781248f6fbf3a504fe874cb6e2800e6d0..7625e5066e971524e52ab4f1cd707b7258b63116 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf

index f6cb39c781248f6fbf3a504fe874cb6e2800e6d0..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
  }
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat

index bc7d2377107607c7beee6e0dc4d2d21556278cec..5f390cd62cde61669d9e4fd519b6bfc8c03273ca 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -1,6 +1,6 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  venus::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat

index 1798d27b5a47df5d188b8b9656e5351daad74e91..105c42fa529a429d5a68a45e66a1342ef9667f67 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -1,16 +1,16 @@
  alice::iptables-restore < /etc/iptables.rules
  venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
  sun::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
  venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf

index f515d4bc7320398fc86e982ecd05e676e602c262..ecc95b837581aaf93af77826f00a6a4fba9bbbd1 100644 (file)
--- a/testing/tests/ikev2/nat-rw-psk/test.conf
+++ b/testing/tests/ikev2/nat-rw-psk/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt

index 58b28bad292413a90b79ba96c1813799b3848d91..1ee91b74ddafbeb66f1a910332fb9253eb1f359e 100644 (file)
--- a/testing/tests/ikev2/nat-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
@@ -2,6 +2,7 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>
  tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
  Authentication is based on X.509 certificates.
  <p/>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
  ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat

index 2d265b0d1338df138039d173014eef62b5cec04b..ae6aaed337dc72de9fb6c9c5e9465345637e5d8e 100644 (file)
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -1,16 +1,12 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  moon:: sleep 6::no output expected::NO
  bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..7625e5066e971524e52ab4f1cd707b7258b63116 100644 (file)
--- a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..fd9bf8c7cc7c54d4656f0657b147acaa6a1309fa 100644 (file)
--- a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
  charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat

index bc7d2377107607c7beee6e0dc4d2d21556278cec..5f390cd62cde61669d9e4fd519b6bfc8c03273ca 100644 (file)
--- a/testing/tests/ikev2/nat-rw/posttest.dat
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -1,6 +1,6 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
  alice::iptables-restore < /etc/iptables.flush
  venus::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat

index 36d23b5704d593683a62caf30834163525d9ea02..a1f1cffea79e137c336077445409df93fa26e574 100644 (file)
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -3,11 +3,11 @@ venus::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
  sun::expect-connection nat-t
  alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
  venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf

index f515d4bc7320398fc86e982ecd05e676e602c262..ecc95b837581aaf93af77826f00a6a4fba9bbbd1 100644 (file)
--- a/testing/tests/ikev2/nat-rw/test.conf
+++ b/testing/tests/ikev2/nat-rw/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/nat-virtual-ip/description.txt b/testing/tests/ikev2/nat-virtual-ip/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 31d24cd..3d13a29
--- a/testing/tests/ikev2/nat-virtual-ip/description.txt
+++ b/testing/tests/ikev2/nat-virtual-ip/description.txt
@@ -1,6 +1,6 @@
  The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
  to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
-virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
-specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
-which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
-This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
+virtual IP address to router <b>moon</b>. A special <b>nat_updown</b> script on <b>moon</b>
+dynamically inserts a source NAT rule which maps the IP address of client <b>alice</b> to
+the virtual IP of <b>moon</b>. This allows <b>alice</b> to access client <b>bob</b> via the
+established IPsec tunnel.
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index d4910ea..f84d422
--- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -1,5 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.4.0.1/32]::YES
  moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 46fc364..0000000
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsourceip=%config
-       leftupdown=/etc/nat_updown
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..14cba87
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            remote_ts = 10.2.0.0/16
+
+            updown = /etc/nat_updown
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 1d7ba47..0000000
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsourceip=10.4.0.0/24
-       auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..addc7f1
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.4.0.0/24
+   }
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b9fbde7..131a3c2
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
  moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 08ca6b5..2d3c8c1
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f46f137..6fc0281
--- a/testing/tests/ikev2/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
- 
+
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun bob"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun bob"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ah/description.txt b/testing/tests/ikev2/net2net-ah/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 7816aa2..18626d0
--- a/testing/tests/ikev2/net2net-ah/description.txt
+++ b/testing/tests/ikev2/net2net-ah/description.txt
@@ -1,7 +1,9 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>ah=sha256-sha384!</b> gateway <b>moon</b> proposes the use of <b>AH</b>.
-Gateway <b>sun</b> selects SHA2_256_128 for integrity protection with its <b>ah=sha256!</b>
-configuration.
+The authentication is based on <b>X.509 certificates</b>. With <b>ah=sha256-sha384</b>
+gateway <b>moon</b> proposes the use of <b>AH</b>. Gateway <b>sun</b> selects HMAC_SHA2_256_128
+for integrity protection with its <b>ah=sha256</b> configuration.
  <p/>
-Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
-gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ah/evaltest.dat b/testing/tests/ikev2/net2net-ah/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 69a7165..bc4305e
--- a/testing/tests/ikev2/net2net-ah/evaltest.dat
+++ b/testing/tests/ikev2/net2net-ah/evaltest.dat
@@ -1,11 +1,5 @@
-sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_SHA2_256_128/HMAC_SHA2_384_192/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
-moon::ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
-sun:: ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e8eaa48..0000000
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       keyexchange=ikev2
-       ike=aes128-sha256-modp3072!
-       ah=sha256-sha384!
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..32a7697
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4e94ee3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256-sha384
+
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 95e90fd..0000000
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       keyexchange=ikev2
-       ike=aes128-sha256-modp3072!
-       ah=sha256!
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..32a7697
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ab4b369
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            ah_proposals = sha256
+        }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/ikev2/net2net-ah/posttest.dat b/testing/tests/ikev2/net2net-ah/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev2/net2net-ah/posttest.dat
+++ b/testing/tests/ikev2/net2net-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev2/net2net-ah/pretest.dat
+++ b/testing/tests/ikev2/net2net-ah/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-ah/test.conf b/testing/tests/ikev2/net2net-ah/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev2/net2net-ah/test.conf
+++ b/testing/tests/ikev2/net2net-ah/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-cert/description.txt b/testing/tests/ikev2/net2net-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 7eea919..b00bf17
--- a/testing/tests/ikev2/net2net-cert/description.txt
+++ b/testing/tests/ikev2/net2net-cert/description.txt
@@ -1,6 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>X.509 certificates</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index fe4aa5a..4c56d52
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 2cb7f03..ad4c18e
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  signature_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 2cb7f03..ad4c18e
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  signature_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..cc6a5bf
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-childless/description.txt b/testing/tests/ikev2/net2net-childless/description.txt

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/description.txt

rename to testing/tests/ikev2/net2net-childless/description.txt
diff --git a/testing/tests/swanctl/net2net-childless/evaltest.dat b/testing/tests/ikev2/net2net-childless/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/evaltest.dat

rename to testing/tests/ikev2/net2net-childless/evaltest.dat
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-childless/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/posttest.dat

rename to testing/tests/ikev2/net2net-childless/posttest.dat
diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-childless/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/pretest.dat

rename to testing/tests/ikev2/net2net-childless/pretest.dat
diff --git a/testing/tests/swanctl/net2net-childless/test.conf b/testing/tests/ikev2/net2net-childless/test.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/test.conf

rename to testing/tests/ikev2/net2net-childless/test.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 9893359..d3d348b
--- a/testing/tests/ikev2/net2net-dnssec/description.txt
+++ b/testing/tests/ikev2/net2net-dnssec/description.txt
@@ -2,7 +2,7 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
  The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
  resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index f5a1a5d..46ad0df
--- a/testing/tests/ikev2/net2net-dnssec/evaltest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
@@ -1,9 +1,7 @@
  moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
  sun::  cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a779943..0000000
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftid=moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftsigkey=moonPub.pem
-       leftauth=pubkey
-       leftfirewall=yes
-       right=sun.strongswan.org
-       rightid=sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index d4c8c55..82a86a5
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,15 +1,19 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
  
    plugins {
      ipseckey {
        enable = yes
      }
      unbound {
-      # trust_anchors = /etc/ipsec.d/dnssec.keys
-      # resolv_conf = /etc/resolv.conf
+      trust_anchors = /etc/swanctl/dnssec.keys
+      resolv_conf = /etc/resolv.conf
      }
    }
  }
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..fcbb025
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         pubkeys = moonPub.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 06704e6..0000000
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftid=sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftsigkey=sunPub.pem
-       leftauth=pubkey
-       leftfirewall=yes
-       right=moon.strongswan.org
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index d4c8c55..82a86a5
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -1,15 +1,19 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
  
    plugins {
      ipseckey {
        enable = yes
      }
      unbound {
-      # trust_anchors = /etc/ipsec.d/dnssec.keys
-      # resolv_conf = /etc/resolv.conf
+      trust_anchors = /etc/swanctl/dnssec.keys
+      resolv_conf = /etc/resolv.conf
      }
    }
  }
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..e8aaaa4
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         pubkeys = sunPub.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c594c4d..3eb4ac1
--- a/testing/tests/ikev2/net2net-dnssec/posttest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat
@@ -1,8 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::cd /etc/swanctl; rm dnssec.keys pubkey/*
+sun::cd /etc/swanctl; rm dnssec.keys pubkey/*
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/resolv.conf
-sun::rm /etc/resolv.conf
-moon::rm /etc/ipsec.d/dnssec.keys
-sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c7e2c61..9e143f0
--- a/testing/tests/ikev2/net2net-dnssec/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -1,9 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+sun::cd /etc/swanctl; rm x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev2/net2net-dnssec/test.conf
+++ b/testing/tests/ikev2/net2net-dnssec/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ed25519/description.txt b/testing/tests/ikev2/net2net-ed25519/description.txt

old mode 100644 (file)

new mode 100755 (executable)
diff --git a/testing/tests/ikev2/net2net-ed25519/evaltest.dat b/testing/tests/ikev2/net2net-ed25519/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index cb29fa6..ebbb8ae
--- a/testing/tests/ikev2/net2net-ed25519/evaltest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/evaltest.dat
@@ -1,9 +1,7 @@
  moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
  sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e85ec33..0000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_MOON
-       leftauth=pubkey
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightauth=pubkey
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index 54790b6..0000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PKCS8 moonKey.pem
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 021f78e..a35aea0
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index cfe9955..0000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_SUN
-       leftauth=pubkey
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightauth=pubkey
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets

deleted file mode 100644 (file)

index e3850f0..0000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PKCS8 sunKey.pem
-
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 021f78e..a35aea0
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-ed25519/posttest.dat b/testing/tests/ikev2/net2net-ed25519/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..321fd34
--- a/testing/tests/ikev2/net2net-ed25519/posttest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/ikev2/net2net-ed25519/pretest.dat b/testing/tests/ikev2/net2net-ed25519/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..1ab4f5f
--- a/testing/tests/ikev2/net2net-ed25519/pretest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/pretest.dat
@@ -1,7 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-ed25519/test.conf b/testing/tests/ikev2/net2net-ed25519/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-ed25519/test.conf
+++ b/testing/tests/ikev2/net2net-ed25519/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-esn/description.txt b/testing/tests/ikev2/net2net-esn/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index c9da682..35c8ba8
--- a/testing/tests/ikev2/net2net-esn/description.txt
+++ b/testing/tests/ikev2/net2net-esn/description.txt
@@ -1,7 +1,10 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>esp=aes128-sha256-esn-noesn!</b> gateway <b>moon</b> proposes the use of
+With <b>esp=aes128gcm128-esn-noesn-x25519</b> gateway <b>moon</b> proposes the use of
  <b>Extended Sequence Numbers</b> but can also live without them. Gateway <b>sun</b>
-defines <b>esp=aes128-sha256-esn!</b> and thus decides on the use of ESN.
+defines <b>esp=aes128gcm128-esn-x25519</b> and thus decides on the use of ESN.
+The authentication is based on <b>X.509 certificates</b>.
  <p/>
-Upon the successful establishment of the CHILD SA with ESN, client <b>alice</b> behind
-gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b> 10 times.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 534ace9..1cf59f7
--- a/testing/tests/ikev2/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -1,16 +1,7 @@
-sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 esn=1.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 esn=1.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  sun::  ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
  moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
  alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 71f5442..0000000
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-modp3072!
-       esp=aes128-sha256-esn-noesn!
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..ad4c18e
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..de7927e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-esn-noesn-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 9e0df81..0000000
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-modp3072!
-       esp=aes128-sha256-esn!
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index ca7ff4f..ad4c18e
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,12 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  syslog {
-    daemon {
-      cfg = 2
-      knl = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..0278fc9
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-esn-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..cc6a5bf
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index bcc2cb0..2d3c8c1
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat

deleted file mode 100644 (file)

index 0ec8acc..0000000
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
-sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 3 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 2 fragments::YES
-moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
-moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembled fragmented IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #1 of 3, waiting for complete IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #2 of 3, waiting for complete IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #3 of 3, reassembled fragmented IKE message::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index bb0b2b0..0000000
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       fragmentation=yes
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 855bb44..0000000
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       fragmentation=yes
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/swanctl/net2net-gw/description.txt b/testing/tests/ikev2/net2net-gw/description.txt

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/description.txt

rename to testing/tests/ikev2/net2net-gw/description.txt
diff --git a/testing/tests/swanctl/net2net-gw/evaltest.dat b/testing/tests/ikev2/net2net-gw/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/evaltest.dat

rename to testing/tests/ikev2/net2net-gw/evaltest.dat
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/net2net-gw/posttest.dat b/testing/tests/ikev2/net2net-gw/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/posttest.dat

rename to testing/tests/ikev2/net2net-gw/posttest.dat
diff --git a/testing/tests/swanctl/net2net-gw/pretest.dat b/testing/tests/ikev2/net2net-gw/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/pretest.dat

rename to testing/tests/ikev2/net2net-gw/pretest.dat
diff --git a/testing/tests/swanctl/net2net-gw/test.conf b/testing/tests/ikev2/net2net-gw/test.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-gw/test.conf

rename to testing/tests/ikev2/net2net-gw/test.conf
diff --git a/testing/tests/ikev2/net2net-multicast/evaltest.dat b/testing/tests/ikev2/net2net-multicast/evaltest.dat

index 7649abc5b8754718aad41f832300bf6c5c58c497..6efa23a00b2a6c23e152faca85099f447bdba2a1 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/evaltest.dat
+++ b/testing/tests/ikev2/net2net-multicast/evaltest.dat
@@ -1,11 +1,9 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
  alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
  bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
  moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
  sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
  alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf

index 904a5fa6eead003206632123adef745ac7a900be..812c12bf94a2cdcc29f2a084d84fef8fc247e2a8 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,14 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
  
    multiple_authentication = no
+
    plugins {
      forecast {
        groups = 224.0.0.251
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf

index 904a5fa6eead003206632123adef745ac7a900be..1c5da7b88bc5c0b46fb01071d41e4f0a8dab07e9 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,9 +1,10 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
  
    multiple_authentication = no
+
    plugins {
      forecast {
        groups = 224.0.0.251
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-multicast/posttest.dat b/testing/tests/ikev2/net2net-multicast/posttest.dat

index dff181797ed34316c7027bc274eac1ae765e305f..e28c8d48918f5107d92860942c3664de99e347d5 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/posttest.dat
+++ b/testing/tests/ikev2/net2net-multicast/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
diff --git a/testing/tests/ikev2/net2net-multicast/pretest.dat b/testing/tests/ikev2/net2net-multicast/pretest.dat

index e777dba060d9b1467a493550091c7cf064b058bc..b323c5e22e4848374eca0718f6ae36229ba1e008 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/pretest.dat
+++ b/testing/tests/ikev2/net2net-multicast/pretest.dat
@@ -1,7 +1,7 @@
  moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
  sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-multicast/test.conf b/testing/tests/ikev2/net2net-multicast/test.conf

index 48597379a03dc2b823d03040561aab77767486cb..579978772d375c9f34f8a6a3f3436734b12b1147 100644 (file)
--- a/testing/tests/ikev2/net2net-multicast/test.conf
+++ b/testing/tests/ikev2/net2net-multicast/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice sun bob"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ntru-cert/description.txt b/testing/tests/ikev2/net2net-ntru-cert/description.txt

deleted file mode 100644 (file)

index 638a671..0000000
--- a/testing/tests/ikev2/net2net-ntru-cert/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The key exchange is based on NTRU encryption with a security strength of 256 bits.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f29a8b2..0000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha512-ntru256!
-       esp=aes256-sha512!
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a7098f..0000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
-
-  multiple_authentication = no
-  send_vendor_id = yes
-
-  syslog {
-    daemon {
-      ike = 4
-      lib = 4
-    }
-  }
-  plugins {
-    ntru {
-      parameter_set = optimum
-    }
-  }
-}
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 76fbc80..0000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha512-ntru256!
-       esp=aes256-sha512!
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 8386ed2..0000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-  send_vendor_id = yes
-  syslog {
-    daemon {
-      ike = 4
-      lib = 4
-    }
-  }
-}
diff --git a/testing/tests/ikev2/net2net-pkcs12/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index e66ea19..b00bf17
--- a/testing/tests/ikev2/net2net-pkcs12/description.txt
+++ b/testing/tests/ikev2/net2net-pkcs12/description.txt
@@ -1,8 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
-<b>PKCS12</b> format.
+The authentication is based on <b>X.509 certificates</b>.
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index fe4aa5a..4c56d52
--- a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 0296e18..0000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_MOON
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=10.2.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index 802cfc6..0000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 4494dae..d165857
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs12 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..082b730
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   pkcs12-moon {
+      file = moonCert.p12
+      secret = "kUqd8O7mzbjXNJKQ"
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 6dcedd0..0000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-        keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net 
-       left=PH_IP_SUN
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets

deleted file mode 100644 (file)

index 3dc8552..0000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
-
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 4494dae..d165857
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs12 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..ba0cf38
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   pkcs12-sun {
+      file = sunCert.p12
+      secret = "IxjQVCF3JGI+MoPi"
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 0fbba48..0b8cb38
--- a/testing/tests/ikev2/net2net-pkcs12/posttest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
@@ -1,6 +1,7 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::rm /etc/swanctl/pkcs12/*
+sun::rm /etc/swanctl/pkcs12/*
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonCert.p12
-sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 3f3f7d1..e935b95
--- a/testing/tests/ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -1,11 +1,9 @@
-moon::rm /etc/ipsec.d/private/moonKey.pem
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-sun::rm /etc/ipsec.d/private/sunKey.pem
-sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-pkcs12/test.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-psk-fail/description.txt b/testing/tests/ikev2/net2net-psk-fail/description.txt

old mode 100644 (file)

new mode 100755 (executable)
diff --git a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 3f50928..b538964
--- a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
@@ -1,6 +1,4 @@
  sun:: cat /var/log/daemon.log::tried 1 shared key for.*sun.strongswan.org.*moon.strongswan.org.*but MAC mismatched::YES
  moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index 38ebf96..0000000
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,4 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
-
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c6afd9a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike {
+      id-1 = moon.strongswan.org
+      id-2 = sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
+   }
+}
+\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets

deleted file mode 100644 (file)

index be95c4d..0000000
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6fe9877
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike {
+      id-1 = moon.strongswan.org
+      id-2 =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..82a2de1
--- a/testing/tests/ikev2/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c7e2c61..e935b95
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -1,9 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index eb4822b..07a3b24
--- a/testing/tests/ikev2/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -5,17 +5,21 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="moon winnetou sun"
+VIRTHOSTS="alice moon winnetou sun bob"
  
  # Corresponding block diagram
  #
-DIAGRAM="m-w-s.png"
-
+DIAGRAM="a-m-w-s-b.png"
+ 
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 07320d7..e064a99
--- a/testing/tests/ikev2/net2net-psk/description.txt
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -1,7 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>Preshared Keys</b> (PSK).
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index fe4aa5a..4c56d52
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f495194..0000000
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       authby=secret
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightsubnet=10.2.0.0/16
-       rightid=@sun.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 26f16ac..0000000
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       authby=secret
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftsubnet=10.2.0.0/16
-       leftid=@sun.strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets

deleted file mode 100644 (file)

index be95c4d..0000000
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1188d68..ad4c18e
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c7e2c61..e935b95
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,9 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index afa2acc..07a3b24
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-pubkey/description.txt b/testing/tests/ikev2/net2net-pubkey/description.txt

index 1cb90f13fe62225031a39c9a32d1f9c5ced4f346..d05306e4639a099cf53780d88c4d87d070298652 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/description.txt
+++ b/testing/tests/ikev2/net2net-pubkey/description.txt
@@ -1,7 +1,7 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>raw RSA keys</b> loaded in PKCS#1 format.
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat

index d39cb07ccd3f12cb72ce331d5bde00e91120d1c5..b5398044ebd2cf76fa99e33e9087d30a7bb44a9e 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 7c8346b..0000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       
-conn net-net
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=@moon.strongswan.org
-       leftsigkey=moonPub.pem
-       leftauth=pubkey
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightsubnet=10.2.0.0/16
-       rightid=@sun.strongswan.org
-       rightsigkey=sunPub.pem
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf

index 4cc2e21c6452bcb4662f084d48a132623dee899c..29e75f7b8cd7fd1c7fe32a2f012b18a62fa48534 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
+charon-systemd {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
  }
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index e94022f..0000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       
-conn net-net
-       left=PH_IP_SUN
-       leftsubnet=10.2.0.0/16
-       leftid=@sun.strongswan.org
-       leftsigkey=sunPub.pem
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       rightsigkey=moonPub.pem
-       auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf

index 4cc2e21c6452bcb4662f084d48a132623dee899c..29e75f7b8cd7fd1c7fe32a2f012b18a62fa48534 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
+charon-systemd {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
  }
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat

index 675b029763075564a898a3def064d9640295e68d..468caf3e60e19ce00468649a732333c6464d912e 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/posttest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -1,8 +1,7 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonKey.der
-sun::rm /etc/ipsec.d/private/sunKey.der
-moon::rm /etc/ipsec.d/certs/*.der
-sun::rm /etc/ipsec.d/certs/*.der
+moon::rm /etc/swanctl/pubkey/*
+sun::rm /etc/swanctl/pubkey/*
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat

index 969c42337c64727a41521c2171f9a8469a233dd8..fcd4335475f53ab93853e307a083023fae58fea4 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/pretest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -1,9 +1,9 @@
-moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::iptables-restore < /etc/iptables.rules
+sun::cd /etc/swanctl; rm x509/* x509ca/*
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf

index afa2accbec475802093d715cc101f9e8399c8758..07a3b247a109aab35d98ae8048598cc3fdee57a4 100644 (file)
--- a/testing/tests/ikev2/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
  # Corresponding block diagram
  #
  DIAGRAM="a-m-w-s-b.png"
-
+ 
  # Guest instances on which tcpdump is to be started
  #
  TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-rfc3779/description.txt b/testing/tests/ikev2/net2net-rfc3779/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 1e56ce6..778d139
--- a/testing/tests/ikev2/net2net-rfc3779/description.txt
+++ b/testing/tests/ikev2/net2net-rfc3779/description.txt
@@ -1,11 +1,11 @@
  A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
  The authentication is based on <b>X.509 certificates</b> containing <b>RFC 3779 IP address
-block constraints</b>. Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=0.0.0.0/0</b> thus
+block constraints</b>. Both <b>moon</b> and <b>sun</b> set <b>remote_ts = 0.0.0.0/0</b> thus
  allowing the peers to narrow down the address range to their actual subnets <b>10.1.0.0/16</b>
  and <b>10.2.0.0/16</b>, respectively. These unilaterally proposed traffic selectors must be
  validated by corresponding IP address block constraints.
  <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
  inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
  pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ae970ba..42adb2e
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,13 +1,13 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
  moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
-moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
  sun::  cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
-sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
  moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
  sun::  cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index ec7d9a7..0000000
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=0.0.0.0/0
-       auto=add
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c9a56d7..b8a665a
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
    syslog {
      daemon {
        cfg = 2
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index cc86ebc..0000000
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=0.0.0.0/0
-       auto=add
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c9a56d7..b8a665a
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,8 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
    syslog {
      daemon {
        cfg = 2
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 837738f..cc6a5bf
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 16eb9a6..2d3c8c1
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 323f095..20640ef
--- a/testing/tests/ikev2/net2net-route/description.txt
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -5,5 +5,5 @@ A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
  <b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
  leads to the automatic establishment of the subnet-to-subnet tunnel.
  <p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+The updown script automatically inserts iptables-based firewall rules
  that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 3b247fd..5a95371
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -1,8 +1,7 @@
-moon:: cat /var/log/daemon.log::creating acquire job::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..61d2bd9
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 57dc45f..5b2546f
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
  alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt b/testing/tests/ikev2/net2net-sha3-rsa-cert/description.txt

similarity index 100%

rename from testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/description.txt
diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/evaltest.dat

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/evaltest.dat
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..bcc2742
--- /dev/null
+++ b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..12cee0f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/net2net-childless/posttest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/posttest.dat

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/posttest.dat
diff --git a/testing/tests/swanctl/net2net-childless/pretest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/net2net-childless/pretest.dat

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/pretest.dat
diff --git a/testing/tests/swanctl/net2net-cert/test.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/test.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-cert/test.conf

rename to testing/tests/ikev2/net2net-sha3-rsa-cert/test.conf
diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index f532068..9c67ed6
--- a/testing/tests/ikev2/net2net-start/description.txt
+++ b/testing/tests/ikev2/net2net-start/description.txt
@@ -2,7 +2,5 @@ A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
  respectively, is automatically established by means of the setting
  <b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
  behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
+gateway <b>sun</b>. The updown script automatically inserts iptables-based
+firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 5c4aa85..4c56d52
--- a/testing/tests/ikev2/net2net-start/evaltest.dat
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
  sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8d89cd0..ad4c18e
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1f7aa73..cc6a5bf
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index b3f3710..77a8e1a
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-moon::sleep 1
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+moon::sleep 0.5
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 646b8b3..07a3b24
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ocsp-disabled/description.txt b/testing/tests/ikev2/ocsp-disabled/description.txt

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/description.txt

rename to testing/tests/ikev2/ocsp-disabled/description.txt
diff --git a/testing/tests/swanctl/ocsp-disabled/evaltest.dat b/testing/tests/ikev2/ocsp-disabled/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/evaltest.dat

rename to testing/tests/ikev2/ocsp-disabled/evaltest.dat
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/ikev2/ocsp-disabled/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/posttest.dat

rename to testing/tests/ikev2/ocsp-disabled/posttest.dat
diff --git a/testing/tests/ikev2/ocsp-disabled/pretest.dat b/testing/tests/ikev2/ocsp-disabled/pretest.dat

new file mode 100644 (file)

index 0000000..87be755
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-disabled/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ocsp-disabled/test.conf b/testing/tests/ikev2/ocsp-disabled/test.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-disabled/test.conf

rename to testing/tests/ikev2/ocsp-disabled/test.conf
diff --git a/testing/tests/ikev2/ocsp-local-cert/description.txt b/testing/tests/ikev2/ocsp-local-cert/description.txt

index 61f7d995718504866591615b58db8e4bb29d7f38..a54bc67764a020d64c656c357fd26b15beeb6171 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-local-cert/description.txt
@@ -1,8 +1,8 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which possesses a <b>self-signed</b>
-OCSP signer certificate that must be imported locally by the peers into 
-<b>/etc/ipsec.d/ocspcerts/</b>.  A strongswan <b>ca</b> section in ipsec.conf
+OCSP signer certificate that must be imported locally by the peers into the
+<b>/etc/swanctl/x509ocsp/</b> directory.  A strongswan <b>ca</b> section in ipsec.conf
  defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
  <p>
  <b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat

index e931afb7e989b3671eae1df19ae5499762ff3e32..161d6b29e67e05aea5b8b5dccb2fb42d77d10399 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,12 +1,12 @@
-moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
  moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
-moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*OCSP Self-Signed Authority::YES
  moon:: cat /var/log/daemon.log::ocsp response is valid::YES
  moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
  carol::cat /var/log/daemon.log::requesting ocsp status from::YES
-carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by.*OCSP Self-Signed Authority::YES
  carol::cat /var/log/daemon.log::ocsp response is valid::YES
  carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 05e27f6..0000000
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..c7b494ddca5b9a0a2b14098ad9a701ed63059560 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100644 (file)

index 0000000..b3487e6
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e441e66..0000000
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d9c31430be44471da0789f95748bc124e790f1e9 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..39210bd
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/posttest.dat b/testing/tests/ikev2/ocsp-local-cert/posttest.dat

index 0c05c16a1185d53a26573c3cd5d4ea9719d546f8..6e84fa99ec2318fb97ae0757f7c57541a8660d9a 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/ocspcerts/*
-carol::rm /etc/ipsec.d/ocspcerts/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::rm /etc/swanctl/x509ocsp/*
+moon::rm /etc/swanctl/x509ocsp/*
+\ No newline at end of file
diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/ocsp-local-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat

deleted file mode 100644 (file)

index baeccb3..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES
-carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
-dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
-moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
-moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
-carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
-dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
-moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::certificate status is good::YES
-dave:: cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*CN=carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*CN=dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::ESTABLISHED.*CN=carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::ESTABLISHED.*CN=dave@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 4d3aa1c..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-       
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 756d6ec..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-       
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-       
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index ba484eb..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-ca research
-       cacert=researchCert.pem
-       ocspuri=http://ocsp.strongswan.org:8881
-       auto=add
-
-ca sales
-       cacert=salesCert.pem
-       ocspuri=http://ocsp.strongswan.org:8882
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-multi-level/posttest.dat b/testing/tests/ikev2/ocsp-multi-level/posttest.dat

deleted file mode 100644 (file)

index 1646d5e..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat

deleted file mode 100644 (file)

index b660f2d..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-carol::expect-connection alice
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
-\ No newline at end of file
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/ocsp-multi-level/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/description.txt b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt

index 4fa492c1447362a6dd847700a755f36cdbd8d0fb..15c491dad9cd589ca8358671edb15d2fc163c917 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt
@@ -1,4 +1,4 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which is sending a normal host
  certificate not containing an OCSPSigning extended key usage flag. As a consequence
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat

index a6ae74fe36bdaba1569d48afff79e63e88f2338e..bb271f8f5114f4896545578c4af1b0e3c4ea7b42 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
  moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
  moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES
  moon:: cat /var/log/daemon.log::certificate status is not available::YES
  moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
  carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 05e27f6..0000000
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c6a4433
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
+
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e441e66..0000000
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b86e0cf
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,22 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat

index 1af117cf0a190fe17eff91d96dbc3bf9ff855d8d..f9d38be139c1fe7f571bdc15bcb98e8fc6d48e60 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -1,3 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat

index 903d1e9a8d6f9da73614854c9dce066756852c17..25d5b9c296e8fb00cf911040f71a57365d8b136c 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,6 +1,6 @@
  moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-revoked/description.txt b/testing/tests/ikev2/ocsp-revoked/description.txt

index 73d0725492bd4f9e6013190d8a14350065cbdbf6..c0053634997c1d120585e41545adebf7c0cd38f0 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/description.txt
+++ b/testing/tests/ikev2/ocsp-revoked/description.txt
@@ -1,9 +1,9 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
  issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
-extended key usage flag. A strongswan <b>ca</b> section in ipsec.conf defines an
+extended key usage flag. A strongswan <b>authorities</b> section in swanctl.conf defines an
  <b>OCSP URI</b> pointing to <b>winnetou</b>.
  <p>
-<b>carol</b> tries to initiate an IPsec connection to <b>moon</b> but fails 
+<b>carol</b> tries to initiate an IPsec connection to <b>moon</b> but fails
  because <b>carol</b>'s certificate has been <b>revoked</b>.
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat

index 97006c93e08f9c2340d0160178e65b7fc953ebb4..5234b5efc5162d81518461f089e5f6970ffb88e5 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,8 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
  moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
  moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
  moon:: cat /var/log/daemon.log::certificate was revoked on::YES
  moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
  carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 17225d2..0000000
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-
-conn home
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c6a4433
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
+
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e441e66..0000000
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..58f2ee9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-revoked/posttest.dat b/testing/tests/ikev2/ocsp-revoked/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..79ad33de60f3f24a04ca8a0371a182e82bbd90db 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/posttest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..1cf07245b02327d7604a6f19c93846e8c1e15414 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/pretest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/ocsp-revoked/test.conf
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-root-cert/description.txt b/testing/tests/ikev2/ocsp-root-cert/description.txt

index 9574aa5b1590beeee7eaa9427f39630787014e4f..376a4c7e20819966ced5f99a89cc3478f567ac17 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-root-cert/description.txt
@@ -1,8 +1,7 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which uses the <b>strongSwan CA</b>'s
-private key to sign OCSP responses. A <b>strongswan ca</b> section in ipsec.conf
-defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
-<p>
+private key to sign OCSP responses.
+<p/>
  <b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
  the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat

index 0f852d7b1a97acbe8d502550db7ebf66f6e5566e..f054a84c6b5389bbb843dac6e40c61e2d573aee4 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -1,3 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
  moon:: cat /var/log/daemon.log::requesting ocsp status::YES
  moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
  moon:: cat /var/log/daemon.log::ocsp response is valid::YES
@@ -6,5 +8,3 @@ carol::cat /var/log/daemon.log::requesting ocsp status::YES
  carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
  carol::cat /var/log/daemon.log::ocsp response is valid::YES
  carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 05e27f6..0000000
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..ba2c31e550d66f2e4a65e0a9808eab2c6f9ac4ca 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..445c79f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
+
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+          }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e441e66..0000000
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..ba2c31e550d66f2e4a65e0a9808eab2c6f9ac4ca 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..578c05c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+          }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

similarity index 94%

rename from testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi

rename to testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

index 59c35630273ae9bcd10b22e49b3eea358e5adf9f..74ca4181ccaa6c01defe8809fba15e2ec829712e 100755 (executable)
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
  #!/bin/bash
  
-cd /etc/openssl
+cd /etc/ca
  
  echo "Content-type: application/ocsp-response"
  echo ""
diff --git a/testing/tests/ikev2/ocsp-root-cert/posttest.dat b/testing/tests/ikev2/ocsp-root-cert/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..f9d38be139c1fe7f571bdc15bcb98e8fc6d48e60 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..25d5b9c296e8fb00cf911040f71a57365d8b136c 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
@@ -1,5 +1,6 @@
-moon::ipsec start
-carol::ipsec start
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..fdda0a04cb8b93739090aef7371ad388cd92f917 100644 (file)
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt

index 7c7efb68e5bc25acab36ac797323ac1b29e87f73..6517d5f837c3ba07817e62142f41e6287be04326 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt
@@ -1,10 +1,10 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
  issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
  extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
-in an authority information access extension pointing to <b>winnetou</b>. 
-Therefore no special ca section information is needed in moon's ipsec.conf.
-<p>
+in an authority information access extension pointing to <b>winnetou</b>.
+Therefore no special authorities section information is needed in moon's swanctl.conf.
+<p/>
  <b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
  the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat

index 7c7813cffbdfd3fbad93fd3e7b785f61a5db7650..45972168dc849cb605625387ecfa4f26572636cf 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,4 +1,4 @@
-carol::ipsec listcainfos 2> /dev/null::ocspuris.*http://ocsp.strongswan.org::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
  moon:: cat /var/log/daemon.log::requesting ocsp status::YES
  moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
  moon:: cat /var/log/daemon.log::ocsp response is valid::YES
@@ -7,6 +7,5 @@ carol::cat /var/log/daemon.log::requesting ocsp status::YES
  carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
  carol::cat /var/log/daemon.log::ocsp response is valid::YES
  carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 17225d2..0000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-
-conn home
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..c7b494ddca5b9a0a2b14098ad9a701ed63059560 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 2cec885..0000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d9c31430be44471da0789f95748bc124e790f1e9 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..20a78fa78f2e050258a583916f3b85471acff2cf 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat

deleted file mode 100644 (file)

index 934df4e..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::libcurl request failed::YES
-moon:: cat /var/log/daemon.log::certificate status is not available::YES
-moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index fa68b2a..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=ifuri
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 48e8fc6..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index b007f52..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=ifuri
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-
-conn alice
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 1ed94f9..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=ifuri
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
-       auto=add
-
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat

deleted file mode 100644 (file)

index 1646d5e..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat

deleted file mode 100644 (file)

index eedd737..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt

index ad7de9ecccbb4381cc7fa52c64d6979b0d650971..19b3a347097ca5eb83677d015cd2419dabb1875c 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -1,9 +1,9 @@
  This scenario is based on <a href="../ocsp-signer-cert">ikev2/ocsp-signer-cert</a>
  and tests the timeouts of the <b>libcurl</b> library used for http-based OCSP fetching
-by adding an ocspuri2 in <b>moon</b>'s strongswan ca section that cannot be resolved by
-<b>DNS</b> and an ocspuri2 in <b>carol</b>'s strongswan ca section on which no
-OCSP server is listening. Thanks to timeouts the connection can nevertheless
-be established successfully by contacting a valid OCSP URI contained in
+by adding an ocsp_uris entry in <b>moon</b>'s strongswan authority section that cannot
+be resolved by <b>DNS</b> and an ocsp_uris entry in <b>carol</b>'s strongswan authority
+section on which no OCSP server is listening. Thanks to timeouts the connection can
+nevertheless be established successfully by contacting a valid OCSP URI contained in
  <b>carol</b>'s certificate.
  <p>
  As an additional test the OCSP response is delayed by a few seconds in order to check
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat

index d4e41dbb88c0d823449ce713adb05f30da9061fd..186228d7fa858b99c7b33e202c17c42cafa1fd8c 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -8,5 +8,5 @@ carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed
  carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
  carol::cat /var/log/daemon.log::ocsp response is valid::YES
  carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 74d363f..0000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-        ocspuri1=http://bob.strongswan.org:8800
-       ocspuri2=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-
-conn home
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index fac55d6..0000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..c7b494ddca5b9a0a2b14098ad9a701ed63059560 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100644 (file)

index 0000000..6907b8d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://bob.strongswan.org:8800, http://ocsp.strongswan.org:8880
+   }
+}
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f307c12..0000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri2=http://ocsp2.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d9c31430be44471da0789f95748bc124e790f1e9 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..645d5b8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp2.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

similarity index 94%

rename from testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi

rename to testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

index 46a716f838ed7de26c87b04f7e8fc5dfca0d1a5e..7dd3ddb0f86446081de86e5fd1b12a01c6e7b21b 100755 (executable)
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
  #!/bin/bash
  
-cd /etc/openssl
+cd /etc/ca
  
  echo "Content-type: application/ocsp-response"
  echo ""
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat

index c6d6235f9da76c2e037f7e0738c13c51cccf6650..6e84fa99ec2318fb97ae0757f7c57541a8660d9a 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
@@ -1,2 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::rm /etc/swanctl/x509ocsp/*
+moon::rm /etc/swanctl/x509ocsp/*
+\ No newline at end of file
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat

index d7f7959f1f8b1267638e6f1436826ddef1081872..87be755a3c80200783084c095f8f018b7c2eec07 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt

index d17534b1b5eb780edd752f11918a30210183e352..befb3fc06e3c23a890c530f0c72ad5390446ed1d 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
@@ -1,7 +1,6 @@
  This scenario is based on <a href="../ocsp-signer-cert">ikev2/ocsp-signer-cert</a>
  and tests the timeouts of the <b>libcurl</b> library used for http-based OCSP fetching
-by adding an ocspuri1 in <b>moon</b>'s strongswan ca section on which no OCSP
-server is listening and an ocspuri2 that cannot be resolved by <b>DNS</b>.
+by adding two ocsp_uris in <b>moon</b>'s strongswan authorities section on the first
+of which no OCSP server is listening and the second URI cannot be resolved by <b>DNS</b>.
  Since the certificate status is <b>unknown</b> the connection setup is aborted by
  <b>moon</b> with an <b>AUTHORIZATION_FAILED</b> notification sent to <b>carol</b>.
-
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat

index cb7997f7252cb8209fb0c196da41e6b66afd2faa..9153d493105ac53a7fd3941c609c09a17e90a701 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -2,6 +2,5 @@ moon:: cat /var/log/daemon.log::libcurl request failed::YES
  moon:: cat /var/log/daemon.log::certificate status is not available::YES
  moon:: cat /var/log/daemon.log::constraint check failed::YES
  carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 459da14..0000000
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri1=http://bob.strongswan.org:8800
-        ocspuri2=http://ocsp2.strongswan.org:8880
-       auto=add
-                       
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-
-conn home
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..c7b494ddca5b9a0a2b14098ad9a701ed63059560 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100644 (file)

index 0000000..0783458
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://bob.strongswan.org:8800, http://ocsp2.strongswan.org:8880
+   }
+}
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index a464f01..0000000
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri1=http://bob.strongswan.org:8800
-       ocspuri2=http://ocsp2.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d9c31430be44471da0789f95748bc124e790f1e9 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..59dde6f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://bob.strongswan.org:8800, http://ocsp2.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

new file mode 100755 (executable)

index 0000000..7dd3ddb
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+# simulate a delayed response
+sleep 2
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+       -rkey ocspKey.pem -rsigner ocspCert.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat

index cf72480d4527d1ae4e328c4fec63bf1e5f605d2c..85f0d30a3a688e4ea92d214b90c4efd715cf151d 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables -F OUTPUT
  carol::iptables -F OUTPUT
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat

index 0c9d5a9b165ff3c315dbe6d720e32258f7777ee7..e16270e2f170d1b168e0ecbae10bd5dcb6e0ec4f 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
  carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt

index f581dd3192b524cb21837d2f0589dc4eefe5a3a1..4c078117f6dc426ed4723fa8b6cb8484b8f22e63 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
@@ -1,9 +1,8 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+By setting <b>revocation = strict</b>, a <b>strict</b> CRL policy is enforced on
  both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
  is checked via the OCSP server <b>winnetou</b> which is sending its <b>self-signed</b>
-OCSP signer certificate. A strongswan <b>ca</b> section in ipsec.conf
-defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
-<p>
+OCSP signer certificate.
+<p/>
  <b>carol</b> cannot successfully initiate an IPsec connection to <b>moon</b> since
  the self-signed certificate contained in the OCSP response will not be
  accepted by <b>moon</b>.
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat

index 0e97d45bd2fb14a40e97a47ed6f35733bff5b728..1c6a21f93421461e9bccc834c9298f3cc45d565e 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,5 +2,5 @@ moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
  moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer certificate::YES
  moon:: cat /var/log/daemon.log::certificate status is not available::YES
  moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 05e27f6..0000000
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf

index 48e8fc6ff750e65ba83397787b96d1b96c9d62ba..c7b494ddca5b9a0a2b14098ad9a701ed63059560 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100644 (file)

index 0000000..6fd2297
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e441e66..0000000
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-ca strongswan-ca
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       auto=add
-
-conn %default
-       keyexchange=ikev2
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf

index 7a64dce3033586949eb4732027f3d9f40fe83cc7..d9c31430be44471da0789f95748bc124e790f1e9 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
  }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..7103071
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat

index 1af117cf0a190fe17eff91d96dbc3bf9ff855d8d..f9d38be139c1fe7f571bdc15bcb98e8fc6d48e60 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,3 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat

index 903d1e9a8d6f9da73614854c9dce066756852c17..1e510f23095cddd11f86e605983eaed1db3c3ad6 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,6 +1,6 @@
  moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf

index 892f51cd9306c5a0f64b3f749bdae7f9a5e9d4ca..c5b3ecc4353c853ecba8a46242d2033e664b2bc1 100644 (file)
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/protoport-dual/description.txt b/testing/tests/ikev2/protoport-dual/description.txt

index 7bed8b9590d4fa84fbf15f969da55827bcb1dd7a..a93abf119ef46e63be35cca5d3425ab719c5eb25 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/description.txt
+++ b/testing/tests/ikev2/protoport-dual/description.txt
@@ -1,6 +1,8 @@
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. The established tunnels are tested
-by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
-then setting up an SSH session to the same client.
+Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
+<b>local_ts</b> and <b>remote_ts</b> child parameters, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
+The first CHILD_SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections.
+<p/>
+The established tunnels are tested by <b>carol</b> by first pinging <b>alice</b>
+behind <b>moon</b> and then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat

index 7d367e3c158b0e711ceb505daaefbae732117c73..b5eec4b31fc84cbaa1cc92030299766dfc2e13a4 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -1,9 +1,7 @@
-carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
  carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat

index 02f4aa82be2595cffef69952f327d5301ab5c02a..f0563179c1b14e7df87823b7da443b4462681f75 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,10 +1,10 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-icmp
-moon::expect-connection rw-ssh
-carol::expect-connection home-icmp
-carol::expect-connection home-ssh
-carol::ipsec up home-icmp
-carol::ipsec up home-ssh
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection icmp
+moon::expect-connection ssh
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::swanctl --initiate --child icmp 2> /dev/null
+carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..307c7e9cc709e726e6f5723f367ac99d9ee2ddc9 100644 (file)
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/protoport-range/description.txt b/testing/tests/ikev2/protoport-range/description.txt

similarity index 99%

rename from testing/tests/swanctl/protoport-range/description.txt

rename to testing/tests/ikev2/protoport-range/description.txt

index 7e64bcd72cb9915b60b295948b125fffb5b5b1f1..fc4ff696db65c6f4d6088dad087ac2af36369b30 100644 (file)
--- a/testing/tests/swanctl/protoport-range/description.txt
+++ b/testing/tests/ikev2/protoport-range/description.txt
@@ -3,5 +3,6 @@ Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
  between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
  The first CHILD_SA is restricted to ICMP request packets, the second
  covers ICMP reply packets and the third TCP-based FTP and SSH connections.
+<p/>
  The established tunnels are tested by <b>carol</b> by first pinging <b>alice</b>
  behind <b>moon</b> and then setting up an SSH session to the same client.
diff --git a/testing/tests/swanctl/protoport-range/evaltest.dat b/testing/tests/ikev2/protoport-range/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/protoport-range/evaltest.dat

rename to testing/tests/ikev2/protoport-range/evaltest.dat
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-range/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-range/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-range/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/protoport-dual/posttest.dat

rename to testing/tests/ikev2/protoport-range/posttest.dat
diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/ikev2/protoport-range/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/protoport-range/pretest.dat

rename to testing/tests/ikev2/protoport-range/pretest.dat
diff --git a/testing/tests/ikev2/protoport-range/test.conf b/testing/tests/ikev2/protoport-range/test.conf

new file mode 100644 (file)

index 0000000..307c7e9
--- /dev/null
+++ b/testing/tests/ikev2/protoport-range/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat

deleted file mode 100644 (file)

index d7f7959..0000000
--- a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/test.conf b/testing/tests/ikev2/reauth-mbb-revoked/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/reauth-mbb-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/reauth-mbb/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat

deleted file mode 100644 (file)

index e34f702..0000000
--- a/testing/tests/ikev2/reauth-mbb/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf

deleted file mode 100644 (file)

index 4a5fc47..0000000
--- a/testing/tests/ikev2/reauth-mbb/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/redirect-active/description.txt b/testing/tests/ikev2/redirect-active/description.txt

similarity index 100%

rename from testing/tests/swanctl/redirect-active/description.txt

rename to testing/tests/ikev2/redirect-active/description.txt
diff --git a/testing/tests/swanctl/redirect-active/evaltest.dat b/testing/tests/ikev2/redirect-active/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/redirect-active/evaltest.dat

rename to testing/tests/ikev2/redirect-active/evaltest.dat
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/iptables.rules

rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/strongswan.conf

rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/redirect-active/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/redirect-active/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/redirect-active/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/posttest.dat b/testing/tests/ikev2/redirect-active/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/redirect-active/posttest.dat

rename to testing/tests/ikev2/redirect-active/posttest.dat
diff --git a/testing/tests/swanctl/redirect-active/pretest.dat b/testing/tests/ikev2/redirect-active/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/redirect-active/pretest.dat

rename to testing/tests/ikev2/redirect-active/pretest.dat
diff --git a/testing/tests/swanctl/redirect-active/test.conf b/testing/tests/ikev2/redirect-active/test.conf

similarity index 100%

rename from testing/tests/swanctl/redirect-active/test.conf

rename to testing/tests/ikev2/redirect-active/test.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/description.txt b/testing/tests/ikev2/rw-cert-ppk/description.txt

similarity index 99%

rename from testing/tests/swanctl/rw-cert-ppk/description.txt

rename to testing/tests/ikev2/rw-cert-ppk/description.txt

index 53e10335936f50888ddc6f63f983ce767bd07129..e57ba75401d38856e26e52d451046d5cf5cca249 100755 (executable)
--- a/testing/tests/swanctl/rw-cert-ppk/description.txt
+++ b/testing/tests/ikev2/rw-cert-ppk/description.txt
@@ -5,6 +5,7 @@ derived key material. The PPK_ID used by <b>dave</b> is unknown to <b>moon</b>
  but since both peers don't enforce the use of a PPK they fall back to regular
  authentication by use of the authentication data provided in the NO_PPK_AUTH
  notify.
+<p/>
  Upon the successful establishment of the IPsec tunnels, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
diff --git a/testing/tests/swanctl/rw-cert-ppk/evaltest.dat b/testing/tests/ikev2/rw-cert-ppk/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/evaltest.dat

rename to testing/tests/ikev2/rw-cert-ppk/evaltest.dat
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/posttest.dat b/testing/tests/ikev2/rw-cert-ppk/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/posttest.dat

rename to testing/tests/ikev2/rw-cert-ppk/posttest.dat
diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/ikev2/rw-cert-ppk/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/ip-pool/pretest.dat

rename to testing/tests/ikev2/rw-cert-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-cert/test.conf b/testing/tests/ikev2/rw-cert-ppk/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert/test.conf

rename to testing/tests/ikev2/rw-cert-ppk/test.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/description.txt b/testing/tests/ikev2/rw-cert-pss/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/description.txt

rename to testing/tests/ikev2/rw-cert-pss/description.txt
diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/ikev2/rw-cert-pss/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/evaltest.dat

rename to testing/tests/ikev2/rw-cert-pss/evaltest.dat
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/posttest.dat b/testing/tests/ikev2/rw-cert-pss/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/posttest.dat

rename to testing/tests/ikev2/rw-cert-pss/posttest.dat
diff --git a/testing/tests/swanctl/rw-cert-ppk/pretest.dat b/testing/tests/ikev2/rw-cert-pss/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-ppk/pretest.dat

rename to testing/tests/ikev2/rw-cert-pss/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-cert-pss/test.conf

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-md5/test.conf

rename to testing/tests/ikev2/rw-cert-pss/test.conf
diff --git a/testing/tests/ikev2/rw-cert/description.txt b/testing/tests/ikev2/rw-cert/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 15b3822..f190c07
--- a/testing/tests/ikev2/rw-cert/description.txt
+++ b/testing/tests/ikev2/rw-cert/description.txt
@@ -1,6 +1,7 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 849d59a..8a8a95f
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8ecdb71..aeb1b75
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+charon-systemd {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8ecdb71..aeb1b75
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+charon-systemd {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 8ecdb71..f12797e
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,14 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  
    integrity_test = yes
+
    crypto_test {
      on_add = yes
    }
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt

index 0135f078c6024cc05211edcb6fd3105c79e3f5e5..d26485303e3b1cae18c6cf017996397247005e32 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/description.txt
+++ b/testing/tests/ikev2/rw-dnssec/description.txt
@@ -3,8 +3,10 @@ The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
  resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
  </p>
  Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
-tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
-<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
-and <b>dave1</b>, respectively.
+by using the <b>vips = 0.0.0.0</b> parameter.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b>
+behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual IPs
+<b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat

index ea7103a66dac274ef87e2fc27c9aa2ad677ce42f..73a2ff4b0604c546c7cd73f86f645c37c72875a1 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/evaltest.dat
+++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat
@@ -1,19 +1,15 @@
  carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
  carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
  dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
  moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 082b18a..0000000
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=%any
-       leftsourceip=%config
-       leftid=carol.strongswan.org
-       leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
-       leftauth=pubkey
-       leftfirewall=yes
-       right=moon.strongswan.org
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf

index 29fa36133d4f99f17f61b48ad4a09953467d89d9..6339790cdd3fdc49885f04473701f8f2d1ffad9a 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,14 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
  
    plugins {
      ipseckey {
        enable = yes
      }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
    }
  }
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index a68f981..0000000
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=%any
-       leftsourceip=%config
-       leftid=dave.strongswan.org
-       leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
-       leftauth=pubkey
-       leftfirewall=yes
-       right=moon.strongswan.org
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf

index 0d3c7b781cab541e69f3c393f2384a5d6c610468..6339790cdd3fdc49885f04473701f8f2d1ffad9a 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,14 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
  
    plugins {
      ipseckey {
        enable = yes
      }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
    }
  }
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 3c5c64c..0000000
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftid=moon.strongswan.org
-       leftauth=pubkey
-       leftsigkey=moonPub.pem
-       leftfirewall=yes
-       right=%any
-       rightauth=pubkey
-       rightsourceip=10.3.0.0/24
-       auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf

index fa853d435fbfbecd3e63fff8c94f78ce72541b72..617b812d575b56661a512fac79f6e5ef8151a5e3 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac stroke kernel-netlink socket-default updown attr
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
  
    dns1 = PH_IP_WINNETOU
    dns2 = PH_IP_VENUS
@@ -10,5 +10,8 @@ charon {
      ipseckey {
        enable = yes
      }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
    }
  }
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys

similarity index 100%

rename from testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys

rename to testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat

index 17572e0bd7ed44fb9e77f8fe9a8edc396b7a3081..3a662980f8e361b1b8d01c2b71003eda2710da01 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/posttest.dat
+++ b/testing/tests/ikev2/rw-dnssec/posttest.dat
@@ -1,12 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::cd /etc/swanctl; rm dnssec.keys pubkey/*
+carol::cd /etc/swanctl; rm dnssec.keys pubkey/*
+dave::cd /etc/swanctl; rm dnssec.keys pubkey/*
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/resolv.conf
-carol::rm /etc/resolv.conf
-dave::rm /etc/resolv.conf
-moon::rm /etc/ipsec.d/dnssec.keys
-carol::rm /etc/ipsec.d/dnssec.keys
-dave::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat

index ee5bc7c721103a0acec00b5b668ccf899220133a..94c1fc82c5657d6a41b1340d4531f29370df7767 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/pretest.dat
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+carol::cd /etc/swanctl; rm x509/* x509ca/*
+dave::cd /etc/swanctl; rm x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf

index 164b07ff9761f484661799c906b1a3792c30b9a5..a542d037ed56442e8f40156a1baa17c18f2b041e 100644 (file)
--- a/testing/tests/ikev2/rw-dnssec/test.conf
+++ b/testing/tests/ikev2/rw-dnssec/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt

index 893a272303cf3a095109cced852f0151e56cb009..c39829dd5b992bfb8b572401b0c336e01eed7479 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
@@ -4,7 +4,7 @@ an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
  <p/>
  Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
  method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
-This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
  is used instead of a USIM/(R)UIM device.
  <p/>
  In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat

index 25871f893040ef07496b16e5e1a707c17a4344cf..a655543f9c27e9300c31ccdfb68b2fbc0e165427 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -3,12 +3,8 @@ carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf

index 364b8c0fc5edc97b8582b11f33fb724d99b7d27c..1582b2b01b24a914df945e8a9071d599b6c96728 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf

index 364b8c0fc5edc97b8582b11f33fb724d99b7d27c..1582b2b01b24a914df945e8a9071d599b6c96728 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat

index 1578796a1e1ff1686a4f1e0cd2931c296df74b99..68075b0920ee11390dd5776ea896a886ddc04384 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt

index da5b72735e854db92cd4d5cba3de2353cea53e0b..0138e35f5a15c93943a9119775cb0754975a0012 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
@@ -4,5 +4,5 @@ an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
  <p/>
  Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
  method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
-This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
-is used instead of a USIM/(R)UIM device.
-\ No newline at end of file
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat

index 795164c7f7e0352525fe12ed484b773297715dad..0d4f7419771b097f3033ddcaa50a3c0c4695561a 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -2,12 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
  carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf

index a919d68ec2b62f7760da74279f739a18452a4841..4d4fc3583e6a8fae4dba919669f2c12266dc035a 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  integrity_test = yes
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf

index a919d68ec2b62f7760da74279f739a18452a4841..4d4fc3583e6a8fae4dba919669f2c12266dc035a 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  integrity_test = yes
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat

index ee4673009a3cd65531b5f03fb13c931982ef2fa6..68075b0920ee11390dd5776ea896a886ddc04384 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap-aka
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat

index b31a4680989a7b1ac4dd7371b2bd4138047810b1..b529b4bcefebad7992d63543e34c3ed0a3f8bc9b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat
@@ -3,12 +3,8 @@ carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf

index 81d2c8e74ac89c03bea2add5e6e45146699461a6..653488a6655f3fa65b2ba4608512b4f4cb0edab8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
  
    plugins {
      eap-simaka-sql {
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf

index 81d2c8e74ac89c03bea2add5e6e45146699461a6..653488a6655f3fa65b2ba4608512b4f4cb0edab8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
  
    plugins {
      eap-simaka-sql {
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat

index e3d7998a95e45432a65f003d15ef1a280eb1ba04..6356b88474dda56f0aa736f0b8dfa37e5b048ea7 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat
@@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
  moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat

deleted file mode 100644 (file)

index 046d4cf..0000000
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt

index a1512ca9eb8a77ffd9fd4fcc4d53ceac51567a8a..42db2e199f5e921d8c9ac3acfc1d765cbf38e2e5 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt
@@ -1,10 +1,10 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
  At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with an  <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
-In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+In addition to her IKEv2 identity<b>carol@strongswan.org</b>, roadwarrior
  <b>carol</b> uses the EAP identity <b>carol</b>.
-The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
-and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat

index 60a5a778dd4d3c4eb7de25ba644f2193716226a2..3080ec15a66576bd2c80bb4007ac8c706b404d04 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -3,12 +3,8 @@ moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
  carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
  carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..23cba8d11b7e26049e9c9689c4d1f91f511d13c9 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

index 1dc69d90dcfbab9046975e72aa544224e542466d..2bbe1d730086d4a401ef0347faa6c8c08cfcfbdc 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -8,6 +8,7 @@ listen {
  
  authorize {
    preprocess
+  suffix
    eap {
      ok = return
    }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf

index 783587b55650c042a2f38ffe550a6a0895324c55..23cba8d11b7e26049e9c9689c4d1f91f511d13c9 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -1,4 +1,4 @@
-realm LOCAL {
+realm strongswan.org {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default

index a67a5dcb42a28a43afeb359ad4a9ed4d5f87bdd8..dd0825858a93e712edee8ab89bc7c2a937577d76 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,4 +1,5 @@
  authorize {
+  suffix
    eap {
      ok = return
    }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf

index 0250ce3b123b1d21858e1404e01c36314abf3ef3..d2cc789b3f9568911f2b218e98b7f9805765023a 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf

index 3a8d5c20c2850c3d9a8cca2bf3820e62f481121f..fa363c3455dd93fc8f82ebc9e54e3b69d8a94c9b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
  
    plugins {
      eap-radius {
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat

index 4361417fd1df1686627e8a5dc2ced483a993c44b..4b05d1f78ce782b372671f4311b32d354ecc6f57 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat

index 012323f8f4180714c7f979e13f6a8dd39784fa93..193f9e9c8c5bd21d9a6fe9ec5b2e1d6ebec82dbd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,8 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf

index eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7..0d9e9f3d437913f8521bc332836a6a94db23a760 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/description.txt
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/evaltest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/test.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-id-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/description.txt
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/evaltest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/protoport-range/posttest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf

rename to testing/tests/ikev2/rw-eap-md5-id-rsa/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-radius/description.txt

index 12bdc9fdde98705fbdf148292c64f74af50360f7..f0f241dc1fd4c2f51f4b8749ec97d0aa1ac08c7a 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-radius/description.txt
@@ -1,8 +1,7 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
  At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with an  <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
-The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
-and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat

index f3e5aa0a1e1ca467ca91775735406840a0230989..09a78be83461577f175a17f5e52ce767ec31f19d 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -2,10 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
  carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf

index f399dfbf1e19a6f95299fc165a92e5491635929e..e57629f2e4a1adf3e499c5f8c96f1efdde225612 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf

index 6d37fbb9d6ee22c610092206c189f27487f61a23..bf614014d47c381776f385909ee0afcfa90ddf81 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat

index 4361417fd1df1686627e8a5dc2ced483a993c44b..4b05d1f78ce782b372671f4311b32d354ecc6f57 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat

index 012323f8f4180714c7f979e13f6a8dd39784fa93..193f9e9c8c5bd21d9a6fe9ec5b2e1d6ebec82dbd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,8 +1,9 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf

index eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7..0d9e9f3d437913f8521bc332836a6a94db23a760 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat

index d4617bf42348320118ddf9c4173bc6a3ce4d8454..c0026af4ff5954169b0ea49b87b9243d30233ed8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,12 +1,10 @@
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf

index f399dfbf1e19a6f95299fc165a92e5491635929e..e57629f2e4a1adf3e499c5f8c96f1efdde225612 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf

index f399dfbf1e19a6f95299fc165a92e5491635929e..e57629f2e4a1adf3e499c5f8c96f1efdde225612 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat

index 1578796a1e1ff1686a4f1e0cd2931c296df74b99..68075b0920ee11390dd5776ea896a886ddc04384 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat

index e72426b29ae49a03767098d96771c0378311b62b..a1c2d4e8818e16b3cce4c8ca260f4be1b1ed8696 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,14 +1,11 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
  carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf

index 51eaacbe4289291bdad00d2c130289fc2b672d30..d9210aeb562c9d892c9cd74069c9ed12a713d965 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf

index 51eaacbe4289291bdad00d2c130289fc2b672d30..d9210aeb562c9d892c9cd74069c9ed12a713d965 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
  }
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat

index 1578796a1e1ff1686a4f1e0cd2931c296df74b99..68075b0920ee11390dd5776ea896a886ddc04384 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -1,7 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat

index c7884ee0e469f632262ad8da4bc7f185589852db..247aabe179fca35b7ef10fc6aed9668c48879ce3 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -10,14 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
-moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf

index 80cd79ed778c140e97b7615ae2a402d041dab947..56df2de4533353a4af8c1c8cd5320b3339493a44 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,20 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
    multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf

index 80cd79ed778c140e97b7615ae2a402d041dab947..56df2de4533353a4af8c1c8cd5320b3339493a44 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,20 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
    multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf

index 6a81b4715edf61f13b24a4653accaf219fe11494..347e7f7b2bec6419f590232f1b6546ce9daa82a1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -1,13 +1,22 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
    plugins {
      eap-peap {
        phase2_method = md5
        phase2_piggyback = yes
-   }
- }
+    }
+  }
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat

index 1865a1c60eb1dcb5867d6c1d9bf6605f054c4757..e5c82ef20df134a0dea9e6c8852edda9744e76cd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat

index dccf85419d604ecb538c4b56bf44d15efeba1beb..69f83f67ae7271f270ea7fe164434fd2c12d3e8b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -1,11 +1,13 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf

index f292988506cd9f32494f96885953dd6645e93f3c..1227b9d1c0621726c72b0079de3a23bc6d0581a1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat

index 6ba3e10e9068d8d8fb781834c179b06d6aa358d2..1093e51ada966f81de5b991af6ed396dbb9cb169 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf

index d3f333d543f385ebdfcd17714bc3b02c753bce47..b3fdc5d70a9e48046201b1a764e897c79b0f247b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,20 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
    multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf

index d3f333d543f385ebdfcd17714bc3b02c753bce47..b3fdc5d70a9e48046201b1a764e897c79b0f247b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,20 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
    multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf

index b694c6071258385905d830e3849589fc954d5500..c7023a6838ec28ba94b4c0c3cc68d753bad3b827 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,21 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
    multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
    plugins {
      eap-peap {
        phase2_method = mschapv2
-   }
- }
+    }
+  }
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat

index 1865a1c60eb1dcb5867d6c1d9bf6605f054c4757..e5c82ef20df134a0dea9e6c8852edda9744e76cd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat

index dccf85419d604ecb538c4b56bf44d15efeba1beb..69f83f67ae7271f270ea7fe164434fd2c12d3e8b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,11 +1,13 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf

index f292988506cd9f32494f96885953dd6645e93f3c..1227b9d1c0621726c72b0079de3a23bc6d0581a1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/description.txt b/testing/tests/ikev2/rw-eap-peap-radius/description.txt

index 89db03a385ef6f70039c2d3405ac578d09eb1aaf..004068226233a8d5096b0859d4adfd32251435eb 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-peap-radius/description.txt
@@ -1,8 +1,9 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-PEAP</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
-wrong password and fails.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-PEAP</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat

index edfb7cdddadd2e3bf5fcbc6db6aa421d1b32a010..291e249da9447a12b1bfd164f1ccaf72b93209fd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf

index c8c3f856272f84c9bc3296eb124dfbd9c7471260..cb7743f82545ecfd15967ddc8366448875ade361 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf

index c8c3f856272f84c9bc3296eb124dfbd9c7471260..cb7743f82545ecfd15967ddc8366448875ade361 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
  }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf

index 96815514670b0462a0f829f6ec9ea6ed2b2c6652..bf614014d47c381776f385909ee0afcfa90ddf81 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat

index a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2..a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat

index c98e8ed53a8c2d049baa2909208819dbc0f14eb2..6363fcb5902892f0b86546dcd1dceb81e729f7ba 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,12 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf

index 20d5863094b871ee000fd4e7acadccad31ad31fa..0e5512b655038f627d97147d23dc21852a74b066 100644 (file)
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat

index e7d9786349b538ea7345a1e1b98f98794b44f896..038a2c1e166f1e2352671db9ee35627334ce1fbc 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -3,10 +3,8 @@ moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
  carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf

index 51614f7163eff75ed329d582d27c2fe2aa253444..11ae80c1eae17e5b51dfefff71366cb6459fbbff 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf

index 3a8d5c20c2850c3d9a8cca2bf3820e62f481121f..fa363c3455dd93fc8f82ebc9e54e3b69d8a94c9b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
  
    plugins {
      eap-radius {
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat

index 4361417fd1df1686627e8a5dc2ced483a993c44b..4b05d1f78ce782b372671f4311b32d354ecc6f57 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat

index 53aa83f0cba89f1e5fbce176a29fcd2784d97ad5..18411263eca44d995d6c9e556d0f9921277fdcc8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,9 +1,10 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
  carol::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf

index eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7..0d9e9f3d437913f8521bc332836a6a94db23a760 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat

index 8502d7a72e78c7756a90ed45284faf0080a03012..3d3359775d532ead3a8581a45fdd80d29390c18b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -2,14 +2,12 @@ carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
  dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default

index 8d68b81fc22fa26562fcd841f30132040f242d9e..51b64a74b38ed4c4fb93a5e084029e4e7495ae47 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,4 +1,7 @@
  authorize {
+  preprocess
+  chap
+  mschap
    files
    suffix
    update reply {
@@ -15,9 +18,24 @@ authorize {
    eap {
      ok = return
    }
+  unix
+  files
+  expiration
+  logintime
+  pap
  }
  
  authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
    eap
  }
  
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf

index 195893a18851b0cb27110f40c3ec1ac5e0ba0adb..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf

index 195893a18851b0cb27110f40c3ec1ac5e0ba0adb..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf

index 6725cf8303ab5cc369493d7a2d0925acdb9204a6..bf614014d47c381776f385909ee0afcfa90ddf81 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat

index a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2..a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat

index 04b824def890b54747449236771e0693f13f1995..867c7248c1397cbc139f7e68296cb569fd0f7275 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,20 +1,16 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
  carol::cat /etc/ipsec.d/triplets.dat
  dave::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf

index 29bfaa78c964e9030691c0bfac7b7d3906d547f7..93f23f1d6e462d03ce8f9c87ada1f3b3d688a174 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat

index 0c9c2b4a7e7f45c23f7e0175c64998d230c7f0f1..476e4e1fc652d12b8f046bba07c6cdc0039b8ba0 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -2,14 +2,12 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
  carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
  dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf

index e78434f8f8c80c7a2b81f13af566b4f603b16322..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf

index e78434f8f8c80c7a2b81f13af566b4f603b16322..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf

index 6d37fbb9d6ee22c610092206c189f27487f61a23..bf614014d47c381776f385909ee0afcfa90ddf81 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat

index a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2..a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat

index e171997bc39575a68d4db895a866c4b63f1e4948..867c7248c1397cbc139f7e68296cb569fd0f7275 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,14 +1,16 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
  carol::cat /etc/ipsec.d/triplets.dat
  dave::cat /etc/ipsec.d/triplets.dat
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf

index 42d23a50bb5d79ce79b974f1fafd7091e94f3dbe..93f23f1d6e462d03ce8f9c87ada1f3b3d688a174 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
  # Guest instances on which FreeRadius is started
  #
  RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat

index 17e3157f8745cd2703abbb58c6d3e3bbffa711e2..1e967896e9df53504e492d0ac8d98260af64abf6 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,10 +1,9 @@
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf

index e652c52d7d564ad698c978d557ae37537cd193b3..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
  
-  integrity_test = yes
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
  }
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf

index 0015835136c32a2e042075feba1a24f9de720b16..bcd8ef0e33ab2cb226f8d0cbe4a21d882f30b550 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-
-  integrity_test = yes
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
  }
  
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat

index 71cab1fbf08aaf5a460574f83847a6069f5316ea..68075b0920ee11390dd5776ea896a886ddc04384 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -1,9 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::cat /etc/ipsec.d/triplets.dat
-carol::cat /etc/ipsec.d/triplets.dat
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap-sim
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf

index e093d43d831fc7d7af507f590d5046de2ffde70a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat

index 100919a0590d2d8fa50e90bc3f9afbc862a382d3..c9f34629307b4c45d88513635d89f8f963d704b5 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -3,8 +3,8 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
  carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
  carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf

index a4e10a0318fdf2ccfea0e79b359236dc09962b7d..0b9b3995197d1b92226042483c996e93239a63bf 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
  
    multiple_authentication=no
    syslog {
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf

index f7a382d9e0ef53b02aa5752c982935a07ce24ea9..69bff64c6fdac7825677f9e8dcdc1434c60bc017 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
  
    multiple_authentication=no
    syslog {
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat

index 046d4cfdc4678f1e7553cba9f099f029f7f6617f..af9cda6cafd7428b45e9ab69dc8f50856ff4c707 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat

index 1578796a1e1ff1686a4f1e0cd2931c296df74b99..1e8e27fdf4f14df5fb1744766230da810fdedd96 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -1,7 +1,7 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf

index 4a5fc470f0e67c4565d3360e777fb0ef6442ab2a..97b89cb611f3c503b17a66dd80ef8258006eada8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -5,11 +5,11 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice carol moon"
  
  # Corresponding block diagram
  #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c.png"
  
  # Guest instances on which tcpdump is to be started
  #
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/description.txt b/testing/tests/ikev2/rw-eap-tls-radius/description.txt

index 842a88c427fce1b48db2c8598d809640b457fa77..d635ae33efb16f711a1659d3eb6ef9b43b5d0d86 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
@@ -1,5 +1,7 @@
  The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
  At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses a mutual <b>EAP-TLS</b> authentication based
-on X.509 certificates with the remote AAA RADIUS server <b>alice</b>.
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates. The gateway forwards all EAP messages to the
+AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat

index 36c054419345e0d999a3a48671b0b0b12f52e614..46d88143c48a1354b05aa4b4e39ae1cd608b3c12 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -2,8 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, C
  carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
  carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf

index b4196402dd8d278f37ad6c7b43557d14b127aa0d..3b1e09bced1c3d1d62bd8d1e47f8c6b0cb20df8e 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -1,8 +1,13 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication = no
    syslog {
      daemon {
        tls = 2
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf

index 783b4c844450d546008a1d491024cfddd517fa61..9945befdffc890ce333b69f9676acfd1b0cca5df 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat

index 4361417fd1df1686627e8a5dc2ced483a993c44b..4b05d1f78ce782b372671f4311b32d354ecc6f57 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat

index 012323f8f4180714c7f979e13f6a8dd39784fa93..9b3942d2e98cce7a2f5bb8776ba78eea2662a34c 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,8 +1,8 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf

index eb1e15dd251571acc1b1c2278f3d1edc0d0c3bc7..0d9e9f3d437913f8521bc332836a6a94db23a760 100644 (file)
--- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/description.txt
diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert/evaltest.dat

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert/posttest.dat

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/posttest.dat
diff --git a/testing/tests/swanctl/rw-cert-pss/pretest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-cert-pss/pretest.dat

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/test.conf

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf

rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/test.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/description.txt b/testing/tests/ikev2/rw-eap-ttls-only/description.txt

index 3d4c3ab873425a90ec892a64ab4b580d5554e812..19c00531e484e640566b39f2ac3317e5231e42d8 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/description.txt
+++ b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
@@ -3,7 +3,7 @@ The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a sep
  authentication) with the gateway being authenticated by a server certificate during the
  EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
  authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
-<p/> 
+<p/>
  With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
  <b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
  sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat

index a4b7d5812136bcaea5c1e0dae50e4472f5e3701c..46d6be42a7f168c67a063ed9bf0778751387377f 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf

index 0637de363ce94f08efaf8bd8c2fb523cd3e497e2..c2c9aa51647dd8d72937eb3753f1440b3750bbb1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,12 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
    multiple_authentication=no
    syslog {
      daemon {
@@ -9,3 +14,7 @@ charon {
      }
    }
  }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf

index 0637de363ce94f08efaf8bd8c2fb523cd3e497e2..c2c9aa51647dd8d72937eb3753f1440b3750bbb1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,12 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
    multiple_authentication=no
    syslog {
      daemon {
@@ -9,3 +14,7 @@ charon {
      }
    }
  }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf

index dd1524c64d8397d91039f4e21cbc39011523052b..8633346d1116a177b3de8d9e61da729347c7698b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,13 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
  
+  multiple_authentication=no
    syslog {
      daemon {
        tls = 2
@@ -12,6 +16,6 @@ charon {
    plugins {
      eap-ttls {
        phase2_method = md5
-   }
- }
+    }
+  }
  }
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat

index 1865a1c60eb1dcb5867d6c1d9bf6605f054c4757..e5c82ef20df134a0dea9e6c8852edda9744e76cd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat

index dccf85419d604ecb538c4b56bf44d15efeba1beb..69f83f67ae7271f270ea7fe164434fd2c12d3e8b 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -1,11 +1,13 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf

index f292988506cd9f32494f96885953dd6645e93f3c..1227b9d1c0621726c72b0079de3a23bc6d0581a1 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt

index 299106b32e032fb64bd47c3df39e8459c473c81f..479350c2fafd2133fc9780bae91def8f8baf2a24 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
@@ -1,8 +1,9 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
-wrong password and fails.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat

index 4be616469d8d46777c98aa17adc297fdfe2192fd..df4f0d550875aa8afccbe63dcf00a5ab66277bf5 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -10,12 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
  moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
  moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
  moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf

index 443332acc2ec2e4cc8a40c056834c3ff5580daf6..85d90ccc1c6d087cd97261ce957b5ae898e7b9de 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
  }
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf

index 443332acc2ec2e4cc8a40c056834c3ff5580daf6..85d90ccc1c6d087cd97261ce957b5ae898e7b9de 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
  }
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index e86d6aa..0000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf

index 96815514670b0462a0f829f6ec9ea6ed2b2c6652..bf614014d47c381776f385909ee0afcfa90ddf81 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
  
    plugins {
      eap-radius {
-      secret = gv6URkSs 
+      secret = gv6URkSs
        server = PH_IP_ALICE
      }
    }
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat

index a6619d02bfa58dc8b3d1f9c183b6fd7bf88d7be2..a3aff64c3df8d19b36ffc63ba4078c19ae5a92bd 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  alice::killall freeradius
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat

index c98e8ed53a8c2d049baa2909208819dbc0f14eb2..6363fcb5902892f0b86546dcd1dceb81e729f7ba 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,12 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
  alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw-eap
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf

index 20d5863094b871ee000fd4e7acadccad31ad31fa..0e5512b655038f627d97147d23dc21852a74b066 100644 (file)
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
  #
  RADIUSHOSTS="alice"
  
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/description.txt b/testing/tests/ikev2/rw-ed25519-certpol/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/description.txt

rename to testing/tests/ikev2/rw-ed25519-certpol/description.txt
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/evaltest.dat b/testing/tests/ikev2/rw-ed25519-certpol/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/evaltest.dat

rename to testing/tests/ikev2/rw-ed25519-certpol/evaltest.dat
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/posttest.dat b/testing/tests/ikev2/rw-ed25519-certpol/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/posttest.dat

rename to testing/tests/ikev2/rw-ed25519-certpol/posttest.dat
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/pretest.dat b/testing/tests/ikev2/rw-ed25519-certpol/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/pretest.dat

rename to testing/tests/ikev2/rw-ed25519-certpol/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf b/testing/tests/ikev2/rw-ed25519-certpol/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf

rename to testing/tests/ikev2/rw-ed25519-certpol/test.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/description.txt b/testing/tests/ikev2/rw-hash-and-url/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 5e748d7..6af7a39
--- a/testing/tests/ikev2/rw-hash-and-url/description.txt
+++ b/testing/tests/ikev2/rw-hash-and-url/description.txt
@@ -1,10 +1,6 @@
  The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
  to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Instead of the certificates themselves, "Hash and URL" certificate payloads
-are transferred and the certificates are fetched via http from web server <b>winnetou</b>.
-<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+Upon the successful establishment of the IPsec tunnels, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
-</p>
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 3c0aaf0..a7f04b5
--- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -2,17 +2,13 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
  dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
  moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
  moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index acf5789..0000000
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       certuribase=http://winnetou.strongswan.org/certs/
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9c9714a..90f42a1
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+
    hash_and_url = yes
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 1e14395..0000000
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       certuribase=http://winnetou.strongswan.org/certs/
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 3a52f0d..90f42a1
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+
    hash_and_url = yes
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index cd626a7..0000000
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       certuribase=http://winnetou.strongswan.org/certs/
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 3a52f0d..90f42a1
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+
    hash_and_url = yes
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..3d37a86
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 4780041..d8ad8b7
--- a/testing/tests/ikev2/rw-initiator-only/description.txt
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -4,7 +4,7 @@ she ignores the repeated IKE requests sent by <b>dave</b>.
  <p/>
  After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
  connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
+<p/>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index c5dc4a0..811b8a8
--- a/testing/tests/ikev2/rw-initiator-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -1,8 +1,6 @@
  dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index dd2ceea..0000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 54b68df..7bb3ff7
--- a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,11 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  
    initiator_only = yes
  }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..f1c4ba6
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index b417977..0000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn peer
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_CAROL
-       rightid=carol@strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..402d773
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   peer {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.100
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+      children {
+         peer {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index acc2ef7..0000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekey=no
-       reauth=no
-       keyexchange=ikev2
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 93f4345..ad4c18e
--- a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..4ba02ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..e5c82ef
--- a/testing/tests/ikev2/rw-initiator-only/posttest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 290f57e..71675c4
--- a/testing/tests/ikev2/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -1,11 +1,11 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  dave::expect-connection peer
-dave::ipsec up peer
+dave::swanctl --initiate --child peer 2> /dev/null
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-initiator-only/test.conf
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-newhope-bliss/description.txt b/testing/tests/ikev2/rw-newhope-bliss/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index eb76784..0a7f248
--- a/testing/tests/ikev2/rw-newhope-bliss/description.txt
+++ b/testing/tests/ikev2/rw-newhope-bliss/description.txt
@@ -4,9 +4,8 @@ with a cryptographical strength of 128 bits. Authentication is based on the BLIS
  algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
  <b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
  <p>
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
+The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
  increasing order. 
  <p>
  <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
diff --git a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index a2df0a3..be3b867
--- a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
@@ -1,26 +1,10 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 6f561ab..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha256-newhope128!
-       esp=aes256-sha256!
-       authby=pubkey
-       fragmentation=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftsourceip=%config
-       leftcert=carolCert.der
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index c222564..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1d9f6e2..16dcf16
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,12 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index caf99dd..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha256-newhope128!
-       esp=aes256-sha256!
-       authby=pubkey
-       fragmentation=yes
-
-conn home
-       left=PH_IP_DAVE
-       leftsourceip=%config
-       leftcert=daveCert.der
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index fe26432..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1d9f6e2..4757050
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,12 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 0ec0ac8..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes256-sha256-newhope128!
-       esp=aes256-sha256!
-       authby=pubkey
-       fragmentation=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.der
-       leftauth=bliss-sha512
-       leftid=moon.strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsourceip=10.3.0.0/28
-       auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index b4a9ee6..0000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 1d9f6e2..16dcf16
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,12 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 9ba8c5f..eb21008
--- a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
@@ -1,9 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 058b3c3..819964b
--- a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-newhope-bliss/test.conf b/testing/tests/ikev2/rw-newhope-bliss/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index 164b07f..1227b9d
--- a/testing/tests/ikev2/rw-newhope-bliss/test.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
  
  # Guest instances on which tcpdump is to be started
  #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
  
  # Guest instances on which IPsec is started
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt

index b81fdb7cf6c09f9f5d0aa43be55c0aecdb4d64e0..82ebd89ad025e06217957c63a5a048918932e6e4 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/description.txt
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -4,12 +4,11 @@ The key exchange is based on NTRU encryption with a cryptographical strength of
  algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
  <b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
  <p>
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
+The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
  increasing order. 
  <p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+The updown script automatically inserts iptables-based firewall rules that let pass
  the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
  the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
  pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat

index ebb738cae4ec3b5e288fc9b695661e51ff636218..937425fabfc132b17e545c2d9661fd8d96b559a3 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -1,21 +1,13 @@
  carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
  dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
  moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
  moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 647a47f..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-ntru128!
-       esp=aes128-sha256!
-       authby=pubkey
-       fragmentation=yes
-
-conn home
-       left=PH_IP_CAROL
-       leftsourceip=%config
-       leftcert=carolCert.der
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index c222564..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf

index 47f9aa05fad01e47714240c0e3d12ef57afe4329..0a86ed8130db47bbf38847756e709420eb645303 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,8 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index e778604..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes192-sha384-ntru192!
-       esp=aes192-sha384!
-       authby=pubkey
-       fragmentation=yes
-
-conn home
-       left=PH_IP_DAVE
-       leftsourceip=%config
-       leftcert=daveCert.der
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index fe26432..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf

index 47f9aa05fad01e47714240c0e3d12ef57afe4329..0a86ed8130db47bbf38847756e709420eb645303 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,8 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index e5c2bf8..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
-       esp=aes128-sha256,aes192-sha384!
-       authby=pubkey
-       fragmentation=yes
-
-conn rw
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.der
-       leftauth=bliss-sha512
-       leftid=moon.strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightsourceip=10.3.0.0/28
-       auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index b4a9ee6..0000000
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf

index 47f9aa05fad01e47714240c0e3d12ef57afe4329..0a86ed8130db47bbf38847756e709420eb645303 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
    send_vendor_id = yes
    fragment_size = 1500
  }
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat

index 9ba8c5f554a05f93730bd0ce0e8c29ad05b93821..b11720842632b4183ec8b4b66c904814210e0052 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
@@ -1,9 +1,9 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+moon::cd /etc/swanctl;  rm bliss/* x509/moonCert.der  x509ca/strongswan_blissCert.der
+carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der
+dave::cd /etc/swanctl;  rm bliss/* x509/daveCert.der  x509ca/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat

index 058b3c33df2e087a5630e1176a4cf11bf0fe2c23..819964b7dfbc8845f2da25e2bc2dc1024b7f9add 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf

index 164b07ff9761f484661799c906b1a3792c30b9a5..a542d037ed56442e8f40156a1baa17c18f2b041e 100644 (file)
--- a/testing/tests/ikev2/rw-ntru-bliss/test.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 3e6d33a..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 35233ed..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
-  send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index 3c355de..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org dave@strongswan.org  : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 35233ed..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
-  send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index a9e89c0..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
-
-moon.strongswan.org dave@strongswan.org  : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 35233ed..0000000
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
-  send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2/rw-pkcs8/description.txt b/testing/tests/ikev2/rw-pkcs8/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 84dd414..121f5df
--- a/testing/tests/ikev2/rw-pkcs8/description.txt
+++ b/testing/tests/ikev2/rw-pkcs8/description.txt
@@ -4,7 +4,7 @@ and matching RSA private keys stored in the <b>PKCS#8</b> format. <b>moon</b>'s
  is unencrypted, <b>carol</b>'s key is encrypted with the default PKCS#5 v1.5
  DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 AES-128 algorithm.
  <p/>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+Upon the successful establishment of the IPsec tunnels, the updown script
  automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
  In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
  the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 849d59a..8a8a95f
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index e72f787..0000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 6a2aea8..0000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 680785b..7415f93
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des md5 sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..b0b603b
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   pkcs8-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 65c9819..0000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index ff6a247..0000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 6fab712..7415f93
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes des sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..c57c6ba
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   pkcs8-dave {
+      file = daveKey.pem
+      secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+   }
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index 1ee7513..0000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index c58fdbc..7415f93
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf

similarity index 95%

rename from testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf

index de225022bb54bd31cbbf269872dbb0e72331a26a..b938f0df5289a7bc425ee9f0034031d89f87fcc1 100755 (executable)
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -2,7 +2,6 @@ connections {
  
     rw {
        local_addrs  = 192.168.0.1
-      pools = big_pool
  
        local {
           auth = pubkey
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..0baa831
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
@@ -1,6 +1,9 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::rm /etc/swanctl/pkcs8/*
+dave::rm /etc/swanctl/pkcs8/*
+moon::rm /etc/swanctl/pkcs8/*
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..85426cb
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,11 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 47f6968..237e2ce
--- a/testing/tests/ikev2/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and <b>Fully Qualified Domain Names</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
  <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index a5aa06b..8a8a95f
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -1,16 +1,10 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ee5bc7c..12ad60e
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index b4aaa6a..81c25e6
--- a/testing/tests/ikev2/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
  to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and <b>IPv4</b> addresses.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
  <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 0c8c311..11a3f6b
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..dcef959
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index 9555143..0325fe9
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
  }
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 1865a1c..eb21008
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index ee5bc7c..12ad60e
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -1,14 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-ppk/description.txt b/testing/tests/ikev2/rw-psk-ppk/description.txt

similarity index 73%

rename from testing/tests/swanctl/rw-psk-ppk/description.txt

rename to testing/tests/ikev2/rw-psk-ppk/description.txt

index b9535b95c2c0fa455c505aed16f18f6785c26777..35ce6781d22d9c01b65ff371889611ef8dc3a6f8 100755 (executable)
--- a/testing/tests/swanctl/rw-psk-ppk/description.txt
+++ b/testing/tests/ikev2/rw-psk-ppk/description.txt
@@ -5,7 +5,8 @@ that's also mixed into the derived key material. The PPK_ID used by <b>dave</b>
  unknown to <b>moon</b> but since both peers don't enforce the use of a PPK they fall back
  to regular authentication by use of the authentication data provided in the NO_PPK_AUTH
  notify.
-Upon the successful establishment of the IPsec tunnels,
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
  <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-psk-ppk/evaltest.dat b/testing/tests/ikev2/rw-psk-ppk/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ppk/evaltest.dat

rename to testing/tests/ikev2/rw-psk-ppk/evaltest.dat
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/ikev2/rw-psk-ppk/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat

rename to testing/tests/ikev2/rw-psk-ppk/posttest.dat
diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-ppk/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-psk-fqdn/pretest.dat

rename to testing/tests/ikev2/rw-psk-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-psk-ppk/test.conf

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-eap-ttls-only/test.conf

rename to testing/tests/ikev2/rw-psk-ppk/test.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 65c9819..0000000
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
-       auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 47e31ca..0000000
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index f6c1a22..0000000
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/swanctl/rw-pubkey-anon/description.txt b/testing/tests/ikev2/rw-pubkey-anon/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/description.txt

rename to testing/tests/ikev2/rw-pubkey-anon/description.txt
diff --git a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat b/testing/tests/ikev2/rw-pubkey-anon/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/evaltest.dat

rename to testing/tests/ikev2/rw-pubkey-anon/evaltest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-pubkey-anon/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-dnssec/posttest.dat

rename to testing/tests/ikev2/rw-pubkey-anon/posttest.dat
diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-pubkey-anon/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

similarity index 100%

rename from testing/tests/swanctl/rw-dnssec/pretest.dat

rename to testing/tests/ikev2/rw-pubkey-anon/pretest.dat
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/test.conf b/testing/tests/ikev2/rw-pubkey-anon/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-ed25519-certpol/test.conf

rename to testing/tests/ikev2/rw-pubkey-anon/test.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/description.txt b/testing/tests/ikev2/rw-pubkey-keyid/description.txt

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/description.txt

rename to testing/tests/ikev2/rw-pubkey-keyid/description.txt
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat b/testing/tests/ikev2/rw-pubkey-keyid/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat

rename to testing/tests/ikev2/rw-pubkey-keyid/evaltest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-anon/posttest.dat

rename to testing/tests/ikev2/rw-pubkey-keyid/posttest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/ikev2/rw-pubkey-keyid/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/rw-pubkey-keyid/pretest.dat

rename to testing/tests/ikev2/rw-pubkey-keyid/pretest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-pubkey-keyid/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-hash-and-url/test.conf

rename to testing/tests/ikev2/rw-pubkey-keyid/test.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index e86d6aa..0000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index e86d6aa..0000000
--- a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 8c6c28b..0000000
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftsourceip=%config
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 72b8a59..0000000
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftsourceip=%config
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       auto=add
diff --git a/testing/tests/swanctl/manual-prio/description.txt b/testing/tests/ikev2/shunt-manual-prio/description.txt

similarity index 100%

rename from testing/tests/swanctl/manual-prio/description.txt

rename to testing/tests/ikev2/shunt-manual-prio/description.txt
diff --git a/testing/tests/swanctl/manual-prio/evaltest.dat b/testing/tests/ikev2/shunt-manual-prio/evaltest.dat

similarity index 100%

rename from testing/tests/swanctl/manual-prio/evaltest.dat

rename to testing/tests/ikev2/shunt-manual-prio/evaltest.dat
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf

similarity index 100%

rename from testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/manual-prio/posttest.dat b/testing/tests/ikev2/shunt-manual-prio/posttest.dat

similarity index 100%

rename from testing/tests/swanctl/manual-prio/posttest.dat

rename to testing/tests/ikev2/shunt-manual-prio/posttest.dat
diff --git a/testing/tests/swanctl/manual-prio/pretest.dat b/testing/tests/ikev2/shunt-manual-prio/pretest.dat

similarity index 100%

rename from testing/tests/swanctl/manual-prio/pretest.dat

rename to testing/tests/ikev2/shunt-manual-prio/pretest.dat
diff --git a/testing/tests/swanctl/rw-psk-ikev1/test.conf b/testing/tests/ikev2/shunt-manual-prio/test.conf

similarity index 100%

rename from testing/tests/swanctl/rw-psk-ikev1/test.conf

rename to testing/tests/ikev2/shunt-manual-prio/test.conf
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt

index 7d9ebfd90aa175c1d5f31eb89db0fcd78dcb4578..b95669dadf5a7fc14b0a6e6ea794ba2bcb646425 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt
@@ -1,7 +1,7 @@
  The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
  tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway.  In order to prevent
  local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
-shunt policy with <b>type=pass</b>.
+shunt policy with <b>mode = pass</b>.
  <p/>
  In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
  ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat

index 67014c5eebf5b9d07214a07bb96498689bebc538..dd0d8ec08063ee92a14b764bacbd338804ef4059 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
@@ -1,12 +1,14 @@
-alice::ipsec status 2> /dev/null::local-net.*PASS::YES
-venus::ipsec status 2> /dev/null::local-net.*PASS::YES
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
+venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
  alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
  venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
  venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
  moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
  moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
  alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
-alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
-\ No newline at end of file
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf

deleted file mode 100644 (file)

index 4c6e51d..0000000
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn nat-t
-       left=%any
-       leftcert=aliceCert.pem
-       leftid=alice@strongswan.org
-       leftsourceip=%config
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=0.0.0.0/0
-       auto=add
-
-conn local-net
-       leftsubnet=10.1.0.0/16
-       rightsubnet=10.1.0.0/16
-       authby=never
-       type=pass
-       auto=route
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..bf799a29b67744200f289fed792d0ff5ad125c97 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf

deleted file mode 100644 (file)

index 90a8ae2..0000000
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn nat-t
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=@sun.strongswan.org
-       leftfirewall=yes
-       leftsubnet=0.0.0.0/0
-       right=%any
-       rightsourceip=10.3.0.0/28
-       auto=add
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..91e32f7ba4d686cc8469d9a039819ea922a83efa 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf

deleted file mode 100644 (file)

index ade6415..0000000
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn nat-t
-       left=%any
-       leftcert=venusCert.pem
-       leftid=@venus.strongswan.org
-       leftsourceip=%config
-       right=PH_IP_SUN
-       rightid=@sun.strongswan.org
-       rightsubnet=0.0.0.0/0
-       auto=add
-
-conn local-net
-       leftsubnet=10.1.0.0/16
-       rightsubnet=10.1.0.0/16
-       authby=never
-       type=pass
-       auto=route
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf

index 9d07c88e40d04298e0018e9385b871f491ebda24..bf799a29b67744200f289fed792d0ff5ad125c97 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  
    keep_alive = 5
  }
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf

similarity index 100%

rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf

rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat

index 1ff2c06444c23bc84a389c8206698c2183349381..a2ee681804a87a1c7220a74f194a42f50f4d5e36 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
@@ -1,5 +1,5 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
  sun::iptables-restore < /etc/iptables.flush
  moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat

index b96aa0ce7880c431b7154386adc5608c22563dca..928a954a87aa24d0b50e466bde5a26909fc2e37d 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
@@ -1,11 +1,11 @@
  sun::iptables-restore < /etc/iptables.rules
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
  moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection nat-t
  alice::expect-connection nat-t
  venus::expect-connection nat-t
-sun::expect-connection nat-t
-alice::ipsec up nat-t
-venus::ipsec up nat-t
-\ No newline at end of file
+alice::swanctl --initiate --child nat-t 2> /dev/null
+venus::swanctl --initiate --child nat-t 2> /dev/null
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf

index bd82f03ad6147d2c7c3bf179ba09c07526c5debd..34b0ba165569f481502bc35cf33235c0204c68c2 100644 (file)
--- a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/strong-keys-certs/description.txt b/testing/tests/ikev2/strong-keys-certs/description.txt

old mode 100644 (file)

new mode 100755 (executable)

index 0847159..472bc0d
--- a/testing/tests/ikev2/strong-keys-certs/description.txt
+++ b/testing/tests/ikev2/strong-keys-certs/description.txt
@@ -1,7 +1,11 @@
-This scenario is derived from <a href="../rw-cert"><b>ikev2/rw-cert</b></a>.
  The gateway <b>moon</b> uses a 3072 bit RSA private key protected by <b>AES-128</b>
  encryption whereas the roadwarriors <b>carol</b> and <b>dave</b> have an
  <b>AES-192</b> and <b>AES-256</b> envelope, respectively.
  The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
  its signature whereas the certificates of the roadwarriors <b>carol</b>
  and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 849d59a..8a8a95f
--- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 732966f..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftcert=carolCert-sha384.pem
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 4c9a601..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey-aes192.pem "ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..8f8fbdf
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..558eaca
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert-sha384.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey-aes192.pem
+      secret = "ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
+   }
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf

deleted file mode 100644 (file)

index 13636bc..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftcert=daveCert-sha512.pem
-       leftid=dave@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets

deleted file mode 100644 (file)

index b4b1c62..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey-aes256.pem "MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..aeb1b75
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..54de49e
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert-sha512.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   rsa-dave {
+      file = daveKey-aes256.pem
+      secret = "MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
+   }
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index f365554..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw
-       left=PH_IP_MOON
-       leftcert=moonCert-sha224.pem
-       leftid=@moon.strongswan.org
-       leftsubnet=10.1.0.0/16
-       leftfirewall=yes
-       right=%any
-       auto=add
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets

deleted file mode 100644 (file)

index 9d298e1..0000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey-aes128.pem "gOQHdrSWeFuiZtYPetWuyzHW"
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf

old mode 100644 (file)

new mode 100755 (executable)

index af5fa19..8f8fbdf
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
  }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..31c6161
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert-sha224.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   rsa-moon {
+      file = moonKey-aes128.pem
+      secret = "gOQHdrSWeFuiZtYPetWuyzHW"
+   }
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat

old mode 100644 (file)

new mode 100755 (executable)

index 3fd6a69..68c8bce
--- a/testing/tests/ikev2/strong-keys-certs/posttest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -1,13 +1,9 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::cd /etc/swanctl; rm rsa/* x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
  moon::iptables-restore < /etc/iptables.flush
  carol::iptables-restore < /etc/iptables.flush
  dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/private/*
-dave::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/certs/*
-
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat

old mode 100644 (file)

new mode 100755 (executable)

index e87a8ee..a7f48db
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -1,11 +1,14 @@
  moon::iptables-restore < /etc/iptables.rules
  carol::iptables-restore < /etc/iptables.rules
  dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem
+carol::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
+dave::cd /etc/swanctl; rm rsa/daveKey.pem x509/daveCert.pem
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
  moon::expect-connection rw
  carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
  dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf

old mode 100644 (file)

new mode 100755 (executable)

index f292988..1227b9d
--- a/testing/tests/ikev2/strong-keys-certs/test.conf
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat

index f1b252c4bc9432d736ac2e77f330978e11b4ea07..63ccd5dcc745ccdd551c5ff4850a266c8b74016e 100644 (file)
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,11 +1,10 @@
  moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
  moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.20/32::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
  moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
  moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf

deleted file mode 100644 (file)

index 9ec202e..0000000
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       uniqueids=no
-       strictcrlpolicy=yes
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-
-conn alice 
-       leftcert=carolCert.pem
-       rightsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus
-       leftcert=carolCert-002.pem
-       rightsubnet=PH_IP_VENUS/32
-       auto=add
-
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets

deleted file mode 100644 (file)

index 2181f94..0000000
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-: RSA carolKey-002.pem 
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf

index af5fa19ef1618ea92149e1f9886421935c4c53aa..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..eccc27b
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,46 @@
+connections {
+
+   alice {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+         }
+      }
+      version = 2
+   }
+
+   venus {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert-002.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         venus {
+            remote_ts = 10.1.0.20/32
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf

deleted file mode 100644 (file)

index d8f1443..0000000
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       uniqueids=no
-       strictcrlpolicy=yes
-
-ca strongswan
-        cacert=strongswanCert.pem
-        crluri=http://crl.strongswan.org/strongswan.crl
-        auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftfirewall=yes
-       right=%any
-       rightid=carol@strongswan.org
-       keyexchange=ikev2
-
-conn alice 
-       leftsubnet=PH_IP_ALICE/32
-       auto=add
-
-conn venus 
-       leftsubnet=PH_IP_VENUS/32
-       auto=add
-
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf

index 93f4345989bc7279b58f86fe0e24dbb744c7d911..b05ed2b339567012f6f266a2936bc7970bede4ef 100644 (file)
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
  # /etc/strongswan.conf - strongSwan configuration file
  
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
  }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf

new file mode 100755 (executable)

index 0000000..6b3d3d7
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+         }
+         venus {
+            local_ts  = 10.1.0.20/32
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat

index eae8c27d4b77742881c621d2eb6adb08459cb107..0877f6b8c490e2031bddd805e9d58ee14f0ee1b3 100644 (file)
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm rsa/* x509/*
+\ No newline at end of file
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat

index ead4b6bb39f5102378b7c6fdf884eef1f61676fc..34393c7243a7c5ce958a8e65cc790a99bc7e1cf8 100644 (file)
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,10 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
  carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
  carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
+carol::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf

index 3f6afa02ead3dd4a814cf83741f1d39c299357cd..65dc3537456c43e5c37e69f144cd7bcaa629a8f2 100644 (file)
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -5,11 +5,11 @@
  
  # All guest instances that are required for this test
  #
-VIRTHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
  
  # Corresponding block diagram
  #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
  
  # Guest instances on which tcpdump is to be started
  #
@@ -19,3 +19,6 @@ TCPDUMPHOSTS="moon"
  # Used for IPsec logging purposes
  #
  IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index af5fa19..0000000
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 7a64dce..0000000
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf

deleted file mode 100644 (file)

index 9bb88d7..0000000
--- a/testing/tests/ikev2/wildcards/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/config-payload/description.txt b/testing/tests/swanctl/config-payload/description.txt

deleted file mode 100755 (executable)

index 3e68a77..0000000
--- a/testing/tests/swanctl/config-payload/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
-<p/>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
-virtual IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat

deleted file mode 100755 (executable)

index 1cc8d82..0000000
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat

deleted file mode 100755 (executable)

index 28f600c..0000000
--- a/testing/tests/swanctl/config-payload/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/swanctl/swanctl_base.conf
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-carol
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/crl-to-cache/description.txt b/testing/tests/swanctl/crl-to-cache/description.txt

deleted file mode 100644 (file)

index 0e6f1cb..0000000
--- a/testing/tests/swanctl/crl-to-cache/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-By setting <b>cache_crls = yes</b> in <b>/etc/strongswan.conf</b>, a copy of
-both the <b>base CRL</b> and the latest <b>delta CRL</b> fetched via http from
-the web server <b>winnetou</b> is saved locally in the directory
-<b>/etc/swanctl/x509crl</b> on both the roadwarrior <b>carol</b> and the
-gateway <b>moon</b> when the IPsec connection is set up.
-The <b>subjectKeyIdentifier</b> of the issuing CA plus the suffixes
-<b>.crl</b> and <b>_delta.crl</b> are used as unique filename for the
-cached <b>base CRL</b> and <b>delta CRL</b>, respectively.
diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat

deleted file mode 100644 (file)

index 91e3457..0000000
--- a/testing/tests/swanctl/crl-to-cache/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
-carol::cat /var/log/daemon.log::certificate was revoked::YES
-carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 48e34ab..0000000
--- a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
-
-  cache_crls = yes
-}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 48e34ab..0000000
--- a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
-
-  cache_crls = yes
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/description.txt b/testing/tests/swanctl/dhcp-dynamic/description.txt

deleted file mode 100644 (file)

index bef5423..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips=0.0.0.0</b>
-parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS server
-information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned dynamically
-by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that <b>carol</b> and <b>dave</b> become full members
-of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to the <b>farp</b> plugin
-through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b> who wants to ping
-<b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat

deleted file mode 100644 (file)

index aa62bce..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index 9932df3..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index 9932df3..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules

deleted file mode 100644 (file)

index 2d9a466..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,39 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
--A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-# allow broadcasts from eth1
--A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# log dropped packets
--A INPUT  -j LOG --log-prefix " IN: "
--A OUTPUT -j LOG --log-prefix " OUT: "
-
-COMMIT
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index c00d3dc..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
-
-  plugins {
-    dhcp {
-      server = 10.1.255.255
-    }
-  }
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf

deleted file mode 100644 (file)

index 7a17850..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name          "strongswan.org";
-  option domain-name-servers   PH_IP_VENUS;
-  option netbios-name-servers  PH_IP_ALICE;
-  option routers               PH_IP_MOON1;
-  option broadcast-address     10.1.255.255;
-  next-server                  PH_IP_VENUS;
-
-  range 10.1.0.50 10.1.0.60;
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf

deleted file mode 100644 (file)

index ec8c945..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-interface=eth0
-dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,PH_IP_MOON1
-dhcp-option=option:dns-server,PH_IP_VENUS
-dhcp-option=option:netbios-ns,PH_IP_ALICE
-dhcp-option=option:domain-name,strongswan.org
-log-dhcp
diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat

deleted file mode 100644 (file)

index d258f1e..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-venus::cat /var/lib/dhcp/dhcpd.leases
-venus::service isc-dhcp-server stop 2> /dev/null
-venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-alice::arp -d 10.1.0.50
-alice::arp -d 10.1.0.51
diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat

deleted file mode 100644 (file)

index d8c1191..0000000
--- a/testing/tests/swanctl/dhcp-dynamic/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-venus::cat /etc/dhcp/dhcpd.conf
-venus::service isc-dhcp-server start 2> /dev/null
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat

deleted file mode 100755 (executable)

index 29cd8bf..0000000
--- a/testing/tests/swanctl/host2host-cert/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat

deleted file mode 100755 (executable)

index 683269a..0000000
--- a/testing/tests/swanctl/host2host-cert/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike host-host 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat

deleted file mode 100755 (executable)

index 5cb1540..0000000
--- a/testing/tests/swanctl/host2host-cert/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection host-host
-sun::expect-connection host-hhost
-moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt

deleted file mode 100755 (executable)

index bc5a129..0000000
--- a/testing/tests/swanctl/host2host-transport/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
-is successfully set up. The authentication is based on X.509 certificates.
-<p/>
-Upon the successful establishment of the IPsec connection, the updown script automatically
-inserts iptables-based firewall rules that let pass the protected traffic.
-In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat

deleted file mode 100755 (executable)

index 8b103d0..0000000
--- a/testing/tests/swanctl/host2host-transport/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat

deleted file mode 100755 (executable)

index 683269a..0000000
--- a/testing/tests/swanctl/host2host-transport/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike host-host 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat

deleted file mode 100755 (executable)

index 5cb1540..0000000
--- a/testing/tests/swanctl/host2host-transport/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection host-host
-sun::expect-connection host-hhost
-moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/description.txt b/testing/tests/swanctl/ip-pool-db/description.txt

deleted file mode 100755 (executable)

index 2cac465..0000000
--- a/testing/tests/swanctl/ip-pool-db/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-The gateway <b>moon</b> assigns virtual IP addresses from a pool named <b>bigpool</b> that was
-created in an SQL database by the command
-<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
-<p>
-The updown script automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
-virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat

deleted file mode 100755 (executable)

index 5133e42..0000000
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ /dev/null
@@ -1,23 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index 886b31f..0000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index 886b31f..0000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index 31cf56d..0000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
-
-  plugins {
-    attr-sql {
-      database = sqlite:///etc/db.d/ipsec.db
-    }
-  }
-}
-
-pool {
-  load = sqlite
-  database = sqlite:///etc/db.d/ipsec.db
-}
diff --git a/testing/tests/swanctl/ip-pool/description.txt b/testing/tests/swanctl/ip-pool/description.txt

deleted file mode 100755 (executable)

index 17b1573..0000000
--- a/testing/tests/swanctl/ip-pool/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-The gateway <b>moon</b> assigns virtual IP addresses from a simple pool defined in the pools section
-of swanctl.conf in a monotonously increasing order.
-<p/>
-The updown script automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat

deleted file mode 100755 (executable)

index 36ab6c1..0000000
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat

deleted file mode 100755 (executable)

index 16dc236..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
+++ /dev/null
@@ -1,35 +0,0 @@
-moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
-moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
-moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
-venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
-dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
-dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
-venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
-
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf

deleted file mode 100755 (executable)

index f021e9c..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index f021e9c..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index f021e9c..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index fba531a..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
-
-  plugins {
-    attr-sql {
-      database = sqlite:///etc/db.d/ipsec.db
-    }
-  }
-}
-
-pool {
-  load = sqlite
-  database = sqlite:///etc/db.d/ipsec.db
-}
-\ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf

deleted file mode 100755 (executable)

index f021e9c..0000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt

deleted file mode 100755 (executable)

index df9f54a..0000000
--- a/testing/tests/swanctl/ip-two-pools/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
-Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
-<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
-virtual IP addresses from  <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
-connecting to the <b>eth1</b> (10.1.0.1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
-both ping the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat

deleted file mode 100755 (executable)

index cb3b60f..0000000
--- a/testing/tests/swanctl/ip-two-pools/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
-moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
-moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
-alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat

deleted file mode 100755 (executable)

index f0a8f0f..0000000
--- a/testing/tests/swanctl/ip-two-pools/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-alice::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-alice::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat

deleted file mode 100755 (executable)

index fb6cb52..0000000
--- a/testing/tests/swanctl/ip-two-pools/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-alice::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-alice::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-alice::expect-connection home
-alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt

deleted file mode 100644 (file)

index 3641d09..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
-using multiple authentication exchanges (RFC 4739). In a first round 
-both <b>carol</b> and <b>moon</b> authenticate themselves by sending 
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<p>
-In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to
-authenticate herself against the remote RADIUS server <b>alice</b>. 
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
-The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
-The roadwarrior <b>dave</b> also uses multiple authentication and succeeds
-in the first round but sends wrong EAP-SIM triplets in the second round.
-As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b>
-message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.  
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat

deleted file mode 100644 (file)

index a520e5c..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users

deleted file mode 100644 (file)

index aa6f980..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
+++ /dev/null
@@ -1,2 +0,0 @@
-228060123456001        EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
-228060123456002        EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users

deleted file mode 100644 (file)

index aa6f980..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ /dev/null
@@ -1,2 +0,0 @@
-228060123456001        EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
-228060123456002        EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 54b79b3..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat

deleted file mode 100644 (file)

index b8b86c8..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 54b79b3..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat

deleted file mode 100644 (file)

index 125ee22..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /etc/ipsec.d/triplets.dat
-dave::cat /etc/ipsec.d/triplets.dat
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf

deleted file mode 100644 (file)

index 6781150..0000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
-
diff --git a/testing/tests/swanctl/multi-level-ca/description.txt b/testing/tests/swanctl/multi-level-ca/description.txt

deleted file mode 100644 (file)

index 64825cb..0000000
--- a/testing/tests/swanctl/multi-level-ca/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat

deleted file mode 100644 (file)

index cd171e8..0000000
--- a/testing/tests/swanctl/nat-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon:: sleep 6::no output expected::NO
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
-sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
-alice::cat /var/log/daemon.log::sending keep alive::YES
-venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat

deleted file mode 100644 (file)

index ae6aaed..0000000
--- a/testing/tests/swanctl/nat-rw/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon:: sleep 6::no output expected::NO
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
-sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
-alice::cat /var/log/daemon.log::sending keep alive::YES
-venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf

deleted file mode 100644 (file)

index fd9bf8c..0000000
--- a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
-  keep_alive = 5
-}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf

deleted file mode 100644 (file)

index fd9bf8c..0000000
--- a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
-  keep_alive = 5
-}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/description.txt b/testing/tests/swanctl/net2net-ed25519/description.txt

deleted file mode 100755 (executable)

index 07839e0..0000000
--- a/testing/tests/swanctl/net2net-ed25519/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
-Upon the successful establishment of the IPsec tunnel, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-ed25519/evaltest.dat b/testing/tests/swanctl/net2net-ed25519/evaltest.dat

deleted file mode 100755 (executable)

index ebbb8ae..0000000
--- a/testing/tests/swanctl/net2net-ed25519/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
-sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index a35aea0..0000000
--- a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index a35aea0..0000000
--- a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat

deleted file mode 100755 (executable)

index 321fd34..0000000
--- a/testing/tests/swanctl/net2net-ed25519/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/swanctl/pkcs8/*
-sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat

deleted file mode 100755 (executable)

index 1ab4f5f..0000000
--- a/testing/tests/swanctl/net2net-ed25519/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::rm /etc/swanctl/rsa/moonKey.pem
-sun::rm /etc/swanctl/rsa/sunKey.pem
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-ed25519/test.conf b/testing/tests/swanctl/net2net-ed25519/test.conf

deleted file mode 100755 (executable)

index 07a3b24..0000000
--- a/testing/tests/swanctl/net2net-ed25519/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-multicast/evaltest.dat b/testing/tests/swanctl/net2net-multicast/evaltest.dat

deleted file mode 100644 (file)

index 6efa23a..0000000
--- a/testing/tests/swanctl/net2net-multicast/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
-bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat

deleted file mode 100644 (file)

index e28c8d4..0000000
--- a/testing/tests/swanctl/net2net-multicast/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat

deleted file mode 100644 (file)

index b323c5e..0000000
--- a/testing/tests/swanctl/net2net-multicast/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat

deleted file mode 100755 (executable)

index 4c56d52..0000000
--- a/testing/tests/swanctl/net2net-psk/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat

deleted file mode 100755 (executable)

index cc6a5bf..0000000
--- a/testing/tests/swanctl/net2net-psk/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat

deleted file mode 100755 (executable)

index e935b95..0000000
--- a/testing/tests/swanctl/net2net-psk/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-pubkey/description.txt b/testing/tests/swanctl/net2net-pubkey/description.txt

deleted file mode 100644 (file)

index 1cb90f1..0000000
--- a/testing/tests/swanctl/net2net-pubkey/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>raw RSA keys</b> loaded in PKCS#1 format.
-<p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-pubkey/evaltest.dat b/testing/tests/swanctl/net2net-pubkey/evaltest.dat

deleted file mode 100644 (file)

index b539804..0000000
--- a/testing/tests/swanctl/net2net-pubkey/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 29e75f7..0000000
--- a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
-}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 29e75f7..0000000
--- a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
-}
diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat

deleted file mode 100644 (file)

index 468caf3..0000000
--- a/testing/tests/swanctl/net2net-pubkey/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/swanctl/pubkey/*
-sun::rm /etc/swanctl/pubkey/*
diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat

deleted file mode 100644 (file)

index fcd4335..0000000
--- a/testing/tests/swanctl/net2net-pubkey/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables-restore < /etc/iptables.rules
-sun::cd /etc/swanctl; rm x509/* x509ca/*
-moon::cd /etc/swanctl; rm x509/* x509ca/*
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-sun::expect-connection gw-gw
-moon::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat

deleted file mode 100755 (executable)

index 5a95371..0000000
--- a/testing/tests/swanctl/net2net-route/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat

deleted file mode 100755 (executable)

index cc6a5bf..0000000
--- a/testing/tests/swanctl/net2net-route/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat

deleted file mode 100755 (executable)

index 5b2546f..0000000
--- a/testing/tests/swanctl/net2net-route/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables-restore < /etc/iptables.rules
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-sun::expect-connection gw-gw
-moon::expect-connection gw-gw
-alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/swanctl/net2net-route/test.conf b/testing/tests/swanctl/net2net-route/test.conf

deleted file mode 100755 (executable)

index 07a3b24..0000000
--- a/testing/tests/swanctl/net2net-route/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat

deleted file mode 100755 (executable)

index 4c56d52..0000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat

deleted file mode 100755 (executable)

index cc6a5bf..0000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat

deleted file mode 100755 (executable)

index 2d3c8c1..0000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf

deleted file mode 100755 (executable)

index 07a3b24..0000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat

deleted file mode 100755 (executable)

index 4c56d52..0000000
--- a/testing/tests/swanctl/net2net-start/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf

deleted file mode 100755 (executable)

index ad4c18e..0000000
--- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat

deleted file mode 100755 (executable)

index cc6a5bf..0000000
--- a/testing/tests/swanctl/net2net-start/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-start/test.conf b/testing/tests/swanctl/net2net-start/test.conf

deleted file mode 100755 (executable)

index 07a3b24..0000000
--- a/testing/tests/swanctl/net2net-start/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/ocsp-multi-level/description.txt b/testing/tests/swanctl/ocsp-multi-level/description.txt

deleted file mode 100644 (file)

index cd0ecf1..0000000
--- a/testing/tests/swanctl/ocsp-multi-level/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b>, the certificate status from the strongSwan, Research and
-Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/description.txt b/testing/tests/swanctl/ocsp-signer-cert/description.txt

deleted file mode 100644 (file)

index 22496f1..0000000
--- a/testing/tests/swanctl/ocsp-signer-cert/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
-is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
-issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
-extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
-in an authority information access extension pointing to <b>winnetou</b>. 
-Therefore no special authorities section information is needed in moon's swanctl.conf.
-<p>
-<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
-the status of both certificates is <b>good</b>.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat

deleted file mode 100644 (file)

index 4597216..0000000
--- a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
-moon:: cat /var/log/daemon.log::requesting ocsp status::YES
-moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon:: cat /var/log/daemon.log::ocsp response is valid::YES
-moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::requesting ocsp status::YES
-carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-carol::cat /var/log/daemon.log::ocsp response is valid::YES
-carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/protoport-dual/evaltest.dat b/testing/tests/swanctl/protoport-dual/evaltest.dat

deleted file mode 100644 (file)

index b5eec4b..0000000
--- a/testing/tests/swanctl/protoport-dual/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat

deleted file mode 100644 (file)

index f056317..0000000
--- a/testing/tests/swanctl/protoport-dual/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection icmp
-moon::expect-connection ssh
-carol::expect-connection icmp
-carol::expect-connection ssh
-carol::swanctl --initiate --child icmp 2> /dev/null
-carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 91e32f7..0000000
--- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 91e32f7..0000000
--- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index b415e07..0000000
--- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index b415e07..0000000
--- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index b415e07..0000000
--- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-dnssec/evaltest.dat b/testing/tests/swanctl/rw-dnssec/evaltest.dat

deleted file mode 100644 (file)

index 73a2ff4..0000000
--- a/testing/tests/swanctl/rw-dnssec/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
-moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules

deleted file mode 100644 (file)

index b2c4252..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf

deleted file mode 100644 (file)

index 73d926d..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 6339790..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
-
-  plugins {
-    ipseckey {
-      enable = yes
-    }
-    unbound {
-      trust_anchors = /etc/swanctl/dnssec.keys
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys

deleted file mode 100644 (file)

index d059d84..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-.              IN      DNSKEY  257 3 8 (
-                               AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
-                               XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
-                               L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
-                               E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
-                               AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
-                               nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
-                               O9fOgGnjzAk=
-                               )
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules

deleted file mode 100644 (file)

index b2c4252..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf

deleted file mode 100644 (file)

index 73d926d..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 6339790..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
-
-  plugins {
-    ipseckey {
-      enable = yes
-    }
-    unbound {
-      trust_anchors = /etc/swanctl/dnssec.keys
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys

deleted file mode 100644 (file)

index d059d84..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-.              IN      DNSKEY  257 3 8 (
-                               AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
-                               XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
-                               L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
-                               E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
-                               AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
-                               nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
-                               O9fOgGnjzAk=
-                               )
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules

deleted file mode 100644 (file)

index b2c4252..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf

deleted file mode 100644 (file)

index 73d926d..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 617b812..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
-
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
-
-  plugins {
-    ipseckey {
-      enable = yes
-    }
-    unbound {
-      trust_anchors = /etc/swanctl/dnssec.keys
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys

deleted file mode 100644 (file)

index d059d84..0000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-.              IN      DNSKEY  257 3 8 (
-                               AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
-                               XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
-                               L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
-                               E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
-                               AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
-                               nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
-                               O9fOgGnjzAk=
-                               )
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat

deleted file mode 100644 (file)

index a655543..0000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 1582b2b..0000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 1582b2b..0000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat

deleted file mode 100644 (file)

index 0d4f741..0000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 4d4fc35..0000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 4d4fc35..0000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat

deleted file mode 100644 (file)

index 68075b0..0000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat

deleted file mode 100644 (file)

index b529b4b..0000000
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt

deleted file mode 100644 (file)

index 42db2e1..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
-<p/>
-Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
-<i>Extensible Authentication Protocol</i> to authenticate herself.
-<p/>
-The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
-In addition to her IKEv2 identity<b>carol@strongswan.org</b>, roadwarrior
-<b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat

deleted file mode 100644 (file)

index 3080ec1..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index fa363c3..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat

deleted file mode 100644 (file)

index 4b05d1f..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat

deleted file mode 100644 (file)

index 193f9e9..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index d2cc789..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat

deleted file mode 100644 (file)

index 68075b0..0000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt

deleted file mode 100644 (file)

index f0f241d..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
-<p/>
-Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
-<i>Extensible Authentication Protocol</i> to authenticate herself.
-The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
-\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat

deleted file mode 100644 (file)

index 09a78be..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index e57629f..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bf61401..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat

deleted file mode 100644 (file)

index 4b05d1f..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat

deleted file mode 100644 (file)

index 193f9e9..0000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat

deleted file mode 100644 (file)

index c0026af..0000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index e57629f..0000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index e57629f..0000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat

deleted file mode 100644 (file)

index 68075b0..0000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat

deleted file mode 100644 (file)

index a1c2d4e..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity.*carol
-moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index d9210ae..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index d9210ae..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat

deleted file mode 100644 (file)

index 68075b0..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf

deleted file mode 100644 (file)

index 97b89cb..0000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 56df2de..0000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 56df2de..0000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 347e7f7..0000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-  plugins {
-    eap-peap {
-      phase2_method = md5
-      phase2_piggyback = yes
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat

deleted file mode 100644 (file)

index e5c82ef..0000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat

deleted file mode 100644 (file)

index 69f83f6..0000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index b3fdc5d..0000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index b3fdc5d..0000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index c7023a6..0000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-  plugins {
-    eap-peap {
-      phase2_method = mschapv2
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat

deleted file mode 100644 (file)

index e5c82ef..0000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat

deleted file mode 100644 (file)

index 69f83f6..0000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt

deleted file mode 100644 (file)

index 0040682..0000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
-<p/>
-Next <b>carol</b> and <b>dave</b> et up an <b>EAP-PEAP</b> tunnel each via
-gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
-AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
-authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
-and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index cb7743f..0000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index cb7743f..0000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bf61401..0000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat

deleted file mode 100644 (file)

index 6363fcb..0000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat

deleted file mode 100644 (file)

index 038a2c1..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat

deleted file mode 100644 (file)

index c167ba9..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 11ae80c..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index fa363c3..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat

deleted file mode 100644 (file)

index 4b05d1f..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat

deleted file mode 100644 (file)

index 1841126..0000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-carol::cat /etc/ipsec.d/triplets.dat
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat

deleted file mode 100644 (file)

index 3d33597..0000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default

deleted file mode 100644 (file)

index 51b64a7..0000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ /dev/null
@@ -1,72 +0,0 @@
-authorize {
-  preprocess
-  chap
-  mschap
-  files
-  suffix
-  update reply {
-    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
-    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
-    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
-    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
-    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
-    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
-    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
-    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
-    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
-  }
-  eap {
-    ok = return
-  }
-  unix
-  files
-  expiration
-  logintime
-  pap
-}
-
-authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bf61401..0000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat

deleted file mode 100644 (file)

index 476e4e1..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

deleted file mode 100644 (file)

index 7d80239..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim
-  sim {
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf

deleted file mode 100644 (file)

index 7d80239..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim
-  sim {
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bf61401..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat

deleted file mode 100644 (file)

index a3aff64..0000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat

deleted file mode 100644 (file)

index 1e96789..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bcd8ef0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat

deleted file mode 100644 (file)

index 68075b0..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf

deleted file mode 100644 (file)

index 97b89cb..0000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat

deleted file mode 100644 (file)

index c9f3462..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 0b9b399..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 69bff64..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat

deleted file mode 100644 (file)

index af9cda6..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat

deleted file mode 100644 (file)

index 1e8e27f..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf

deleted file mode 100644 (file)

index 97b89cb..0000000
--- a/testing/tests/swanctl/rw-eap-tls-only/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt

deleted file mode 100644 (file)

index d635ae3..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
-<p/>
-Next <b>carol</b> uses a mutual <b>EAP-TLS</b> authentication based
-on X.509 certificates. The gateway forwards all EAP messages to the
-AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat

deleted file mode 100644 (file)

index 46d8814..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

deleted file mode 100644 (file)

index e69de29..0000000
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf

deleted file mode 100644 (file)

index 23cba8d..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 3b1e09b..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
-
-  multiple_authentication = no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 9945bef..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat

deleted file mode 100644 (file)

index 4b05d1f..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat

deleted file mode 100644 (file)

index 9b3942d..0000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat

deleted file mode 100755 (executable)

index 8a8a95f..0000000
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index c2c9aa5..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index c2c9aa5..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 8633346..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat

deleted file mode 100644 (file)

index e5c82ef..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat

deleted file mode 100644 (file)

index 69f83f6..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt

deleted file mode 100644 (file)

index 479350c..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
-<p/>
-Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via
-gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
-AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
-authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
-and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

deleted file mode 100644 (file)

index 23cba8d..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

deleted file mode 100644 (file)

index 2bbe1d7..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
+++ /dev/null
@@ -1,59 +0,0 @@
-server default {
-
-listen {
-  type = auth
-  ipaddr = 10.1.0.10
-  port = 0
-}
-
-authorize {
-  preprocess
-  suffix
-  eap {
-    ok = return
-  }
-  files
-  expiration
-  logintime
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  exec
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-    eap
-    remove_reply_message_if_eap
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 85d90cc..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 85d90cc..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules

deleted file mode 100644 (file)

index 1eb7553..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index bf61401..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat

deleted file mode 100644 (file)

index a3aff64..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat

deleted file mode 100644 (file)

index 6363fcb..0000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat

deleted file mode 100755 (executable)

index a7f04b5..0000000
--- a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index 90f42a1..0000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
-  hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index 90f42a1..0000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
-  hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index 90f42a1..0000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
-  hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/posttest.dat b/testing/tests/swanctl/rw-hash-and-url/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-hash-and-url/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-newhope-bliss/description.txt b/testing/tests/swanctl/rw-newhope-bliss/description.txt

deleted file mode 100755 (executable)

index 0a7f248..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm
-with a cryptographical strength of 128 bits. Authentication is based on the BLISS
-algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
-<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
-<p>
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order. 
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat

deleted file mode 100755 (executable)

index be3b867..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index 16dcf16..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index 4757050..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index 16dcf16..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat

deleted file mode 100755 (executable)

index 819964b..0000000
--- a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
-carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
-dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-ntru-bliss/description.txt b/testing/tests/swanctl/rw-ntru-bliss/description.txt

deleted file mode 100644 (file)

index 82ebd89..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
-192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
-algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
-<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
-<p>
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order. 
-<p>
-The updown script automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat

deleted file mode 100644 (file)

index 937425f..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index 0a86ed8..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index 0a86ed8..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index 0a86ed8..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
-  send_vendor_id = yes
-  fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat

deleted file mode 100644 (file)

index b117208..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-moon::cd /etc/swanctl;  rm bliss/* x509/moonCert.der  x509ca/strongswan_blissCert.der
-carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der
-dave::cd /etc/swanctl;  rm bliss/* x509/daveCert.der  x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat

deleted file mode 100644 (file)

index 819964b..0000000
--- a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
-carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
-dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat

deleted file mode 100755 (executable)

index 8a8a95f..0000000
--- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index dcef959..0000000
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat

deleted file mode 100755 (executable)

index 11a3f6b..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf

deleted file mode 100755 (executable)

index dcef959..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index dcef959..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index 0325fe9..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat

deleted file mode 100755 (executable)

index 12ad60e..0000000
--- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf

deleted file mode 100755 (executable)

index dcef959..0000000
--- a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf

deleted file mode 100755 (executable)

index dcef959..0000000
--- a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = random openssl
-}
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ppk/posttest.dat b/testing/tests/swanctl/rw-psk-ppk/posttest.dat

deleted file mode 100755 (executable)

index eb21008..0000000
--- a/testing/tests/swanctl/rw-psk-ppk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ppk/pretest.dat b/testing/tests/swanctl/rw-psk-ppk/pretest.dat

deleted file mode 100755 (executable)

index 12ad60e..0000000
--- a/testing/tests/swanctl/rw-psk-ppk/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat

deleted file mode 100755 (executable)

index 94c1fc8..0000000
--- a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm x509/* x509ca/*
-carol::cd /etc/swanctl; rm x509/* x509ca/*
-dave::cd /etc/swanctl; rm x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/test.conf b/testing/tests/swanctl/rw-pubkey-anon/test.conf

deleted file mode 100755 (executable)

index 1227b9d..0000000
--- a/testing/tests/swanctl/rw-pubkey-anon/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat

deleted file mode 100755 (executable)

index 2ea5b86..0000000
--- a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::rm /etc/swanctl/pubkey/*
-carol::rm /etc/swanctl/pubkey/*
-dave::rm /etc/swanctl/pubkey/*
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/test.conf b/testing/tests/swanctl/rw-pubkey-keyid/test.conf

deleted file mode 100755 (executable)

index 1227b9d..0000000
--- a/testing/tests/swanctl/rw-pubkey-keyid/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt

deleted file mode 100644 (file)

index b95669d..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway.  In order to prevent
-local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
-shunt policy with <b>mode = pass</b>.
-<p/>
-In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat

deleted file mode 100644 (file)

index dd0d8ec..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
-venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
-sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
-sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
-alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf

deleted file mode 100644 (file)

index bf799a2..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
-  keep_alive = 5
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf

deleted file mode 100644 (file)

index 91e32f7..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf

deleted file mode 100644 (file)

index bf799a2..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
-  keep_alive = 5
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat

deleted file mode 100644 (file)

index a2ee681..0000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
-sun::systemctl stop strongswan
-sun::iptables-restore < /etc/iptables.flush
-moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/xauth-rsa/description.txt b/testing/tests/swanctl/xauth-rsa/description.txt

deleted file mode 100644 (file)

index 9e78e41..0000000
--- a/testing/tests/swanctl/xauth-rsa/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on RSA public key signatures (<b>pubkey</b>) using X.509 certificates
-in the first round followed by extended authentication (<b>xauth</b>) of <b>carol</b> and <b>dave</b>
-based on user names equal to the <b>IKEv1 identity</b> (<b>carol@strongswan.org</b> and
-<b>dave@strongswan.org</b>, respectively) and corresponding <b>XAuth</b> user passwords.
-<p>
-Upon the successful establishment of the IPsec tunnel, automatically inserted iptables-based
-firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/xauth-rsa/evaltest.dat b/testing/tests/swanctl/xauth-rsa/evaltest.dat

deleted file mode 100644 (file)

index 46d66a0..0000000
--- a/testing/tests/swanctl/xauth-rsa/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf

deleted file mode 100644 (file)

index fccc73f..0000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf

deleted file mode 100644 (file)

index fccc73f..0000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf

deleted file mode 100644 (file)

index fccc73f..0000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat

deleted file mode 100644 (file)

index eb21008..0000000
--- a/testing/tests/swanctl/xauth-rsa/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat

deleted file mode 100644 (file)

index 3d37a86..0000000
--- a/testing/tests/swanctl/xauth-rsa/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/xauth-rsa/test.conf b/testing/tests/swanctl/xauth-rsa/test.conf

deleted file mode 100644 (file)

index 1227b9d..0000000
--- a/testing/tests/swanctl/xauth-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Sun, 4 Apr 2021 08:45:46 +0000 (10:45 +0200)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Fri, 21 May 2021 07:42:50 +0000 (09:42 +0200)