--- /dev/null
+Two transport connections to gateway <b>sun</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>sun</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>sun</b>.
--- /dev/null
+sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
+dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
+carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn host-host
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_SUN
+ rightid=sun.strongswan.org
+ ike=aes256-sha512-modp4096!
+ esp=aes256-sha512-modp4096!
+ type=transport
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn host-host
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ right=PH_IP_SUN
+ rightid=sun.strongswan.org
+ ike=aes256-sha512-modp4096!
+ esp=aes256-sha512-modp4096!
+ type=transport
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
--- /dev/null
+<tkmconfig>
+ <local_identity id="1">
+ <identity>sun.strongswan.org</identity>
+ <certificate>sunCert.pem</certificate>
+ </local_identity>
+ <policy id="1">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.2</ip>
+ </local>
+ <remote>
+ <identity>carol@strongswan.org</identity>
+ <ip>192.168.0.100</ip>
+ </remote>
+ <lifetime>
+ <soft>30</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+ <policy id="2">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.2</ip>
+ </local>
+ <remote>
+ <identity>dave@strongswan.org</identity>
+ <ip>192.168.0.200</ip>
+ </remote>
+ <lifetime>
+ <soft>30</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+</tkmconfig>
--- /dev/null
+sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::killall tkm_keymanager
+sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::ipsec stop
+dave::ipsec stop
--- /dev/null
+sun::rm /etc/ipsec.secrets
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/ipsec.conf
+sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+sun::expect-file /tmp/tkm.rpc.ike
+sun::DAEMON_NAME=charon-tkm ipsec start
+carol::ipsec start
+carol::expect-connection host-host
+dave::ipsec start
+dave::expect-connection host-host
+sun::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::DAEMON_NAME=charon-tkm expect-connection conn2
+carol::ipsec up host-host
+dave::ipsec up host-host
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave sun winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave sun"
projects / thirdparty / strongswan.git / commitdiff
