+++ /dev/null
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
-<p/>
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
-respectively.
-<p/>
-Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
-(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
-respectively.
-<p/>
-A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha512-modp2048!
- esp=aes256gcm128-modp2048!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-modp1536!
- esp=aes128gcm128-modp1536!
-
-conn home
- left=PH_IP_DAVE
- leftfirewall=yes
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
- esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol dave winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
-use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
-cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048!
- esp=blowfish192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish128-sha256-modp1536!
- esp=blowfish128-sha256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
- esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"