From: Andreas Steffen
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat
new file mode 100644
index 0000000000..210072e86c
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/evaltest.dat
@@ -0,0 +1,24 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
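Review bot: The evaltest verifies the virtual IP assignment (lines for 10.3.0.1/10.3.0.2) but nothing confirms the DNS attributes that moon pushes: carol and dave load the `resolve` plugin and moon loads `attr` with `dns1`/`dns2` set in the strongswan.conf hunks below, yet a regression in that attribute path would pass this test unnoticed. If the resolve plugin's log wording is the usual one, a check such as `carol::cat /var/log/daemon.log::installing DNS server 192.168.0.150::YES` (and the same for dave) would pin it; confirm the exact message against the plugin before adding it. Without such a line, loading `resolve` on the clients adds nothing the test actually asserts.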
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..d6dcd99d02
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..d6dcd99d02
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..4f0b4be879
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
+
+ dns1 = 192.168.0.150
+ dns2 = 10.1.0.20
+}
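Review bot: `dns1` / `dns2` at the top level of the `charon` section are the legacy spelling of the attr plugin's DNS option; as far as I recall the current form is `charon.plugins.attr.dns = 192.168.0.150, 10.1.0.20` inside a `plugins { attr { ... } }` block. Since these files are being created fresh for the new ikev1-stroke tree, this is a cheap moment to move to the non-legacy keys so the tests do not depend on compatibility handling. If the legacy keys are kept on purpose (e.g. to exercise that path), a one-line `#` comment saying so would save the next reader the same question.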
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/ip-pool-wish/posttest.dat
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/posttest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-psk-config/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/pretest.dat
rename to testing/tests/ikev1-stroke/xauth-id-psk-config/pretest.dat
diff --git a/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf b/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf
new file mode 100644
index 0000000000..9b1ec0b545
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-psk-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt b/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt
new file mode 100644
index 0000000000..feb154d49d
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on RSA signatures (RSASIG) using X.509 certificates
+followed by extended authentication (XAUTH) of carol and dave
+based on user names defined by the xauth_identity parameter (carol and dave,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+Next both carol and dave request a virtual IP via the IKE Mode Config
+protocol by using the leftsourceip=%config parameter.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat
new file mode 100644
index 0000000000..13e4b26a92
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
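Review bot: This evaltest stops at the ESP capture on moon, whereas the sibling xauth-id-psk-config test also captures the ICMP echo request/reply on alice (four `alice::tcpdump::...` lines) to prove the packets actually traverse the tunnel and the leftfirewall rules; the description for this test makes the same "ping alice behind moon" claim, so the same alice-side checks would back it. The evaltests for xauth-id-rsa-hybrid, xauth-psk and xauth-rsa have the same gap. This presumes the renamed test.conf files for those tests list alice in TCPDUMPHOSTS, which I cannot see here; if they do not, that is the part to change first.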
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..b635720d1a
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
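Review bot: carol's plugin list loads `md5` while dave's and moon's strongswan.conf for the same test (same RSASIG + XAUTH role) do not, and the same asymmetry repeats in the xauth-id-rsa-hybrid and xauth-rsa carol files. Keeping the loaded plugin set to what the test needs is the point of an explicit `load =` line, so if `md5` is required on carol (for instance by a legacy signature in her certificate store) a short `#` comment saying why would keep it from being "cleaned up" later; if it is not required, dropping it makes the three hosts consistent.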
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/farp/posttest.dat
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/posttest.dat
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat
new file mode 100644
index 0000000000..2eddae2d8f
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-config/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+moon::expect-connection rw-dave
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-config/test.conf
similarity index 100%
rename from testing/tests/ikev2/alg-modp-subgroup/test.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-config/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt
new file mode 100644
index 0000000000..88351ffda3
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection to gateway moon
+using IKEv1 Hybrid Mode.
+The authentication of moon is based on an RSA signature combined with a X.509 certificate,
+followed by an extended authentication (XAUTH) of carol and dave
+based on user names defined by the xauth_identity parameter (carol and dave,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat
new file mode 100644
index 0000000000..b482ddba38
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..b635720d1a
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/forecast/posttest.dat
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/posttest.dat
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-blowfish/pretest.dat
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/pretest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/test.conf
rename to testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-psk/description.txt b/testing/tests/ikev1-stroke/xauth-psk/description.txt
new file mode 100644
index 0000000000..08816ef233
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on Pre-Shared Keys (PSK) followed by extended
+authentication (XAUTH) of carol and dave based on user names and passwords.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat b/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat
new file mode 100644
index 0000000000..90cf05c315
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..73a4271bd5
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..73a4271bd5
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..73a4271bd5
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev1-stroke/xauth-psk/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/posttest.dat
rename to testing/tests/ikev1-stroke/xauth-psk/posttest.dat
diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/ikev1-stroke/xauth-psk/pretest.dat
old mode 100755
new mode 100644
similarity index 52%
rename from testing/tests/swanctl/rw-cert/pretest.dat
rename to testing/tests/ikev1-stroke/xauth-psk/pretest.dat
index 3d37a86e52..ee5bc7c721
--- a/testing/tests/swanctl/rw-cert/pretest.dat
+++ b/testing/tests/ikev1-stroke/xauth-psk/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
moon::expect-connection rw
carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
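Review bot: The three `rm /etc/ipsec.d/cacerts/*` lines are the one host-state change that is not explained anywhere in the test; presumably they remove the CA certificates so that the PSK authentication cannot be shadowed by a certificate-based fallback, which is what makes this test meaningful. Since the .dat format offers no comment line, the place to record that intent is description.txt, e.g. a sentence like "The CA certificates are removed on all hosts beforehand so that only the pre-shared keys can authenticate the peers." If the removal has a different reason, the description should state that instead.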
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1-stroke/xauth-psk/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
rename to testing/tests/ikev1-stroke/xauth-psk/test.conf
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/description.txt b/testing/tests/ikev1-stroke/xauth-rsa/description.txt
new file mode 100644
index 0000000000..6ad07e957c
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on RSA signatures (RSASIG) using X.509 certificates
+followed by extended authentication (XAUTH) of carol and dave
+based on user names equal to the IKEv1 identities carol@strongswan.org and
+dave@strongswan.org, respectively and corresponding user passwords defined and
+stored in ipsec.secrets.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat b/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat
new file mode 100644
index 0000000000..90cf05c315
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..b635720d1a
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
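Review bot: carol's `load =` line includes `md5`, whereas the strongswan.conf files added for dave and moon in the same scenario (both at blob e3bada0fc9) omit it, so the three hosts of one test disagree on which hash plugins are loaded. If carol's renamed ipsec.conf does not propose an MD5-based transform — its content is not in this chunk — the entry is surplus and the line should match the other two: `load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke`. If it is needed, a one-line comment above the line saying why carol alone loads md5 would spare the next reader the same comparison.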
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..e3bada0fc9
--- /dev/null
+++ b/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1-stroke/xauth-rsa/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
rename to testing/tests/ikev1-stroke/xauth-rsa/posttest.dat
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1-stroke/xauth-rsa/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-modp-subgroup/pretest.dat
rename to testing/tests/ikev1-stroke/xauth-rsa/pretest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev1-stroke/xauth-rsa/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/test.conf
rename to testing/tests/ikev1-stroke/xauth-rsa/test.conf
diff --git a/testing/tests/ikev1/.gitignore b/testing/tests/ikev1/.gitignore
index cfaad76118..f8443fea46 100644
--- a/testing/tests/ikev1/.gitignore
+++ b/testing/tests/ikev1/.gitignore
@@ -1 +1,4 @@
+*.crl
+*.der
+*.p12
*.pem
diff --git a/testing/tests/ikev1/alg-3des-md5/description.txt b/testing/tests/ikev1/alg-3des-md5/description.txt
deleted file mode 100644
index 4c39d0b049..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-3DES_CBC / HMAC_MD5_96 by defining esp=3des-md5-modp1024!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
deleted file mode 100644
index b5009aaef7..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
-moon:: ip xfrm state::enc cbc(des3_ede)::YES
-carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth-trunc hmac(md5)::YES
-carol::ip xfrm state::auth-trunc hmac(md5)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 11874bbe44..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-md5-modp1024!
- esp=3des-md5-modp1024!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 2c4f3fc214..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 41fb1f7db4..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-md5-modp1024!
- esp=3des-md5-modp1024!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 66ff24601f..0000000000
--- a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
deleted file mode 100644
index a4f1f29983..0000000000
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index db409be435..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=blowfish256-sha512-modp2048!
- esp=blowfish192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d69a7b8082..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index fd3343c1aa..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=blowfish128-sha256-modp1536!
- esp=blowfish128-sha256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index a3c9999f77..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f3c84ece89..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
- esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index a3c9999f77..0000000000
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 15b6ec8318..0000000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 3f13273876..0000000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b3f7654777..0000000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 192df5abdb..0000000000
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt
deleted file mode 100644
index f7e53913c1..0000000000
--- a/testing/tests/ikev1/alg-sha256/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC_128 / HMAC_SHA2_256_128 by defining esp=aes128-sha256-curve25519!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
deleted file mode 100644
index d9ff9475e8..0000000000
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
-carol::ip xfrm state::auth-trunc hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 25fce18819..0000000000
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=aes128-sha256-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b3e5df10b6..0000000000
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=aes128-sha256-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt
deleted file mode 100644
index f96ea5c4f2..0000000000
--- a/testing/tests/ikev1/alg-sha384/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC_192 / HMAC_SHA2_384_192 by defining esp=aes192-sha384-curve25519!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
deleted file mode 100644
index 3a533566f9..0000000000
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
-carol::ip xfrm state::auth-trunc hmac(sha384)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 9e7f48868a..0000000000
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-curve25519!
- esp=aes192-sha384-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index d4c4a6f6d7..0000000000
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-curve25519!
- esp=aes192-sha384-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt
deleted file mode 100644
index bf79a3bff7..0000000000
--- a/testing/tests/ikev1/alg-sha512/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC_256 / HMAC_SHA2_512_256 by defining esp=aes256-sha512-modp4096!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
deleted file mode 100644
index 3c39e2cd85..0000000000
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
-moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
-carol::ip xfrm state::auth-trunc hmac(sha512)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 79272111cb..0000000000
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 3f13273876..0000000000
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bdfcb4e4d1..0000000000
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/compress/description.txt b/testing/tests/ikev1/compress/description.txt
index 47829839dd..4c60384f0b 100644
--- a/testing/tests/ikev1/compress/description.txt
+++ b/testing/tests/ikev1/compress/description.txt
@@ -1,3 +1,4 @@
-This scenario enables IPCOMP compression between roadwarrior carol and
-gateway moon. Two pings from carol to alice checks
-the established tunnel with compression.
+This scenario enables IPComp compression between roadwarrior carol and
+gateway moon. Two pings from carol to alice check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat
index 2ec840c682..8715ef166b 100644
--- a/testing/tests/ikev1/compress/evaltest.dat
+++ b/testing/tests/ikev1/compress/evaltest.dat
@@ -1,9 +1,8 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::proto comp spi::YES
carol::ip xfrm state::proto comp spi::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 291b8cc931..0000000000
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- compress=yes
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..d42a9804c8 100644
--- a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
}
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..56a2840655
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
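Review bot: `esp_proposals =aes128-sha256-x25519` lacks the space after `=` that every other assignment in this file and the corresponding line in moon's swanctl.conf use. The parser tolerates it, but for consistency the line should read `esp_proposals = aes128-sha256-x25519`.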
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 28cf2d1c0d..0000000000
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- compress=yes
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
index 7a64dce303..d42a9804c8 100644
--- a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
}
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e3f2d0261a
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
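Review bot: The `remote { auth = pubkey }` block carries no `id`, so `rw` no longer pins the peer identity the way the deleted ipsec.conf did with `rightid=carol@strongswan.org`; any peer presenting a certificate that chains to a trusted CA now matches this connection. For a single-peer test that is a loosening with no stated reason; if it is intended, a comment in the block saying so would help, otherwise restore it with `id = carol@strongswan.org` inside `remote`. The same applies to moon's swanctl.conf in dynamic-initiator (L1672-L1674) and dynamic-responder (L2019-L2021), whose deleted ipsec.conf files also had `rightid=carol@strongswan.org`, and where the connection additionally hands out the single `carol_vip` address under `unique = replace`, so the identity check carries more weight there.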
diff --git a/testing/tests/ikev1/compress/posttest.dat b/testing/tests/ikev1/compress/posttest.dat
index c6d6235f9d..ec5d4c48ad 100644
--- a/testing/tests/ikev1/compress/posttest.dat
+++ b/testing/tests/ikev1/compress/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index d7f7959f1f..87be755a3c 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index d7b71426cf..307c7e9cc7 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -20,3 +20,6 @@ TCPDUMPHOSTS="moon"
#
IPSECHOSTS="moon carol"
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/config-payload-push/description.txt b/testing/tests/ikev1/config-payload-push/description.txt
old mode 100644
new mode 100755
index 36f47799e9..f6929e2921
--- a/testing/tests/ikev1/config-payload-push/description.txt
+++ b/testing/tests/ikev1/config-payload-push/description.txt
@@ -1,8 +1,10 @@
The roadwarriors carol and dave set up a connection each to gateway moon.
-The gateway pushes virtual IP addresses to carol and davevia the IKEv1
-Mode Config protocol in push mode.
+Both carol and dave request a virtual IP via the IKEv1 Mode Config
+protocol in push mode by using the vips = 0.0.0.0 parameter.
+moon explicitly assigns a specific virtual IP to each of the two clients.
-In this scenario carol first initiates a tunnel to moon. After some time carol
-suddenly changes her IP address and restarts the connection to moon without deleting the
-old tunnel first (simulated by iptables blocking IKE packets to and from
-carol and starting the connection from host dave using carol's identity).
+In this scenario carol first initiates a tunnel to moon. After some
+time carol suddenly changes her IP address and restarts the connection to
+moon without deleting the old tunnel first (simulated by iptables blocking
+IKE packets to and from carol and starting the connection from host dave
+using carol's identity).
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
old mode 100644
new mode 100755
index e3549f23dd..4fc2d3f973
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
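Review bot: The new `swanctl --list-sas --raw` patterns hard-code `192.168.0.100`, `192.168.0.200` and `192.168.0.1`, while the remaining lines of this file use the `PH_IP_CAROL` / `PH_IP_DAVE` placeholders and the deleted ipsec.conf used `PH_IP_MOON`; mixing both forms means a lab re-addressing would break this test in two different ways. If the harness substitutes placeholders inside these patterns as it does on the lines below, suggest `local-host=PH_IP_CAROL remote-host=PH_IP_MOON` on carol's line and `local-host=PH_IP_DAVE` on dave's. The dynamic-responder evaltest at L1790-L1791 has the same mix.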
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ef0d102c0a..0000000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1c489efd04
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ moon {
+ remote_addrs = moon.strongswan.org
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ moon {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ef0d102c0a..0000000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 6a2aea8118..0000000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1c489efd04
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ moon {
+ remote_addrs = moon.strongswan.org
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ moon {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 6ab0ea5ab3..0000000000
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn carol
- left=%any
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%carol.strongswan.org
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
- auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..0f3a95603a
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ carol {
+ remote_addrs = carol.strongswan.org
+ pools = carol_vip
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ carol {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ unique = replace
+ }
+}
+
+pools {
+ carol_vip {
+ addrs = 10.3.0.1
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
old mode 100644
new mode 100755
index 6898bd5672..784b2583a3
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
carol::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
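Review bot: The posttest does not undo the `moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts` that pretest.dat adds at L1731, so moon's carol entry keeps pointing at dave's address after the test unless the harness restores /etc/hosts between tests. If moon's /etc/hosts also lists dave.strongswan.org (as the hosts.stale file further down does), both names resolve to 192.168.0.200 after that sed, so a blanket reverse substitution would be wrong; restore only the carol entry, e.g. `moon::sed -i '/carol.strongswan.org/s/192.168.0.200/192.168.0.100/' /etc/hosts`. Separately, `dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem` runs the rm in whatever the current directory is if the cd fails; `cd /etc/swanctl && rm rsa/carolKey.pem x509/carolCert.pem` is safer. The dynamic-responder posttest (L2047-L2057) has the same two issues with the sed at L2080.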
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
old mode 100644
new mode 100755
index a056e1dc92..704e1f1866
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,11 +1,12 @@
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection carol
carol::expect-connection moon
-carol::ipsec up moon
+carol::swanctl --initiate --child moon 2> /dev/null
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
dave::expect-connection moon
-dave::ipsec up moon
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
old mode 100644
new mode 100755
index 164b07ff97..37c3b73e13
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="alice"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dynamic-responder/description.txt b/testing/tests/ikev1/dynamic-responder/description.txt
old mode 100644
new mode 100755
index 76471a9733..f43948dd11
--- a/testing/tests/ikev1/dynamic-responder/description.txt
+++ b/testing/tests/ikev1/dynamic-responder/description.txt
@@ -1,13 +1,12 @@
-The peers carol and moon both have dynamic IP addresses, so that the remote end
-is defined symbolically by right=<hostname>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-rightallowany=yes will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
+The peers carol and moon both have dynamic IP addresses, so that the
+remote_addrs field contains a Fully Qualified Domain Name (FQDN) which
+is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
+This will allow an IKE main mode rekeying to arrive from an arbitrary IP address
+under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
In this scenario moon first initiates a tunnel to carol. After some time
the responder carol suddenly changes her IP address and restarts the connection to
moon without deleting the old tunnel first (simulated by iptables blocking IKE packets
to and from carol and starting the connection from host dave using
-carol's identity).
+carol's identity).
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
old mode 100644
new mode 100755
index e3549f23dd..377a0c281a
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ef0d102c0a..0000000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1c489efd04
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ moon {
+ remote_addrs = moon.strongswan.org
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ moon {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ef0d102c0a..0000000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 6a2aea8118..0000000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1c489efd04
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ moon {
+ remote_addrs = moon.strongswan.org
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ moon {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 6ab0ea5ab3..0000000000
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn carol
- left=%any
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%carol.strongswan.org
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
- auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..0f3a95603a
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ carol {
+ remote_addrs = carol.strongswan.org
+ pools = carol_vip
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ carol {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ unique = replace
+ }
+}
+
+pools {
+ carol_vip {
+ addrs = 10.3.0.1
+ }
+}
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
old mode 100644
new mode 100755
index 6898bd5672..784b2583a3
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -1,6 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
carol::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
old mode 100644
new mode 100755
index f71d69f97d..22a10caa08
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,13 +1,13 @@
carol::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
carol::expect-connection moon
moon::expect-connection carol
-moon::ipsec up carol
-moon::sleep 0.5
+moon::swanctl --initiate --child carol 2> /dev/null
+moon::sleep 1
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
dave::expect-connection moon
-dave::ipsec up moon
-moon::sleep 0.5
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
old mode 100644
new mode 100755
index 164b07ff97..37c3b73e13
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="alice"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt
deleted file mode 100644
index 56a1c07548..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-The peers carol, dave, and moon all have dynamic IP addresses,
-so that the remote end is defined symbolically by right=%<hostname>.
-The ipsec starter resolves the fully-qualified hostname into the current IP address
-via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
-expected to change over time, the prefix '%' is used as an implicit alternative to the
-explicit rightallowany=yes option which will allow an IKE
-main mode rekeying to arrive from an arbitrary IP address under the condition that
-the peer identity remains unchanged. When this happens the old tunnel is replaced
-by an IPsec connection to the new origin.
-
-In this scenario both carol and dave initiate a tunnel to
-moon which has a named connection definition for each peer. Although
-the IP addresses of both carol and dave are stale, thanks to
-the '%' prefix moon will accept the IKE negotiations from the actual IP addresses.
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
deleted file mode 100644
index 66660545e2..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ef0d102c0a..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index d63566635d..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%any
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
deleted file mode 100644
index ebff4ec250..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
+++ /dev/null
@@ -1,67 +0,0 @@
-# /etc/hosts: This file describes a number of hostname-to-address
-# mappings for the TCP/IP subsystem. It is mostly
-# used at boot time, when no name servers are running.
-# On small systems, this file can be used instead of a
-# "named" name server. Just add the names, addresses
-# and any aliases to this file...
-#
-
-127.0.0.1 localhost
-
-192.168.0.254 uml0.strongswan.org uml0
-10.1.0.254 uml1.strongswan.org uml1
-10.2.0.254 uml1.strongswan.org uml2
-
-10.1.0.10 alice.strongswan.org alice
-10.1.0.20 venus.strongswan.org venus
-10.1.0.1 moon1.strongswan.org moon1
-192.168.0.1 moon.strongswan.org moon
-192.168.0.110 carol.strongswan.org carol
-10.3.0.1 carol1.strongswan.org carol1
-192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.220 dave.strongswan.org dave
-10.3.0.2 dave1.strongswan.org dave1
-192.168.0.2 sun.strongswan.org sun
-10.2.0.1 sun1.strongswan.org sun1
-10.2.0.10 bob.strongswan.org bob
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1 ip6-mcast-1
-ff02::1:ff00:2 ip6-mcast-2
-ff02::1:ff00:10 ip6-mcast-10
-ff02::1:ff00:15 ip6-mcast-15
-ff02::1:ff00:20 ip6-mcast-20
-
-# IPv6 site-local addresses
-fec1::10 ip6-alice.strongswan.org ip6-alice
-fec1::20 ip6-venus.strongswan.org ip6-venus
-fec1::1 ip6-moon1.strongswan.org ip6-moon1
-fec0::1 ip6-moon.strongswan.org ip6-moon
-fec0::10 ip6-carol.strongswan.org ip6-carol
-fec3::1 ip6-carol1.strongswan.org ip6-carol1
-fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
-fec0::20 ip6-dave.strongswan.org ip6-dave
-fec3::2 ip6-dave1.strongswan.org ip6-dave1
-fec0::2 ip6-sun.strongswan.org ip6-sun
-fec2::1 ip6-sun1.strongswan.org ip6-sun1
-fec2::10 ip6-bob.strongswan.org ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
-fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
-fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 07cd49899a..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=%any
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn carol
- right=%carol.strongswan.org
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
- auto=add
-
-conn dave
- right=%dave.strongswan.org
- rightid=dave@strongswan.org
- rightsourceip=PH_IP_DAVE1
- auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
deleted file mode 100644
index e862b151c5..0000000000
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::mv /etc/hosts /etc/hosts.ori
-moon::mv /etc/hosts.stale /etc/hosts
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection carol
-carol::expect-connection moon
-carol::ipsec up moon
-dave::expect-connection moon
-dave::ipsec up moon
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
deleted file mode 100644
index 4aceaa8fdc..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
-carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 35b96c1a42..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=aes128ccm96-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 9692b64f76..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 40251f7d93..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=aes128ccm12-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
deleted file mode 100644
index 5858267b3a..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CTR_256 / AES_XCBC_96 by defining esp=aes256ctr-aesxcbc-curve25519 in ipsec.conf.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
deleted file mode 100644
index 79ab17cf0f..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
-carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
-moon:: ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ip xfrm state::rfc3686(ctr(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ac835d07d7..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-curve25519!
- esp=aes256ctr-aesxcbc-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 913afb404e..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 5c7bbf8637..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-curve25519!
- esp=aes256ctr-aesxcbc-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
deleted file mode 100644
index f112af6efd..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_GCM_16_256 by defining esp=aes256gcm16-curve25519 or alternatively
-esp=aes256gcm128-curve25519 in ipsec.conf.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 25cd45941b..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6dddc28cf9..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-curve25519!
- esp=aes256gcm128-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1d1cd4e938..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index d98aaeafea..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha512-curve25519!
- esp=aes256gcm16-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
deleted file mode 100644
index 0d5eb10152..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the authentication-only
-ESP cipher suite NULL_AES_GMAC_256 by defining esp=aes256gmac-curve25519!
-in ipsec.conf. A ping from carol to alice successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
deleted file mode 100644
index 293b5ab37d..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
-carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c6d77ca683..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha256-curve25519!
- esp=aes256gmac-curve25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f42aad256a..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha256-curve25519!
- esp=aes256gmac-curve25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
deleted file mode 100644
index 0c39352d96..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC_256 / AES_XCBC_96 by defining esp=aes256-aesxcbc
-in ipsec.conf. A ping from carol to alice successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
deleted file mode 100644
index a3f8d80c7d..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-carol::ip xfrm state::auth-trunc xcbc(aes)::YES
-moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index a653bcd77c..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha256-curve25519!
- esp=aes256-aesxcbc!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c5200b0712..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3e37c3cf07..0000000000
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha256-curve25519!
- esp=aes256-aesxcbc!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
deleted file mode 100644
index b80e9f781c..0000000000
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
-moon:: ip xfrm state::enc ecb(cipher_null)::YES
-carol::ip xfrm state::enc ecb(cipher_null)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d43629158e..0000000000
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=null-sha256!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c17c5815e0..0000000000
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-curve25519!
- esp=null-sha256!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev1/host2host-ah/description.txt b/testing/tests/ikev1/host2host-ah/description.txt
old mode 100644
new mode 100755
index dccdd52a42..f642038a95
--- a/testing/tests/ikev1/host2host-ah/description.txt
+++ b/testing/tests/ikev1/host2host-ah/description.txt
@@ -1,5 +1,6 @@
-An IPsec AH transport-mode connection using HMAC_SHA256 between the hosts
-moon and sun is successfully set up using IKEv1. leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the decrypted
-IP packets. In order to test the host-to-host connection moon pings
-sun.
+An IPsec AH transport-mode connection using HMAC_SHA256_128 between the hosts
+moon and sun is set up.The authentication is based on X.509 certificates.
+
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, carol and dave then ping the client
-alice behind the gateway moon. The source IP addresses of the two pings will be the
-virtual IPs carol1 and dave1, respectively.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, carol and dave then ping the client alice behind
+the gateway moon. The source IP addresses of the two pings will be the virtual
+IPs 10.3.0.1 and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
old mode 100644
new mode 100755
index 925e9a12f8..d6aa7265dc
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,38 +1,23 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
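Review bot: The rewritten evaltest no longer verifies that the assigned virtual IPs actually reach the kernel on carol and dave: the old `ip addr list dev eth0` and `ip route list table 220` checks are dropped, and the new `swanctl --list-sas` lines only show `local-vips=[10.3.0.1]` from the daemon's point of view. Consider keeping `carol::ip addr list dev eth0::10.3.0.1::YES` and `carol::ip route list table 220::10.1.0.0/16.*src 10.3.0.1::YES` (and the same pair for dave with 10.3.0.2), since the log line "installing new virtual IP" alone does not prove the address and source route are present. The pool-side `dns servers`/`nbns servers` status checks are also removed while the client-side "installing DNS server" checks stay, so the pool attribute configuration is now only tested indirectly. The `moon::ipsec pool` lines still go through the legacy `ipsec` wrapper although the hosts moved to charon-systemd/swanctl; if that tool is still shipped this is fine, otherwise these checks will fail silently with `2> /dev/null`.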
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 0fbefa3fc2..886b31f9b8
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..292131157d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
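Review bot: `vips = 0.0.0.0` is the only line that makes this connection a virtual-IP client, and nothing in the file says the all-zero address means "request any IPv4 address from the gateway" rather than a literal address to configure; a comment would spare the next reader a lookup, e.g. `# 0.0.0.0 = request an arbitrary IPv4 virtual IP from moon via Mode Config`. The ip-pool description.txt in this commit states this, but the config file is what gets copied as a template, so it should carry the explanation itself. The same line recurs in dave's swanctl.conf below and in the ip-pool copies for carol and dave; the note applies to those too.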
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 729db45267..886b31f9b8
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..9a29833a14
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index c22405914f..31cf56d246
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
plugins {
attr-sql {
@@ -12,4 +16,5 @@ charon {
pool {
load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
}
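Review bot: The `database` URI added to the `pool` section has to name the same SQLite file the attr-sql plugin reads, and that plugin's own database setting sits in the `attr-sql` block above this hunk, where I cannot confirm the two agree; a one-line comment tying them together, e.g. `# must match plugins.attr-sql.database; file is created by pretest.dat`, would make a later divergence obvious. pretest.dat populates /etc/db.d/ipsec.db and runs `ipsec pool --add big_pool` against it before charon starts, so a mismatch between the two settings would presumably surface only as a missing pool at IKE time rather than as a configuration error.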
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..31c21a7348
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = big_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
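Review bot: `pools = big_pool` names a pool that is defined nowhere in swanctl.conf; it is created at test time by `ipsec pool --add big_pool` in pretest.dat and served by the attr-sql plugin, which a reader of this file alone cannot know. A comment such as `# big_pool is not a swanctl pool: it lives in the attr-sql database, see pretest.dat` would close that gap and explains why this file, unlike the ip-pool variant, has no `pools` section. The `remote { auth = pubkey }` block carries no `id`, so any identity that passes certificate authentication is accepted on this connection; that is the intended roadwarrior setup, but a short comment saying so keeps it from reading as an omission. The same remote block appears in the ip-pool copy of moon's swanctl.conf.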
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
old mode 100644
new mode 100755
index 37436a3d9f..b18231a2e4
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,9 +1,11 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del big_pool 2> /dev/null
moon::ipsec pool --del dns 2> /dev/null
moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
old mode 100644
new mode 100755
index c422045925..448aa260df
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,17 +1,17 @@
moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
old mode 100644
new mode 100755
index 31820ea1a6..5554b46696
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/ip-pool/description.txt b/testing/tests/ikev1/ip-pool/description.txt
old mode 100644
new mode 100755
index b3f584c57d..a9291f886c
--- a/testing/tests/ikev1/ip-pool/description.txt
+++ b/testing/tests/ikev1/ip-pool/description.txt
@@ -1,10 +1,11 @@
The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv1 Mode Config payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
-increasing order.
+Both carol and dave request a virtual IP via the IKEv1 Mode Config
+payload by using the vips = 0.0.0.0 parameter.
+moon assigns virtual IP addresses from a simple pool defined in the pools section
+of swanctl.conf in a monotonously increasing order.
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, carol and dave then ping the client alice behind
+the gateway moon. The source IP addresses of the two pings will be the virtual
+IPs 10.3.0.1 and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
old mode 100644
new mode 100755
index c558592910..b853d709b3
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -1,30 +1,17 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
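Review bot: The new ping checks reverse the direction the description gives: `alice::ping -c 1 10.3.0.1` and `alice::ping -c 1 10.3.0.2` have alice probing the virtual IPs, while the updated description.txt in this same commit still says carol and dave ping alice with the virtual IPs as source addresses, and the dropped alice tcpdump lines together with `TCPDUMPHOSTS="moon"` remove the evidence for the described direction. Either restore `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` (and the dave counterpart) or reword the description to match what is actually tested. The removed `ip addr list dev eth0` and `ip route list table 220` checks are only partly replaced by `local-vips=[...]` in the `--list-sas` output, which reports what charon negotiated rather than what is installed on the interface; the alice pings cover installation indirectly, so keeping one of the old checks would preserve that evidence explicitly. The ip-pool-db evaltest appears to make the same direction change, though its hunk begins outside this view.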
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..292131157d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..9a29833a14
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6b5765bed4
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
old mode 100644
new mode 100755
index b757d8b152..eb21008563
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
old mode 100644
new mode 100755
index 164b07ff97..1227b9d1c0
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
deleted file mode 100644
index 03426ac445..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8421527139..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- rightsubnet=PH_IP_ALICE/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 953fa18ffa..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn venus
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 998fa3f8fc..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=PH_IP_DAVE
- rightid=dave@strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
deleted file mode 100644
index 24cd041ed2..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
deleted file mode 100644
index 1476785df7..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::expect-connection alice
-dave::expect-connection venus
-moon::expect-connection venus
-moon::ipsec up alice
-moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
deleted file mode 100644
index 06f9f6b917..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The VPN gateway moon grants access to the hosts alice and
-venus to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA. The hosts carol and dave have certificates from
-the intermediate Research CA and Sales CA, respectively. Responder moon does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the initiators carol and dave, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
deleted file mode 100644
index dcd271772e..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 43cbb47f63..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 0cef26c6c6..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f6224edfb0..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
deleted file mode 100644
index 24cd041ed2..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
deleted file mode 100644
index 4bc6a0e5ef..0000000000
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection venus
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat
deleted file mode 100644
index ede771fb66..0000000000
--- a/testing/tests/ikev1/multi-level-ca/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 09dfafce61..0000000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8f1609e5ee..0000000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index ec4585411a..0000000000
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
- auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/posttest.dat b/testing/tests/ikev1/multi-level-ca/posttest.dat
deleted file mode 100644
index 1646d5ed2f..0000000000
--- a/testing/tests/ikev1/multi-level-ca/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
deleted file mode 100644
index 81b30701da..0000000000
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection venus
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
deleted file mode 100644
index 9bb88d79f0..0000000000
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-rw/description.txt b/testing/tests/ikev1/nat-rw/description.txt
index dcf4b94bd6..1ee91b74dd 100644
--- a/testing/tests/ikev1/nat-rw/description.txt
+++ b/testing/tests/ikev1/nat-rw/description.txt
@@ -1,5 +1,8 @@
The roadwarriors alice and venus sitting behind the NAT router moon set up
tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router.
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus
+Authentication is based on X.509 certificates.
+
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 315aa10731..0000000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- authby=psk
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index c168b51b2a..0000000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ntru192!
- esp=aes192-sha384!
- authby=psk
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2194db5829..0000000000
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
- esp=aes128-sha256,aes192-sha384!
- authby=psk
-
-conn rw-carol
- also=rw
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
-
-conn rw-dave
- also=rw
- right=PH_IP_DAVE
- rightid=dave@strongswan.org
- auto=add
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=moon.strongswan.org
- leftfirewall=yes
- rightsourceip=10.3.0.0/28
diff --git a/testing/tests/ikev1/rw-psk-aggressive/description.txt b/testing/tests/ikev1/rw-psk-aggressive/description.txt
old mode 100644
new mode 100755
index 32a476ee84..0602b4186a
--- a/testing/tests/ikev1/rw-psk-aggressive/description.txt
+++ b/testing/tests/ikev1/rw-psk-aggressive/description.txt
@@ -1,7 +1,8 @@
-The roadwarriors carol and dave set up a connection each
+The roadwarriors carol and dave set up a connection each
to gateway moon using IKEv1 Aggressive Mode. The authentication
is based on distinct pre-shared keys and Fully Qualified Domain Names.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both carol and dave ping the
-client alice behind the gateway moon.
+
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
old mode 100644
new mode 100755
index 210072e86c..389b3a4af9
--- a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
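Review bot: The two moon checks `swanctl --list-sas --ike-id 1` / `--ike-id 2`, together with `reqid=1` / `reqid=2`, bind carol to IKE_SA 1 and dave to IKE_SA 2, so the assertions only hold if carol's SA is always established before dave's. The pretest in this commit appears to serialise the two initiations (expect-connection, initiate carol, then expect-connection, initiate dave), so this is presumably stable, but a sentence in description.txt saying that the SA numbering is load-bearing would save the next person a confusing failure. The xauth-id-rsa-aggressive evaltest hunk in this commit has the same dependency. The `.` characters in `moon.strongswan.org` and `carol@strongswan.org` are unescaped regex metacharacters; harmless here, but `\.` would make the match exact.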
@@ -18,7 +14,3 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index d6dcd99d02..d274a8195c
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
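Review bot: The new `charon-systemd` load line pulls in `pem pkcs1 x509 revocation gmp curl`, none of which a PSK+XAuth test exercises — pretest.dat in this commit deletes every certificate and key under /etc/swanctl before the daemon starts. The replaced `charon` line loaded only what the test needed, so either trim the list to the plugins actually used (`random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown vici` should suffice, to be verified by running the test) or add a comment stating that the line is a shared template kept identical across tests on purpose. The same line is added to dave's and moon's strongswan.conf in this commit. The `swanctl { load = ... }` section likewise loads x509/revocation/constraints on a host that holds no certificates, presumably for the same template reason.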
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..257267d52e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local-psk {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ xauth_id = carol
+ }
+ remote-psk {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth {
+ id = carol
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
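Review bot: The new file is created with mode 100755 although it is a configuration file that also carries the `secrets` section (the group PSK and carol's XAuth password); it should be a non-executable 0644 file, or stricter. The same executable bit appears on the new swanctl.conf for dave and moon and on the modified strongswan.conf, evaltest.dat and description.txt files in this commit, which suggests the files were copied from a source with the bit set rather than an intentional change. Separately, the `ike-group` entry has no `id` selector, so this single PSK is accepted for any peer and per-user authentication rests entirely on the `xauth` secret; a comment such as `# group PSK shared by all roadwarriors; individual users are authenticated via XAuth` would make that intent explicit. The file also ends without a trailing newline.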
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index d6dcd99d02..d274a8195c
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..5321a9004d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local-psk {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ xauth_id = dave
+ }
+ remote-rsa {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth {
+ id = dave
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
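Review bot: The `remote-rsa` section holds `auth = psk`, so its name contradicts its content, and carol's counterpart in this commit is called `remote-psk`. Rename it to `remote-psk {` so the two roadwarrior configs read the same; moon's `rw-dave` connection has the same mismatched `remote-rsa` name next to `rw-carol`'s `remote-psk`. The section name is only a label for the auth round, so this is cosmetic, but a reader grepping for RSA authentication in a PSK test would be misled.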
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 4f0b4be879..d274a8195c
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
- dns1 = 192.168.0.150
- dns2 = 10.1.0.20
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
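Review bot: The replaced `charon` section loaded the `attr` plugin and pushed `dns1 = 192.168.0.150` / `dns2 = 10.1.0.20` to the roadwarriors; the new `charon-systemd` section drops both, and the new moon swanctl.conf defines the `carol-vip` / `dave-vip` pools with only `addrs` and no `dns` attribute. Nothing in the visible evaltest checks a DNS attribute, and carol and dave no longer load `resolve`, so this looks deliberate, but the commit message should state that the test no longer covers configuration-attribute delivery; if it was meant to stay, add `dns = 192.168.0.150, 10.1.0.20` to the pools and restore `resolve` on the clients. The cert-related plugins in the new load line are unused by a PSK test and are a separate matter.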
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1ad6a276b2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,54 @@
+connections {
+
+ rw-carol {
+ include swanctl_base.conf
+ pools = carol-vip
+
+ remote-psk {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote-xauth {
+ auth = xauth
+ xauth_id = carol
+ }
+ }
+
+ rw-dave {
+ include swanctl_base.conf
+ pools = dave-vip
+
+ remote-rsa {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote-xauth {
+ auth = xauth
+ xauth_id = dave
+ }
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth-carol {
+ id = carol
+ secret = 4iChxLT3
+ }
+ xauth-dave {
+ id = dave
+ secret = ryftzG4A
+ }
+}
+
+pools {
+ carol-vip {
+ addrs = 10.3.0.1
+ }
+ dave-vip {
+ addrs = 10.3.0.2
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf
new file mode 100644
index 0000000000..649b527dfe
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,16 @@
+ local_addrs = 192.168.0.1
+
+ local-psk {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
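Review bot: This file is an include fragment — every line is indented and there is no enclosing section — pulled into both `rw-carol` and `rw-dave` in moon's swanctl.conf via `include swanctl_base.conf`, but nothing in the file says so. A header comment such as `# fragment included inside each rw-* connection in swanctl.conf; not a standalone swanctl config` would prevent someone from copying it into conf.d/, where its keys would presumably land at the top level and be ignored. Unlike the other new swanctl files in this commit it is mode 100644 and ends with a newline, which is the correct form.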
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
old mode 100644
new mode 100755
index b757d8b152..eb21008563
--- a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
old mode 100644
new mode 100755
index ee5bc7c721..dc7b5f7ed7
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -1,14 +1,16 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-carol
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
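Review bot: `moon::cat /etc/swanctl/swanctl_base.conf` performs no setup and reads like a leftover from debugging the include; unless the intent is to dump the fragment into the test log, drop that line. If it is meant to be visible in the console output, say so in description.txt so the next cleanup does not remove it. The `rm rsa/* x509/* x509ca/*` lines, which run before the daemon starts, are what guarantee the PSK test cannot silently fall back to certificate authentication; that is worth a sentence in description.txt as well.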
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf
old mode 100644
new mode 100755
index 9b1ec0b545..1227b9d1c0
--- a/testing/tests/ikev1/xauth-id-psk-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="alice moon"
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
old mode 100644
new mode 100755
index 90209c2669..f8016c44d2
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
@@ -1,11 +1,10 @@
-The roadwarriors carol and dave set up a connection to gateway moon
-using IKEv1 Aggressive Mode.
-The authentication is based on RSA signatures (RSASIG) using X.509 certificates
-followed by extended authentication (XAUTH) of carol and dave
-based on user names defined by the xauth_identity parameter (carol and dave,
-respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+he roadwarriors carol and dave set up a connection to gateway moon
+using IKEv1 Aggressive Mode. The authentication is based on RSA signatures
+using X.509 certificates followed by extended authentication (XAUTH) of
+carol and dave based on user names defined by the xauth_identity
+and corresponding user passwords defined and stored in ipsec.secrets.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
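Review bot: The first new line drops its leading letter: `he roadwarriors carol and dave set up a connection to gateway moon` should read `The roadwarriors carol and dave set up a connection to gateway moon`. The rewrite also removes the parenthetical naming the two XAuth users, so `based on user names defined by the xauth_identity` now dangles; `defined by the xauth_id parameter (carol and dave, respectively)` would match the swanctl.conf keyword this commit actually uses.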
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
old mode 100644
new mode 100755
index b482ddba38..10326fc149
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -1,11 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+dave:: cat /var/log/daemon.log::initiating Aggressive Mode IKE_SA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 09308efad8..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- aggressive=yes
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftauth=pubkey
- leftauth2=xauth
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- rightauth=pubkey
- xauth_identity=carol
- auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..734689a6ab
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ xauth_id = carol
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ aggressive = yes
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = carol
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8cc9f68dc8..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- aggressive=yes
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftauth=pubkey
- leftauth2=xauth
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- rightauth=pubkey
- xauth_identity=dave
- auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6a49294721
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ xauth_id = dave
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ aggressive = yes
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = dave
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
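Review bot: The new swanctl.conf ends without a trailing newline (`\ No newline at end of file`), and the same holds for every other swanctl.conf added or renamed in this part of the series (moon in this test, and carol, dave and moon in xauth-id-rsa-config and xauth-id-rsa-hybrid), whereas the swanctl_base.conf files do end with one. A missing final newline makes later diffs noisier, as the `-}`/`+}` churn in the renamed moon file of this test already shows, and some tools misbehave when concatenating such files. Adding the newline after the closing `}` of `secrets` is a one-character fix per file.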
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2a27145c8f..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- aggressive=yes
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftauth=pubkey
- leftfirewall=yes
- right=%any
- rightauth=pubkey
- rightauth2=xauth
- auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf
similarity index 62%
rename from testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf
index f71bea1d1a..8addb191be 100755
--- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/swanctl/swanctl.conf
@@ -3,27 +3,28 @@ connections {
rw {
local_addrs = 192.168.0.1
- local {
+ local-rsa {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
- remote {
+ remote-rsa {
auth = pubkey
}
remote-xauth {
auth = xauth
- }
+ }
children {
net {
- local_ts = 10.1.0.0/16
+ local_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
- version = 1
- proposals = aes128-sha256-modp3072
+ version = 1
+ aggressive = yes
+ proposals = aes128-sha256-x25519
}
}
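Review bot: The `remote-rsa` round carries no `id` and `remote-xauth` no `xauth_id`, so on moon any certificate issued by the trusted CA combined with any XAUTH credential from the `secrets` section satisfies this connection; certificate identity and XAUTH user are not cross-checked, in contrast to the xauth-id-rsa-config variant of this test where moon pins `id = carol@strongswan.org` together with `xauth_id = carol` per connection. This mirrors the removed ipsec.conf (`right=%any` with `rightauth2=xauth`), so it is not a regression, but a reader comparing the two tests cannot tell whether it is deliberate. A comment on the connection such as `# rw accepts any CA-issued certificate with any configured XAUTH user; see xauth-id-rsa-config for the pinned variant` would make the intent explicit, assuming I read the swanctl matching semantics correctly.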
@@ -31,10 +32,10 @@ secrets {
xauth-carol {
id = carol
- secret = "4iChxLT3"
+ secret = 4iChxLT3
}
xauth-dave {
id = dave
- secret = "ryftzG4A"
+ secret = ryftzG4A
}
-}
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/description.txt b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
old mode 100644
new mode 100755
index feb154d49d..91b595fb7c
--- a/testing/tests/ikev1/xauth-id-rsa-config/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
@@ -1,12 +1,12 @@
The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on RSA signatures (RSASIG) using X.509 certificates
-followed by extended authentication (XAUTH) of carol and dave
-based on user names defined by the xauth_identity parameter (carol and dave,
-respectively) and corresponding user passwords defined and stored in ipsec.secrets.
-Next both carol and dave request a virtual IP via the IKE Mode Config
-protocol by using the leftsourceip=%config parameter.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (XAUTH) of carol and dave based on user names defined
+by the xauth_id parameter carol and dave, respectively and corresponding user passwords
+defined and stored in the secrets section of swanctl.conf.
+Next both carol and dave request a virtual IP via the IKEv1 Mode Config
+protocol by using the vips = 0.0.0.0 parameter.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
old mode 100644
new mode 100755
index 13e4b26a92..389b3a4af9
--- a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
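Review bot: The moon expectations now match `rw.*version=1` selected by `--ike-id 1` and `--ike-id 2`, whereas the removed lines anchored on the connection name (`rw-carol.*`, `rw-dave.*`); the IKE_SA ids and `reqid=1`/`reqid=2` depend on carol initiating before dave in pretest.dat and on moon having no earlier IKE_SA, so a swapped assignment would only be caught via the `remote-id` field. If the raw listing prints the connection name ahead of `version=`, as it appears to in other swanctl tests, anchoring on `rw-carol.*version=1 state=ESTABLISHED` and `rw-dave.*version=1 state=ESTABLISHED` keeps the check that the pooled VIP (`remote-vips=\[10.3.0.1]`) was handed out by the intended per-user connection. The same pattern is used in the xauth-id-rsa-hybrid evaltest.dat of this series, where moon likewise defines rw-carol and rw-dave.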
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 29492b5f9f..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf
similarity index 58%
rename from testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf
index ddfe896fb9..c10a874c54 100755
--- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,9 +2,10 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
- local {
+ local-rsa {
auth = pubkey
certs = carolCert.pem
id = carol@strongswan.org
@@ -13,27 +14,27 @@ connections {
auth = xauth
xauth_id = carol
}
- remote {
+ remote-rsa {
auth = pubkey
- id = moon.strongswan.org
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
- version = 1
- proposals = aes128-sha256-modp3072
+ version = 1
+ proposals = aes128-sha256-x25519
}
}
secrets {
- xauth-carol {
+ xauth {
id = carol
- secret = "4iChxLT3"
+ secret = 4iChxLT3
}
-}
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 8cf7db530b..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
-
-dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf
similarity index 58%
rename from testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf
index 61ca64db37..5cbb4046d1 100755
--- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,9 +2,10 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
- local {
+ local-rsa {
auth = pubkey
certs = daveCert.pem
id = dave@strongswan.org
@@ -13,27 +14,27 @@ connections {
auth = xauth
xauth_id = dave
}
- remote {
+ remote-rsa {
auth = pubkey
- id = moon.strongswan.org
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
- version = 1
- proposals = aes128-sha256-modp3072
+ version = 1
+ proposals = aes128-sha256-x25519
}
}
secrets {
- xauth-dave {
+ xauth {
id = dave
- secret = "ryftzG4A"
+ secret = ryftzG4A
}
-}
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..d8c2bd5ac9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,51 @@
+connections {
+
+ rw-carol {
+ include swanctl_base.conf
+ pools = carol-vip
+
+ remote-rsa {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ remote-xauth {
+ auth = xauth
+ xauth_id = carol
+ }
+ }
+
+ rw-dave {
+ include swanctl_base.conf
+ pools = dave-vip
+
+ remote-rsa {
+ auth = pubkey
+ id = dave@strongswan.org
+ }
+ remote-xauth {
+ auth = xauth
+ xauth_id = dave
+ }
+ }
+}
+
+secrets {
+
+ xauth-carol {
+ id = carol
+ secret = 4iChxLT3
+ }
+ xauth-dave {
+ id = dave
+ secret = ryftzG4A
+ }
+}
+
+pools {
+ carol-vip {
+ addrs = 10.3.0.1
+ }
+ dave-vip {
+ addrs = 10.3.0.2
+ }
+}
\ No newline at end of file
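Review bot: The reason for two near-identical connections `rw-carol` and `rw-dave` is not stated: each binds the certificate `id` to one specific `xauth_id` and to a dedicated single-address pool, which is what lets evaltest.dat assert that carol receives 10.3.0.1 and dave 10.3.0.2. A comment above `rw-carol` such as `# one connection per user: certificate id, XAUTH user and VIP pool are bound together` would document that. A note on how `include swanctl_base.conf` is resolved (relative to this file's directory, if that is how the settings parser treats relative includes — please confirm) would also help readers who wonder why pretest.dat runs `cat /etc/swanctl/swanctl_base.conf`.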
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf
new file mode 100644
index 0000000000..909383b3db
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+ local_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
old mode 100644
new mode 100755
index 2eddae2d8f..3b4b22d236
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -1,12 +1,13 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw-carol
-moon::expect-connection rw-dave
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev1/xauth-id-rsa-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
old mode 100644
new mode 100755
index 88351ffda3..1cab584432
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
@@ -5,7 +5,7 @@ followed by an extended authentication (XAUTH) of carol and dav
based on user names defined by the xauth_identity parameter (carol and dave,
respectively) and corresponding user passwords defined and stored in ipsec.secrets.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
old mode 100644
new mode 100755
index b482ddba38..389b3a4af9
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..03790cac92
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local-xauth {
+ auth = xauth
+ id = carol@strongswan.org
+ xauth_id = carol
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = carol
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..60e8c4ccad
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local-xauth {
+ auth = xauth
+ id = dave@strongswan.org
+ xauth_id = dave
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = dave
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index bd9b0dbfbd..0000000000
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol : XAUTH "4iChxLT3"
-
-dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..2d48f2e043
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+
+ rw-carol {
+ include swanctl_base.conf
+ pools = carol-vip
+
+ remote-xauth {
+ auth = xauth
+ xauth_id = carol
+ }
+ }
+
+ rw-dave {
+ include swanctl_base.conf
+ pools = dave-vip
+
+ remote-xauth {
+ auth = xauth
+ xauth_id = dave
+ }
+ }
+}
+
+secrets {
+
+ xauth-carol {
+ id = carol
+ secret = 4iChxLT3
+ }
+ xauth-dave {
+ id = dave
+ secret = ryftzG4A
+ }
+}
+
+pools {
+ carol-vip {
+ addrs = 10.3.0.1
+ }
+ dave-vip {
+ addrs = 10.3.0.2
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf
new file mode 100644
index 0000000000..909383b3db
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+ local_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..c519eec8e9
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -1,11 +1,15 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-carol
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
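Review bot: `moon::cat /etc/swanctl/swanctl_base.conf` reads like a leftover from debugging rather than a setup step, since it changes nothing on moon; if the intent is to get the included file into the test log (no other pretest hunk in this series does anything comparable), that deserves to be stated, otherwise the line should go. The `rm rsa/* x509/*` lines on carol and dave deliberately keep `x509ca/*`, presumably because the clients still need the CA certificate to verify moon's certificate in hybrid mode, whereas the xauth-psk pretest removes `x509ca/*` as well. Recording that asymmetry somewhere would stop a later cleanup from "harmonising" the two and breaking the hybrid test.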
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-psk/description.txt b/testing/tests/ikev1/xauth-psk/description.txt
old mode 100644
new mode 100755
index 0ac2043c2d..b66f04466e
--- a/testing/tests/ikev1/xauth-psk/description.txt
+++ b/testing/tests/ikev1/xauth-psk/description.txt
@@ -1,9 +1,8 @@
The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on Pre-Shared Keys (PSK)
-followed by extended authentication (XAUTH) of carol and dave
-based on user names and passwords.
+The authentication is based on Pre-Shared Keys (PSK) followed by extended
+authentication (XAUTH) of carol and dave based on user names and passwords.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
old mode 100644
new mode 100755
index 90cf05c315..4929f0a6b6
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
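Review bot: The two moon-side checks depend on `--ike-id 1`/`reqid=1` being carol and `--ike-id 2`/`reqid=2` being dave, which holds only because pretest.dat initiates carol's connection before dave's and nothing re-establishes an SA in between; if that order ever changes, the carol line will match dave's SA and fail on `remote-id`. Letting the pattern discriminate by peer instead, e.g. running plain `swanctl --list-sas --raw` and relying on `remote-host=192.168.0.100` / `remote-host=192.168.0.200` in the regex, decouples the assertion from SA numbering. If the numbered form is kept for consistency with the other migrated tests, the dependency on initiation order is worth a sentence in the test description.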
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 73a4271bd5..d274a8195c
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
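Review bot: The new `charon-systemd` load list pulls in `pem pkcs1 x509 revocation gmp curl`, although this test authenticates with a group PSK plus XAUTH only and its pretest.dat removes every key and certificate from /etc/swanctl before charon starts; the old `charon` list did without them. The same list is copied verbatim into dave's and moon's strongswan.conf in the following hunks. Unless the swanctl load step needs those plugins for something not visible here, trimming back to the previous set with `vici` in place of `stroke` keeps the loaded plugin surface to what the test actually exercises, and if they are needed, a comment saying why would save the next reader the same question.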
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..b384e59aca
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local-psk {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-psk {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
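Review bot: The new swanctl.conf ends without a trailing newline (`\ No newline at end of file`), and so do dave's and moon's swanctl.conf in the xauth-psk hunks and carol's in the xauth-rsa-eap-md5-radius and xauth-rsa-radius hunks, while the two new moon swanctl.conf files for the RADIUS tests do end with one. Adding the final newline keeps later diffs clean and the set of new files consistent. Separately, `local-xauth { auth = xauth }` has no `id`, so the XAUTH user name is whatever charon derives by default and must line up with `id = carol@strongswan.org` under `secrets { xauth { … } }`; assuming the default is the IKE identity from `local-psk`, a comment such as `# XAUTH user name defaults to the IKE identity above` would make that coupling visible.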
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 73a4271bd5..d274a8195c
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..41311c7a7b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local-psk {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-psk {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth {
+ id = dave@strongswan.org
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 73a4271bd5..d274a8195c
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..90f6abb8c1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local-psk {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote-psk {
+ auth = psk
+ }
+ remote-xauth {
+ auth = xauth
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-group {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ xauth-carol {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+ xauth-dave {
+ id = dave@strongswan.org
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
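Review bot: `remote-psk { auth = psk }` and the `ike-group` secret both carry no `id`, so moon accepts the same pre-shared key from any peer, and only the subsequent XAUTH round, matched against the `xauth-carol`/`xauth-dave` secrets, tells the two roadwarriors apart. That is inherent to IKEv1 main mode with PSK, where the peer identity is not yet available when the key is selected, but nothing in the file says so; a comment such as `# group PSK shared by all roadwarriors; individual users are authenticated by XAUTH` on the `ike-group` entry would document why an identity-less secret is acceptable here. The same secret value is duplicated verbatim in carol's and dave's swanctl.conf, which the comment could cross-reference so the three stay in sync.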
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
old mode 100644
new mode 100755
index ee5bc7c721..12ad60eb8a
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,14 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
old mode 100644
new mode 100755
index a586a14cb8..04ae527b65
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
@@ -1,8 +1,13 @@
The roadwarrior carol sets up a connection to gateway moon.
-The authentication is based on RSA signatures (RSASIG) using X.509 certificates
-followed by extended authentication (XAUTH) of carol based on a user name
-equal to the IKEv1 identity (carol@strongswan.org) and a user password
-defined and stored by carol in ipsec.secrets. Gateway moon starts
-an EAP-RADIUS connection with AAA server alice and uses carol's
-forwarded XAUTH user credentials for an EAP-MD5 based client authentication with
-alice.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (XAUTH) of carol based on a user name equal to the IKEv1 identity
+carol@strongswan.org and a user password defined and stored by carol in the secrets
+section of swanctl.conf.
+
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol pings the client alice
+behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
old mode 100644
new mode 100755
index 1d023f3105..10009c7c63
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -1,10 +1,6 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
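Review bot: The removed `moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES` has no counterpart on the new side, so the test no longer verifies that the XAUTH credentials were actually checked against alice over RADIUS; the retained `XAuth authentication of.*carol@strongswan.org.*successful` line would match just as well with a local xauth-generic backend. Re-adding it as `moon:: cat /var/log/daemon.log::RADIUS authentication of.*carol@strongswan.org.*successful::YES`, with the same loosened quoting as the XAuth line, keeps the RADIUS path under test. The xauth-rsa-radius evaltest hunk further down has the same gap, although there the old file had no RADIUS assertion to begin with.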
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..38a3077634
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 5701b7a826..0000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
- rightauth=pubkey
- rightauth2=xauth-eap
- auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 41fa522c88..a16a12800a
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,15 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-md5 xauth-eap updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-md5 eap-radius xauth-eap kernel-netlink socket-default updown vici
plugins {
eap-radius {
- secret = gv6URkSs
+ secret = gv6URkSs
server = PH_IP_ALICE
}
}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..173d96da70
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote-rsa {
+ auth = pubkey
+ }
+ remote-xauth {
+ auth = xauth-eap
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
old mode 100644
new mode 100755
index 4361417fd1..f4d215f094
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
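Review bot: `dave::systemctl stop strongswan` does not belong in this posttest.dat: the test's IPSECHOSTS is `moon carol` (see its test.conf hunk), its pretest.dat starts strongswan only on moon and carol, and the old file stopped only those two, so the line looks copied from one of the two-client tests. The same stray line appears in the xauth-rsa-radius posttest.dat hunk. Dropping it keeps the teardown limited to hosts the test actually configures.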
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
old mode 100644
new mode 100755
index 377aedf1b3..d9ea2ecaeb
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,8 +1,8 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
alice::freeradius
-moon::ipsec start
-carol::ipsec start
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
old mode 100644
new mode 100755
index eb1e15dd25..0d9e9f3d43
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt
old mode 100644
new mode 100755
index fb30d163e7..87ca2edb0c
--- a/testing/tests/ikev1/xauth-rsa-radius/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt
@@ -1,7 +1,13 @@
The roadwarrior carol sets up a connection to gateway moon.
-The authentication is based on RSA signatures (RSASIG) using X.509 certificates
-followed by extended authentication (XAUTH) of carol based on a user name
-equal to the IKEv1 identity (carol@strongswan.org) and a user password
-defined and stored by carol in ipsec.secrets. Gateway moon verifies
-carol's XAUTH user credentials using a RADIUS connection with AAA server
-alice.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (XAUTH) of carol based on a user name equal to the IKEv1 identity
+carol@strongswan.org and a user password defined and stored by carol in the secrets
+section of swanctl.conf.
+
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol pings the client alice
+behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
old mode 100644
new mode 100755
index 7e11d2aa97..10009c7c63
--- a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -1,9 +1,6 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fdd60f006..0000000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftauth=pubkey
- leftauth2=xauth
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index d66f3fc246..0000000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..38a3077634
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
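Review bot: The deleted ipsec.secrets for carol held a passphrase for carolKey.pem (`: RSA carolKey.pem "…"`), but the new swanctl.conf defines only the XAUTH secret and no `private` entry for that key. This works only if the key under /etc/swanctl/rsa is stored unencrypted, which is presumably what the migrated framework provides but is not visible in this diff; if the key is still passphrase-protected, charon cannot load it and the `local-rsa` round has nothing to sign with. Worth confirming, and the same applies to the identical carol swanctl.conf in the xauth-rsa-eap-md5-radius hunk.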
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f4ee067d53..0000000000
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
- rightauth=pubkey
- rightauth2=xauth-radius
- auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 2f8caca101..88d80fc61a
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-radius kernel-netlink socket-default updown vici
plugins {
eap-radius {
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..d6dea899d4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote-rsa {
+ auth = pubkey
+ }
+ remote-xauth {
+ auth = xauth-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
old mode 100644
new mode 100755
index 4361417fd1..f4d215f094
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
old mode 100644
new mode 100755
index 377aedf1b3..d9ea2ecaeb
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,8 +1,8 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
alice::freeradius
-moon::ipsec start
-carol::ipsec start
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf
old mode 100644
new mode 100755
index b4088e8b42..0d9e9f3d43
--- a/testing/tests/ikev1/xauth-rsa-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt
old mode 100644
new mode 100755
index a9b76b6185..cccf97565a
--- a/testing/tests/ikev1/xauth-rsa/description.txt
+++ b/testing/tests/ikev1/xauth-rsa/description.txt
@@ -1,11 +1,10 @@
The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on RSA signatures (RSASIG) using X.509 certificates
-followed by extended authentication (XAUTH) of carol and dave
-based on user names equal to the IKEv1 identity (carol@strongswan.org and
-dave@strongswan.org, respectively) and corresponding user passwords defined and
-stored in ipsec.secrets.
+The authentication is based on RSA signatures using X.509 certificates followed by extended
+authentication (XAUTH) of carol and dave based on user names equal to
+the IKEv1 identities carol@strongswan.org and dave@strongswan.org, respectively and
+corresponding user passwords defined and stored in the secrets section of swanctl.conf.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, carol and dave ping the client
alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
old mode 100644
new mode 100755
index 90cf05c315..4929f0a6b6
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -1,11 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fdd60f006..0000000000
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftauth=pubkey
- leftauth2=xauth
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4a77c3b97f..0000000000
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index b635720d1a..d274a8195c
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..38a3077634
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+}
\ No newline at end of file
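Review bot: The file ends without a trailing newline (L6462), as do dave's and moon's swanctl.conf in this test (L6524, L6588); adding it avoids a spurious `\ No newline at end of file` marker in every future diff of these files. Separately, the deleted ipsec.secrets for carol held a `: RSA carolKey.pem "…"` entry, i.e. a passphrase for the private key, while the new `secrets` section carries only the `xauth` entry. If the key installed in the swanctl key directory is still passphrase-protected, loading credentials will fail without a matching `private` secret; presumably the test framework installs an unencrypted key, but that is worth confirming.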
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..594df12446
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ local-xauth {
+ auth = xauth
+ }
+ remote-rsa {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth {
+ id = dave@strongswan.org
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index e3bada0fc9..d274a8195c
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..f41d48fccf
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local-rsa {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote-rsa {
+ auth = pubkey
+ }
+ remote-xauth {
+ auth = xauth
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ xauth-carol {
+ id = carol@strongswan.org
+ secret = 4iChxLT3
+ }
+ xauth-dave {
+ id = dave@strongswan.org
+ secret = ryftzG4A
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-algs/alg-3des-md5/description.txt b/testing/tests/ikev2-algs/alg-3des-md5/description.txt
new file mode 100644
index 0000000000..5f6a8660fb
--- /dev/null
+++ b/testing/tests/ikev2-algs/alg-3des-md5/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior carol proposes to gateway moon the ESP cipher suite
+3des-md5-modp1024. The same cipher suite is used for IKE, too.
+
-By setting strictcrlpolicy=yes the CRLs from the strongSwan, Research and
+By setting revocation = strict the CRLs from the strongSwan, Research and
Sales CAs must be fetched from the LDAP server winnetou first, before the
connection setups can be successfully completed.
diff --git a/testing/tests/ikev2-multi-ca/ldap/evaltest.dat b/testing/tests/ikev2-multi-ca/ldap/evaltest.dat
new file mode 100644
index 0000000000..af4b17708b
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/evaltest.dat
@@ -0,0 +1,19 @@
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*research.*unacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..6ae09a00e7
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..b0621abb85
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+}
+
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..6ae09a00e7
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e0a7ee37db
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+}
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
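Review bot: Style: the blank line separating the `authorities` and `connections` blocks is missing between L6766 and L6767, whereas carol's otherwise identical file keeps it (L6708-6710); restoring it keeps the two roadwarrior configs directly diffable against each other.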
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
rename to testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..6ae09a00e7
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce ldap kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e985cf4e38
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,63 @@
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+ research {
+ cacert=researchCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+ sales {
+ cacert=salesCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+}
+
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = researchCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+
+ sales {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = salesCert.pem
+ revocation = strict
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
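Review bot: Style: `cacert=researchCert.pem` (L6828) and `cacert=salesCert.pem` (L6832) drop the spaces around `=` that every other assignment in the file uses, including `cacert = strongswanCert.pem` on L6824; write them as `cacert = researchCert.pem` and `cacert = salesCert.pem`.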
diff --git a/testing/tests/ikev2-multi-ca/ldap/posttest.dat b/testing/tests/ikev2-multi-ca/ldap/posttest.dat
new file mode 100644
index 0000000000..8abf31c0e6
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/posttest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+winnetou::systemctl stop slapd
+moon::rm /etc/swanctl/x509ca/*
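Review bot: `moon::rm /etc/swanctl/x509ca/*` (L6897) deletes every CA certificate on moon, including the strongSwan root CA, not only the Research and Sales CA files that this test's `authorities` section names; the loop test's posttest does the same (L7057). If the framework re-provisions /etc/swanctl/x509ca from the test's hosts/ tree before each run this is harmless, but if the root CA is part of the base image it is wiped for every later test on the same guest; removing just the two CA files this test adds would be safe in both cases.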
diff --git a/testing/tests/ikev2-multi-ca/ldap/pretest.dat b/testing/tests/ikev2-multi-ca/ldap/pretest.dat
new file mode 100644
index 0000000000..9b0a06d34e
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/pretest.dat
@@ -0,0 +1,11 @@
+winnetou::/etc/init.d/slapd start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
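Review bot: `winnetou::/etc/init.d/slapd start` (L6904) starts the LDAP server through the SysV script while the posttest stops it with `winnetou::systemctl stop slapd` (L6896); mixing the two can leave systemd unaware of the running service, so use `winnetou::systemctl start slapd` here for a matching pair. Also, moon only waits for `moon::expect-connection research` (L6908) although dave's `venus` child is meant to match the `sales` connection; if both connections are loaded together the wait covers both, but adding `moon::expect-connection sales` makes that dependency explicit.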
diff --git a/testing/tests/ikev2-multi-ca/ldap/test.conf b/testing/tests/ikev2-multi-ca/ldap/test.conf
new file mode 100644
index 0000000000..c295cf019c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ldap/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca-loop/description.txt b/testing/tests/ikev2-multi-ca/loop/description.txt
similarity index 100%
rename from testing/tests/ikev2/multi-level-ca-loop/description.txt
rename to testing/tests/ikev2-multi-ca/loop/description.txt
diff --git a/testing/tests/ikev2-multi-ca/loop/evaltest.dat b/testing/tests/ikev2-multi-ca/loop/evaltest.dat
new file mode 100644
index 0000000000..d3daa146f6
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..65ac5b94a9
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..2598416324
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/loop/posttest.dat b/testing/tests/ikev2-multi-ca/loop/posttest.dat
new file mode 100644
index 0000000000..adbfd8f247
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/loop/pretest.dat b/testing/tests/ikev2-multi-ca/loop/pretest.dat
new file mode 100644
index 0000000000..6a2c17c604
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/loop/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2-multi-ca/loop/test.conf
similarity index 90%
rename from testing/tests/ikev2/multi-level-ca-loop/test.conf
rename to testing/tests/ikev2-multi-ca/loop/test.conf
index a24ec4f1d2..940158eca0 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2-multi-ca/loop/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-multi-level/description.txt b/testing/tests/ikev2-multi-ca/ocsp-signers/description.txt
similarity index 91%
rename from testing/tests/ikev2/ocsp-multi-level/description.txt
rename to testing/tests/ikev2-multi-ca/ocsp-signers/description.txt
index cd0ecf1623..0e223bf666 100644
--- a/testing/tests/ikev2/ocsp-multi-level/description.txt
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/description.txt
@@ -6,5 +6,5 @@ Sales CA. The roadwarriors carol and dave have certificates from
the Research CA and Sales CA, respectively. Therefore carol can access
alice and dave can reach venus.
-By setting strictcrlpolicy=yes, the certificate status from the strongSwan, Research and
+By setting revocation = strict, the certificate status from the strongSwan, Research and
Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/ocsp-multi-level/evaltest.dat
rename to testing/tests/ikev2-multi-ca/ocsp-signers/evaltest.dat
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/ocsp-signers/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat
new file mode 100644
index 0000000000..506b6a2b6d
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
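Review bot: The cleanup here wipes `rsa/*`, `x509/*` and `x509ca/*` on all three hosts, while the other posttest.dat files added in this series (ocsp-strict-ifuri, pathlen, revoked, skipped) only run `moon::rm /etc/swanctl/x509ca/*`. Since pretest.dat for this scenario is carried over unchanged from swanctl/ocsp-multi-level and is not shown in the diff, confirm that the set of files it installs is exactly the set removed on lines 6-8, so that nothing persists into later tests on the shared images and nothing the images ship with is deleted. Note also that `rm -r` over an unmatched glob prints an error when one of the directories is already empty; if that matters for the test log, a `2> /dev/null` as used on the `--terminate` lines above would keep it clean.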
diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/ikev2-multi-ca/ocsp-signers/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/ocsp-multi-level/pretest.dat
rename to testing/tests/ikev2-multi-ca/ocsp-signers/pretest.dat
diff --git a/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf b/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf
new file mode 100644
index 0000000000..c295cf019c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-signers/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt
similarity index 84%
rename from testing/tests/ikev2/ocsp-strict-ifuri/description.txt
rename to testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt
index 2791e761f5..c0576458bb 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/description.txt
@@ -1,18 +1,16 @@
-This scenario tests the strictcrlpolicy=ifuri option which enforces a
+This scenario tests the revocation = ifuri option which enforces a
strict CRL policy for a given CA if at least one OCSP or CRL URI is known
for this CA at the time of the certificate trust path verification.
On the gateway moon two different Intermediate CAs control the access
to the hosts alice and venus. Access to alice is granted
to users presenting a certificate issued by the Research CA whereas venus
-can only be reached with a certificate issued by the Sales CA.
-
+can only be reached with a certificate issued by the Sales CA.
+
+
The roadwarrior dave has a certificate from the Sales CA which contains a single OCSP URI but which is not resolvable. Thus because of the known URI a strict CRL policy is enforced and the unknown certificate status causes the connection setup to fail.
-
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat
new file mode 100644
index 0000000000..65d856ed87
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
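Review bot: The dave-side outcome is asserted only negatively (the two `::NO` lines at the end of the hunk), which would also pass if dave's daemon never started or never attempted the connection. The sibling evaltests added in this series (pathlen, revoked, skipped) pair the moon-side rejection with a positive check on the initiator, `carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES`. Adding the equivalent `dave:: cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES` here would confirm that the ifuri policy actually rejected dave rather than that nothing happened.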
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..f7dc3a948f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = ifuri
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..de7341d7f8
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = ifuri
+ }
+ children {
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..8905ebe233
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = researchCert.pem
+ revocation = ifuri
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+
+ sales {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = salesCert.pem
+ revocation = ifuri
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat
new file mode 100644
index 0000000000..a957f652c8
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/posttest.dat
@@ -0,0 +1,4 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat
new file mode 100644
index 0000000000..eb0921eb50
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/pretest.dat
@@ -0,0 +1,9 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+moon::expect-connection sales
+dave::expect-connection home
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf
new file mode 100644
index 0000000000..c295cf019c
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/ocsp-strict-ifuri/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/description.txt b/testing/tests/ikev2-multi-ca/pathlen/description.txt
similarity index 100%
rename from testing/tests/ikev2/multi-level-ca-pathlen/description.txt
rename to testing/tests/ikev2-multi-ca/pathlen/description.txt
diff --git a/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat b/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat
new file mode 100644
index 0000000000..d05fe30680
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::duck.*state=ESTABLISHED.*child-sas.*duck.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*duck.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..66cde93fda
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ duck {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..76f98f6c74
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ duck {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = duckCert.pem
+ }
+ children {
+ duck {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/pathlen/posttest.dat b/testing/tests/ikev2-multi-ca/pathlen/posttest.dat
new file mode 100644
index 0000000000..adbfd8f247
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/pathlen/pretest.dat b/testing/tests/ikev2-multi-ca/pathlen/pretest.dat
new file mode 100644
index 0000000000..f6002f833a
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/pathlen/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection duck
+carol::expect-connection home
+carol::swanctl --initiate --child duck 2> /dev/null
diff --git a/testing/tests/swanctl/ip-two-pools/test.conf b/testing/tests/ikev2-multi-ca/pathlen/test.conf
old mode 100755
new mode 100644
similarity index 88%
rename from testing/tests/swanctl/ip-two-pools/test.conf
rename to testing/tests/ikev2-multi-ca/pathlen/test.conf
index 5f67b7ed5b..940158eca0
--- a/testing/tests/swanctl/ip-two-pools/test.conf
+++ b/testing/tests/ikev2-multi-ca/pathlen/test.conf
@@ -13,12 +13,12 @@ DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="carol alice"
+TCPDUMPHOSTS=""
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol alice"
+IPSECHOSTS="moon carol"
# charon controlled by swanctl
#
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/description.txt b/testing/tests/ikev2-multi-ca/revoked/description.txt
similarity index 98%
rename from testing/tests/ikev2/multi-level-ca-revoked/description.txt
rename to testing/tests/ikev2-multi-ca/revoked/description.txt
index c91ac285b0..2fb5a4e3e4 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/description.txt
+++ b/testing/tests/ikev2-multi-ca/revoked/description.txt
@@ -1,4 +1,4 @@
The roadwarrior carol possesses a certificate issued by the Research CA. The certificate of the Research CA has been revoked by the Root CA by entering the serial number in the CRL. Therefore upon verification of the trust path
-the gateway moon will reject the roadwarrior's certificate
+the gateway moon will reject the roadwarrior's certificate
diff --git a/testing/tests/ikev2-multi-ca/revoked/evaltest.dat b/testing/tests/ikev2-multi-ca/revoked/evaltest.dat
new file mode 100644
index 0000000000..453de63fdc
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..65ac5b94a9
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..2598416324
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/revoked/posttest.dat b/testing/tests/ikev2-multi-ca/revoked/posttest.dat
new file mode 100644
index 0000000000..adbfd8f247
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/revoked/pretest.dat b/testing/tests/ikev2-multi-ca/revoked/pretest.dat
new file mode 100644
index 0000000000..6a2c17c604
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/revoked/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-signer-cert/test.conf b/testing/tests/ikev2-multi-ca/revoked/test.conf
similarity index 86%
rename from testing/tests/swanctl/ocsp-signer-cert/test.conf
rename to testing/tests/ikev2-multi-ca/revoked/test.conf
index c5b3ecc435..940158eca0 100644
--- a/testing/tests/swanctl/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2-multi-ca/revoked/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
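Review bot: `dave` is added to VIRTHOSTS in the revoked test.conf hunk although nothing else in this scenario references it: no hosts/dave directory is added, the pretest/posttest/evaltest lines name only moon and carol, and the new DIAGRAM `a-m-c-w.png` has no dave node. Unless the guest is required for a reason outside this hunk, `VIRTHOSTS="alice moon carol winnetou"` would match the rest of the test and avoid booting an unused VM. The same applies to the skipped test.conf hunk further below, which lands on the same blob (940158eca0), and presumably to pathlen/test.conf, whose hunk here does not show the VIRTHOSTS line but also ends at 940158eca0.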
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt b/testing/tests/ikev2-multi-ca/rw-hash-and-url/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/description.txt
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/evaltest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/posttest.dat
diff --git a/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat b/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat
new file mode 100644
index 0000000000..456938cc47
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/rw-hash-and-url/pretest.dat
@@ -0,0 +1,10 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/test.conf b/testing/tests/ikev2-multi-ca/rw-hash-and-url/test.conf
old mode 100755
new mode 100644
similarity index 100%
rename from testing/tests/swanctl/rw-multi-ciphers-ikev1/test.conf
rename to testing/tests/ikev2-multi-ca/rw-hash-and-url/test.conf
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/description.txt b/testing/tests/ikev2-multi-ca/skipped/description.txt
similarity index 100%
rename from testing/tests/ikev2/multi-level-ca-skipped/description.txt
rename to testing/tests/ikev2-multi-ca/skipped/description.txt
diff --git a/testing/tests/ikev2-multi-ca/skipped/evaltest.dat b/testing/tests/ikev2-multi-ca/skipped/evaltest.dat
new file mode 100644
index 0000000000..e17c97d82f
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..7425e40748
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..800c26e9ab
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = researchCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/ikev2-multi-ca/skipped/posttest.dat b/testing/tests/ikev2-multi-ca/skipped/posttest.dat
new file mode 100644
index 0000000000..adbfd8f247
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2-multi-ca/skipped/pretest.dat b/testing/tests/ikev2-multi-ca/skipped/pretest.dat
new file mode 100644
index 0000000000..6a2c17c604
--- /dev/null
+++ b/testing/tests/ikev2-multi-ca/skipped/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
diff --git a/testing/tests/swanctl/crl-to-cache/test.conf b/testing/tests/ikev2-multi-ca/skipped/test.conf
similarity index 86%
rename from testing/tests/swanctl/crl-to-cache/test.conf
rename to testing/tests/ikev2-multi-ca/skipped/test.conf
index fdda0a04cb..940158eca0 100644
--- a/testing/tests/swanctl/crl-to-cache/test.conf
+++ b/testing/tests/ikev2-multi-ca/skipped/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
@@ -21,4 +21,5 @@ TCPDUMPHOSTS=""
IPSECHOSTS="moon carol"
# charon controlled by swanctl
+#
SWANCTL=1
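Review bot: `VIRTHOSTS="alice moon carol winnetou dave"` in the first test.conf hunk boots dave, but nothing else in this test touches that guest: the pretest.dat and posttest.dat hunks above only start and stop strongswan on moon and carol, evaltest.dat only inspects moon and carol, IPSECHOSTS stays `"moon carol"`, and the new diagram name `a-m-c-w.png` has no dave node either. Unless dave is needed for the scenario, `VIRTHOSTS="alice moon carol winnetou"` keeps the guest list consistent with the diagram and avoids booting an idle guest for a negative test; alice is presumably kept only because the diagram shows the 10.1.0.10/32 child, since no ping is evaluated. The second hunk, which inserts `+#` before `SWANCTL=1`, is a formatting change only.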
diff --git a/testing/tests/ikev2-stroke-bye/.gitignore b/testing/tests/ikev2-stroke-bye/.gitignore
new file mode 100644
index 0000000000..f8443fea46
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev2/any-interface/description.txt b/testing/tests/ikev2-stroke-bye/any-interface/description.txt
similarity index 100%
rename from testing/tests/ikev2/any-interface/description.txt
rename to testing/tests/ikev2-stroke-bye/any-interface/description.txt
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/any-interface/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/any-interface/posttest.dat b/testing/tests/ikev2-stroke-bye/any-interface/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/any-interface/posttest.dat
rename to testing/tests/ikev2-stroke-bye/any-interface/posttest.dat
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2-stroke-bye/any-interface/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/any-interface/pretest.dat
rename to testing/tests/ikev2-stroke-bye/any-interface/pretest.dat
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2-stroke-bye/any-interface/test.conf
similarity index 100%
rename from testing/tests/ikev2/any-interface/test.conf
rename to testing/tests/ikev2-stroke-bye/any-interface/test.conf
diff --git a/testing/tests/ikev2/compress-nat/description.txt b/testing/tests/ikev2-stroke-bye/compress-nat/description.txt
similarity index 100%
rename from testing/tests/ikev2/compress-nat/description.txt
rename to testing/tests/ikev2-stroke-bye/compress-nat/description.txt
diff --git a/testing/tests/ikev2/compress-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/compress-nat/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/compress-nat/posttest.dat
rename to testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat
diff --git a/testing/tests/ikev2/compress-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/compress-nat/pretest.dat
rename to testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat
diff --git a/testing/tests/ikev2/compress-nat/test.conf b/testing/tests/ikev2-stroke-bye/compress-nat/test.conf
similarity index 100%
rename from testing/tests/ikev2/compress-nat/test.conf
rename to testing/tests/ikev2-stroke-bye/compress-nat/test.conf
diff --git a/testing/tests/ikev2/crl-from-cache/description.txt b/testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/description.txt
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/crl-from-cache/posttest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/posttest.dat
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/pretest.dat
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf
similarity index 100%
rename from testing/tests/ikev2/crl-from-cache/test.conf
rename to testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/description.txt b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/description.txt
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/posttest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/pretest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/test.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/description.txt b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/description.txt
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
similarity index 92%
rename from testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index af5fa19ef1..0fbefa3fc2 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..729db45267
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
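Review bot: The new dave strongswan.conf on this line loads `random nonce aes sha1 sha2 pem pkcs1 ...`, while carol's updated `load` line in the same dhcp-static-mac test keeps `md5` between `sha2` and `pem`, so the two road-warrior peers of one test end up with different plugin sets, and only the `resolve` addition is what the commit intends. The same carol/dave pair recurs for farp and forecast further down with the identical `af5fa19ef1..0fbefa3fc2` and `729db45267` blobs, so whatever is decided applies to all three. If `md5` is not needed for these IKEv2 certificate tests, dropping it from carol's line keeps the peers identical and avoids carrying a legacy hash plugin in the test configs; if it is needed, dave's new file must list it as well.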
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/posttest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/pretest.dat
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-mac/test.conf
rename to testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf
diff --git a/testing/tests/ikev2/dpd-hold/description.txt b/testing/tests/ikev2-stroke-bye/dpd-hold/description.txt
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/description.txt
rename to testing/tests/ikev2-stroke-bye/dpd-hold/description.txt
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat
rename to testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
rename to testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/test.conf
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/test.conf
rename to testing/tests/ikev2-stroke-bye/dpd-hold/test.conf
diff --git a/testing/tests/ikev2/farp/description.txt b/testing/tests/ikev2-stroke-bye/farp/description.txt
similarity index 100%
rename from testing/tests/ikev2/farp/description.txt
rename to testing/tests/ikev2-stroke-bye/farp/description.txt
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2-stroke-bye/farp/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/farp/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/farp/evaltest.dat
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
similarity index 92%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
index af5fa19ef1..0fbefa3fc2 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..729db45267
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2-stroke-bye/farp/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
rename to testing/tests/ikev2-stroke-bye/farp/posttest.dat
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2-stroke-bye/farp/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/farp/pretest.dat
rename to testing/tests/ikev2-stroke-bye/farp/pretest.dat
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2-stroke-bye/farp/test.conf
similarity index 100%
rename from testing/tests/ikev2/dynamic-two-peers/test.conf
rename to testing/tests/ikev2-stroke-bye/farp/test.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/description.txt b/testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/description.txt
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/posttest.dat
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/pretest.dat
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf
similarity index 100%
rename from testing/tests/ikev2/force-udp-encaps/test.conf
rename to testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2-stroke-bye/forecast/description.txt
similarity index 100%
rename from testing/tests/ikev2/forecast/description.txt
rename to testing/tests/ikev2-stroke-bye/forecast/description.txt
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2-stroke-bye/forecast/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/forecast/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/forecast/evaltest.dat
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
similarity index 92%
rename from testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
index af5fa19ef1..0fbefa3fc2 100644
--- a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
}
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..729db45267
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2-stroke-bye/forecast/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-sig-auth/posttest.dat
rename to testing/tests/ikev2-stroke-bye/forecast/posttest.dat
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2-stroke-bye/forecast/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/forecast/pretest.dat
rename to testing/tests/ikev2-stroke-bye/forecast/pretest.dat
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2-stroke-bye/forecast/test.conf
similarity index 100%
rename from testing/tests/ikev2/forecast/test.conf
rename to testing/tests/ikev2-stroke-bye/forecast/test.conf
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt
similarity index 100%
rename from testing/tests/ikev2/host2host-transport-connmark/description.txt
rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/evaltest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/posttest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/pretest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-connmark/test.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf 
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/description.txt rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/evaltest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf diff --git a/testing/tests/ikev2/host2host-transport-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/posttest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat 
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/pretest.dat rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat diff --git a/testing/tests/ikev2/host2host-transport-nat/test.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf similarity index 100% rename from testing/tests/ikev2/host2host-transport-nat/test.conf rename to testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf diff --git a/testing/tests/ikev2/inactivity-timeout/description.txt b/testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/description.txt rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/evaltest.dat rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/posttest.dat rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/pretest.dat rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf similarity index 100% rename from testing/tests/ikev2/alg-aes-ccm/test.conf rename to testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/description.txt rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt 
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/evaltest.dat rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/lookip/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat similarity index 100% rename from testing/tests/ikev2/lookip/posttest.dat rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/pretest.dat rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf similarity index 100% rename from testing/tests/ikev2/farp/test.conf rename to testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf diff --git a/testing/tests/ikev2/ip-split-pools-db/description.txt b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt similarity index 100% rename from testing/tests/ikev2/ip-split-pools-db/description.txt rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat similarity index 100% rename from testing/tests/ikev2/ip-split-pools-db/evaltest.dat rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat 
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..c22405914f --- /dev/null 
+++ b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/ip-split-pools-db/posttest.dat
rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/ip-split-pools-db/pretest.dat
rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
old mode 100755
new mode 100644
similarity index 88%
rename from testing/tests/swanctl/ip-pool-db/test.conf
rename to testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
index 5554b46696..31820ea1a6
--- a/testing/tests/swanctl/ip-pool-db/test.conf
+++ b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="moon alice"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
@@ -23,7 +23,3 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="moon"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
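Review bot: The trailing `pool { load = sqlite }` section of the new moon strongswan.conf carries no comment, and a reader can easily take it for a second address-pool definition rather than the plugin list of the separate `ipsec pool` management tool. A one-line comment such as `# plugins loaded by the "ipsec pool" tool (not by charon)` above it, and `# pool/lease database; presumably created and populated by pretest.dat` above the `database =` entry, would make the file self-explaining. Note that the sqlite URI is declared only under `charon.plugins.attr-sql`; the tool is expected to pick it up from there, but that is worth confirming rather than assuming, since a missing URI only shows up when the split pools fail to be provisioned.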
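Review bot: `TCPDUMPHOSTS` is widened to `"moon alice"` in a test.conf that git matched to swanctl/ip-pool-db rather than to the original ikev2/ip-split-pools-db test, so the value should be checked against the evaltest.dat carried over unchanged in this commit: every host whose `tcpdump` lines are evaluated must appear here, and a host listed without evaluated output only adds capture noise and run time. If alice's capture is needed, a short comment above the assignment naming the dependency (e.g. `# alice is captured because evaltest.dat evaluates its tcpdump output`) would make the departure from the swanctl original look intentional. The removal of `SWANCTL=1` in the second hunk is consistent with the move into the stroke-based tree, and dropping the executable bit from a sourced config file is correct.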
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/description.txt rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/posttest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/pretest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/test.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf 
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/description.txt rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat 
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat 
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-v4v6/test.conf rename to testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf diff --git a/testing/tests/ikev2/lookip/description.txt b/testing/tests/ikev2-stroke-bye/lookip/description.txt similarity index 100% rename from testing/tests/ikev2/lookip/description.txt rename to testing/tests/ikev2-stroke-bye/lookip/description.txt diff --git a/testing/tests/ikev2/lookip/evaltest.dat b/testing/tests/ikev2-stroke-bye/lookip/evaltest.dat similarity index 100% rename from testing/tests/ikev2/lookip/evaltest.dat rename to testing/tests/ikev2-stroke-bye/lookip/evaltest.dat diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2-stroke-bye/lookip/posttest.dat similarity index 100% rename from testing/tests/ikev2/rw-eap-dynamic/posttest.dat rename to testing/tests/ikev2-stroke-bye/lookip/posttest.dat diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2-stroke-bye/lookip/pretest.dat similarity index 100% rename from testing/tests/ikev2/lookip/pretest.dat rename to testing/tests/ikev2-stroke-bye/lookip/pretest.dat diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2-stroke-bye/lookip/test.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/test.conf rename to testing/tests/ikev2-stroke-bye/lookip/test.conf diff --git a/testing/tests/ikev2/mobike-nat/description.txt b/testing/tests/ikev2-stroke-bye/mobike-nat/description.txt similarity index 100% rename from testing/tests/ikev2/mobike-nat/description.txt rename to testing/tests/ikev2-stroke-bye/mobike-nat/description.txt diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/evaltest.dat similarity index 100% rename from testing/tests/ikev2/mobike-nat/evaltest.dat rename to testing/tests/ikev2-stroke-bye/mobike-nat/evaltest.dat 
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/iptables.rules diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-nat/hosts/sun/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/posttest.dat similarity index 100% rename from testing/tests/ikev2/mobike-nat/posttest.dat rename to testing/tests/ikev2-stroke-bye/mobike-nat/posttest.dat diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-nat/pretest.dat similarity index 100% rename from testing/tests/ikev2/mobike-nat/pretest.dat rename to testing/tests/ikev2-stroke-bye/mobike-nat/pretest.dat diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2-stroke-bye/mobike-nat/test.conf similarity index 100% rename from testing/tests/ikev2/mobike-nat/test.conf rename to testing/tests/ikev2-stroke-bye/mobike-nat/test.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/description.txt b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/description.txt similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/description.txt rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/description.txt diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/evaltest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/evaltest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/posttest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/posttest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/pretest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/pretest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/test.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/test.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip-nat/test.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip-nat/test.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip/description.txt b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/description.txt similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/description.txt rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/description.txt diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/evaltest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/evaltest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/evaltest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/iptables.rules diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/hosts/sun/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/posttest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/posttest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/posttest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/pretest.dat similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/pretest.dat rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/pretest.dat diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2-stroke-bye/mobike-virtual-ip/test.conf similarity index 100% rename from testing/tests/ikev2/mobike-virtual-ip/test.conf rename to testing/tests/ikev2-stroke-bye/mobike-virtual-ip/test.conf diff --git a/testing/tests/ikev2/mobike/description.txt b/testing/tests/ikev2-stroke-bye/mobike/description.txt similarity index 100% rename from testing/tests/ikev2/mobike/description.txt rename to testing/tests/ikev2-stroke-bye/mobike/description.txt diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2-stroke-bye/mobike/evaltest.dat similarity index 100% rename from testing/tests/ikev2/mobike/evaltest.dat rename to testing/tests/ikev2-stroke-bye/mobike/evaltest.dat diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/iptables.rules 
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/mobike/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2-stroke-bye/mobike/posttest.dat similarity index 100% rename from testing/tests/ikev2/mobike/posttest.dat rename to testing/tests/ikev2-stroke-bye/mobike/posttest.dat diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2-stroke-bye/mobike/pretest.dat similarity index 100% rename from testing/tests/ikev2/mobike/pretest.dat rename to testing/tests/ikev2-stroke-bye/mobike/pretest.dat diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2-stroke-bye/mobike/test.conf similarity index 100% rename from testing/tests/ikev2/mobike/test.conf rename to testing/tests/ikev2-stroke-bye/mobike/test.conf 
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/description.txt rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/evaltest.dat rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules 
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/posttest.dat rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/pretest.dat rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat 
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-mark/test.conf rename to testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt similarity index 100% rename from testing/tests/ikev2/net2net-cert-sha2/description.txt rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat similarity index 100% rename from testing/tests/ikev2/net2net-cert-sha2/evaltest.dat rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev1/net2net-ntru-cert/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat similarity index 100% rename from testing/tests/ikev1/net2net-ntru-cert/posttest.dat rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat similarity index 100% rename from testing/tests/ikev1/net2net-ntru-cert/pretest.dat rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat diff --git a/testing/tests/ikev2/net2net-dnscert/test.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/test.conf rename to testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf diff --git a/testing/tests/ikev2/net2net-dnscert/description.txt b/testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/description.txt rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt diff --git a/testing/tests/ikev2/net2net-dnscert/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/evaltest.dat rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat 
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/net2net-dnscert/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat similarity index 100% rename from testing/tests/ikev2/net2net-dnscert/posttest.dat rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat
diff --git a/testing/tests/ikev2/net2net-fragmentation/test.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-fragmentation/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf
diff --git a/testing/tests/swanctl/net2net-multicast/description.txt b/testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt
similarity index 100%
rename from testing/tests/swanctl/net2net-multicast/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat
new file mode 100644
index 0000000000..7649abc5b8
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat
@@ -0,0 +1,16 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
+bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
similarity index 73%
rename from testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
index 1c5da7b88b..904a5fa6ee 100644
--- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
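Review bot: The four `::traceroute::YES` lines do not check forwarding: the pattern matches traceroute's own banner, which is printed whether or not the probe reaches anything, so they only serve to generate the port-5353 multicast traffic that the later tcpdump lines verify. That is acceptable, but it means the alice/bob YES/NO tcpdump matches are the only assertions on multicast delivery, and nothing rules out the probes also crossing the moon–sun link unencrypted. If sun's capture is on its outer interface and the gateways' own probes leave via the inner interfaces, a negative match such as `sun::tcpdump::IP .*> 224.0.0.251.5353::NO` next to the two ESP checks would pin down that the multicast only ever crosses the link inside ESP.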
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
 multiple_authentication = no
- plugins {
 forecast {
 groups = 224.0.0.251
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
similarity index 59%
rename from testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
index 812c12bf94..904a5fa6ee 100644
--- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,14 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
 multiple_authentication = no
- plugins {
 forecast {
 groups = 224.0.0.251
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat
new file mode 100644
index 0000000000..dff181797e
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat
new file mode 100644
index 0000000000..e777dba060
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-multicast/test.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
similarity index 91%
rename from testing/tests/swanctl/net2net-multicast/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
index 579978772d..48597379a0 100644
--- a/testing/tests/swanctl/net2net-multicast/test.conf
+++ b/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="alice sun bob"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt
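Review bot: Dropping `SWANCTL=1` switches this test to the stroke-driven charon, but the test's description.txt is taken over from the swanctl variant unchanged (a 100% similarity rename in the same commit); if that text refers to swanctl or vici it is now misleading and should be reworded in `ipsec up`/stroke terms. The hunk itself is consistent with the accompanying strongswan.conf changes, which load `stroke` instead of `vici`.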
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-cert-sha2/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-cert-sha2/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat
diff --git a/testing/tests/ikev1/net2net-ntru-cert/test.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf
similarity index 100%
rename from testing/tests/ikev1/net2net-ntru-cert/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/description.txt b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v3/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/description.txt b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-pgp-v4/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/description.txt b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-dscp/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf
diff --git a/testing/tests/ikev2/net2net-rekey/description.txt b/testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt
diff --git a/testing/tests/ikev2/net2net-rekey/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-fragmentation/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-fragmentation/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat
diff --git a/testing/tests/ikev2/net2net-fragmentation/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-fragmentation/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat
diff --git a/testing/tests/ikev2/net2net-rekey/test.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/description.txt
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/posttest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/pretest.dat
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-same-nets/test.conf
rename to testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf
diff --git a/testing/tests/ikev2/protoport-route/description.txt b/testing/tests/ikev2-stroke-bye/protoport-route/description.txt
similarity index 100%
rename from testing/tests/ikev2/protoport-route/description.txt
rename to testing/tests/ikev2-stroke-bye/protoport-route/description.txt
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/protoport-route/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/alg-sha256/posttest.dat
rename to testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/protoport-route/pretest.dat
rename to testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev2-stroke-bye/protoport-route/test.conf
similarity index 100%
rename from testing/tests/ikev1/alg-sha256/test.conf
rename to testing/tests/ikev2-stroke-bye/protoport-route/test.conf
diff --git a/testing/tests/ikev2/reauth-early/description.txt b/testing/tests/ikev2-stroke-bye/reauth-early/description.txt
similarity index 100%
rename from testing/tests/ikev2/reauth-early/description.txt
rename to testing/tests/ikev2-stroke-bye/reauth-early/description.txt
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-early/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/alg-sha384/posttest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-early/pretest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev2-stroke-bye/reauth-early/test.conf
similarity index 100%
rename from testing/tests/ikev1/alg-sha384/test.conf
rename to testing/tests/ikev2-stroke-bye/reauth-early/test.conf
diff --git a/testing/tests/ikev2/reauth-late/description.txt b/testing/tests/ikev2-stroke-bye/reauth-late/description.txt
similarity index 100%
rename from testing/tests/ikev2/reauth-late/description.txt
rename to testing/tests/ikev2-stroke-bye/reauth-late/description.txt
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-late/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/alg-sha512/posttest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-late/pretest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev2-stroke-bye/reauth-late/test.conf
similarity index 100%
rename from testing/tests/ikev1/alg-sha512/test.conf
rename to testing/tests/ikev2-stroke-bye/reauth-late/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/description.txt
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat
diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/dpd-hold/pretest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-ccm/test.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat
similarity index 100%
rename from testing/tests/ikev1/alg-sha256/pretest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-ctr/test.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb/description.txt
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat
similarity index 100%
rename from testing/tests/ikev1/alg-sha384/pretest.dat
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-gcm/test.conf
rename to testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat
new file mode 100644
index 0000000000..b31a468098
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
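Review bot: The fourth entry of the new evaltest.dat, `+moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established`, is missing the trailing `::YES` field that every other entry carries, so the moon-side check that the EAP-AKA exchange completed and an MSK was derived is malformed and is likely to be skipped or mis-parsed by the evaluator instead of enforced. That line is the server-side evidence that the EAP leg of the mutual authentication actually succeeded, so it should read `moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established::YES`. The two empty `+` lines at the end of the file add nothing and could be dropped at the same time.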
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
similarity index 100%
rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
similarity index 100%
rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
similarity index 51%
rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
index 653488a665..81d2c8e74a 100644
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon-systemd { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown plugins { eap-simaka-sql { diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql 
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf similarity index 51% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf index 653488a665..81d2c8e74a 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon-systemd { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown plugins { eap-simaka-sql { diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat similarity index 100% rename from testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat similarity index 68% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat index 6356b88474..e3d7998a95 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat +++ b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat 
@@ -2,9 +2,8 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
 moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
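Review bot: The removed line `carol::cd /etc/swanctl; rm rsa/* x509/*` deleted carol's RSA key and certificate before the daemon started, so in the swanctl variant the client could only authenticate through the SQL-backed EAP-AKA credentials; the stroke variant drops that step without an `/etc/ipsec.d` equivalent. If carol's image still ships a key under `/etc/ipsec.d/private` and a certificate under `/etc/ipsec.d/certs`, a wrong or missing `leftauth` in her ipsec.conf could let the test pass on RSA instead of EAP-AKA, which is exactly what this test is meant to exercise; either add `carol::rm -f /etc/ipsec.d/private/* /etc/ipsec.d/certs/*` next to the database setup or record in the file why it is unnecessary under stroke. Carol's ipsec.conf is not part of this hunk, so whether `leftauth=eap` is set cannot be confirmed here. Minor: `carol::ipsec up home` no longer discards stderr the way the `swanctl --initiate ... 2> /dev/null` line did, which is fine as long as the test runner tolerates output on stderr.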
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-dynamic/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat
similarity index 100%
rename from testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
similarity index 90%
rename from testing/tests/swanctl/rw-eap-md5-rsa/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
index 97b89cb611..e093d43d83 100644
--- a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/description.txt b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt
diff --git a/testing/tests/ikev2/rw-ntru-psk/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-whitelist/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat
diff --git a/testing/tests/ikev2/lookip/test.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf
similarity index 100%
rename from testing/tests/ikev2/lookip/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/virtual-ip-override/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
old mode 100755
new mode 100644
similarity index 52%
rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
index 3d37a86e52..ee5bc7c721
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 moon::expect-connection rw
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
 dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
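Review bot: The three added `rm /etc/ipsec.d/cacerts/*` lines delete the hosts' trust anchors before `ipsec start` with no visible restore step, and `rm` without `-f` fails if the directory is already empty. This test's posttest.dat is renamed elsewhere in this commit but its content is not shown here, so I cannot confirm whether anything puts the certificates back; if the framework does not reset the guest filesystems between tests, later tests that depend on those CA certificates would run without them. The rw-psk-rsa-split posttest hunk in this same commit shows the move-and-restore idiom (`moon::mv /etc/hosts.ori /etc/hosts`) that would be the safer shape here, e.g. `moon::mv /etc/ipsec.d/cacerts /etc/ipsec.d/cacerts.ori` in pretest.dat with the matching `mv` back in posttest.dat. If the overlay is reset per test anyway, a short comment in description.txt stating that the CA certificates are removed deliberately to force PSK-only authentication would make the intent explicit.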
diff --git a/testing/tests/swanctl/rw-psk-fqdn/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
old mode 100755
new mode 100644
similarity index 91%
rename from testing/tests/swanctl/rw-psk-fqdn/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
index 1227b9d1c0..f292988506
--- a/testing/tests/swanctl/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat
diff --git a/testing/tests/swanctl/rw-psk-ipv4/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
old mode 100755
new mode 100644
similarity index 91%
rename from testing/tests/swanctl/rw-psk-ipv4/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
index 1227b9d1c0..f292988506
--- a/testing/tests/swanctl/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
similarity index 84%
rename from testing/tests/ikev1/dynamic-two-peers/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
index 119c8e45a6..1865a1c60e 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
@@ -1,7 +1,6 @@
+moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::ipsec stop
-moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat
diff --git a/testing/tests/swanctl/rw-psk-ppk/test.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
old mode 100755
new mode 100644
similarity index 91%
rename from testing/tests/swanctl/rw-psk-ppk/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
index 1227b9d1c0..f292988506
--- a/testing/tests/swanctl/rw-psk-ppk/test.conf
+++ b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/rw-radius-accounting/description.txt b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt
similarity index 100%
rename from testing/tests/ikev2/rw-radius-accounting/description.txt
rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-radius-accounting/evaltest.dat
rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat
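Review bot: The new posttest.dat for rw-psk-rsa-split now stops moon before carol and dave, whereas the rw-whitelist posttest added later in this chunk stops carol and dave first and moon last; the moon-first order recurs in the rw-sig-auth, virtual-ip-override and config-payload-swapped posttest files of the same commit. With the gateway already down, the clients' own `ipsec stop` can presumably only time out their DELETE exchanges rather than tear the SAs down cleanly on both sides, so the clients-first order used by rw-whitelist looks like the safer convention to apply across the ikev2-stroke-bye tree. Dropping `moon::mv /etc/hosts.ori /etc/hosts` is consistent with the file having been taken over from dynamic-two-peers, but nothing in this chunk shows whether the rw-psk-rsa-split pretest leaves /etc/hosts untouched, so that is worth confirming against its pretest.dat.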
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel 
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default 
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/posttest.dat rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/pretest.dat rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/test.conf rename to testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf 
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt similarity index 100% rename from testing/tests/ikev2/rw-sig-auth/description.txt rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat similarity index 100% rename from testing/tests/ikev2/rw-sig-auth/evaltest.dat rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
similarity index 84%
rename from testing/tests/ikev2/dynamic-two-peers/posttest.dat
rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
index 119c8e45a6..1865a1c60e 100644
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
@@ -1,7 +1,6 @@
+moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::ipsec stop
-moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-sig-auth/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf similarity index 100% rename from testing/tests/ikev2/rw-sig-auth/test.conf rename to testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt similarity index 100% rename from testing/tests/ikev2/rw-whitelist/description.txt rename to testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat similarity index 100% rename from testing/tests/ikev2/rw-whitelist/evaltest.dat rename to testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat
new file mode 100644
index 0000000000..b757d8b152
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/rw-whitelist/pretest.dat
rename to testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat
diff --git a/testing/tests/ikev2/rw-ntru-psk/test.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-ntru-psk/test.conf
rename to testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf
diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2-stroke-bye/trap-any/description.txt similarity index 100% rename from testing/tests/ikev2/trap-any/description.txt rename to testing/tests/ikev2-stroke-bye/trap-any/description.txt diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat similarity index 100% rename from testing/tests/ikev2/trap-any/evaltest.dat rename to testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2-stroke-bye/trap-any/posttest.dat similarity index 100% rename from testing/tests/ikev2/trap-any/posttest.dat rename to testing/tests/ikev2-stroke-bye/trap-any/posttest.dat diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2-stroke-bye/trap-any/pretest.dat similarity index 100% rename from testing/tests/ikev2/trap-any/pretest.dat rename to testing/tests/ikev2-stroke-bye/trap-any/pretest.dat diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2-stroke-bye/trap-any/test.conf similarity index 100% rename from testing/tests/ikev2/trap-any/test.conf rename to testing/tests/ikev2-stroke-bye/trap-any/test.conf diff --git a/testing/tests/ikev2/virtual-ip-override/description.txt b/testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt similarity index 100% rename from testing/tests/ikev2/virtual-ip-override/description.txt rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat similarity index 100% rename from testing/tests/ikev2/virtual-ip-override/evaltest.dat rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat 
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat
new file mode 100644
index 0000000000..bdbe341dd3
--- /dev/null
+++ b/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip-override/test.conf
rename to testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf
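Review bot: The new pretest.dat for virtual-ip-override synchronises on the gateway with `moon::expect-connection rw-carol` only, yet it then brings up both `carol::ipsec up home` and `dave::ipsec up home`. Moon's ipsec.conf for this test is the one renamed from ikev2/config-payload, and the config-payload evaltest added further down in this chunk matches a separate `rw-dave` connection on moon, which suggests that config defines rw-dave as well; if so, dave's `ipsec up home` can race moon still loading that second connection. Adding `moon::expect-connection rw-dave` before `dave::ipsec up home` removes the race. The same pretest.dat blob (bdbe341dd3) is added for config-payload-swapped later in this chunk, where the same addition applies if its moon config also carries an rw-dave connection.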
diff --git a/testing/tests/ikev2/wildcards/description.txt b/testing/tests/ikev2-stroke-bye/wildcards/description.txt similarity index 100% rename from testing/tests/ikev2/wildcards/description.txt rename to testing/tests/ikev2-stroke-bye/wildcards/description.txt diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat similarity index 100% rename from testing/tests/ikev2/wildcards/evaltest.dat rename to testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/wildcards/posttest.dat b/testing/tests/ikev2-stroke-bye/wildcards/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/wildcards/posttest.dat
rename to testing/tests/ikev2-stroke-bye/wildcards/posttest.dat
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2-stroke-bye/wildcards/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/wildcards/pretest.dat
rename to testing/tests/ikev2-stroke-bye/wildcards/pretest.dat
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2-stroke-bye/wildcards/test.conf
similarity index 100%
rename from testing/tests/ikev1/multi-level-ca-cr-init/test.conf
rename to testing/tests/ikev2-stroke-bye/wildcards/test.conf
diff --git a/testing/tests/ikev2-stroke/.gitignore b/testing/tests/ikev2-stroke/.gitignore
new file mode 100644
index 0000000000..f8443fea46
--- /dev/null
+++ b/testing/tests/ikev2-stroke/.gitignore
@@ -0,0 +1,4 @@
+*.crl
+*.der
+*.p12
+*.pem
diff --git a/testing/tests/ikev2/config-payload-swapped/description.txt b/testing/tests/ikev2-stroke/config-payload-swapped/description.txt
similarity index 100%
rename from testing/tests/ikev2/config-payload-swapped/description.txt
rename to testing/tests/ikev2-stroke/config-payload-swapped/description.txt
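Review bot: The new testing/tests/ikev2-stroke/.gitignore keeps generated credential material (`*.pem`, `*.p12`, `*.der`, `*.crl`) out of the tree, which is the right default for a directory where keys and certificates are produced at test time. The ikev2-stroke-bye tree created by the same commit gets no equivalent .gitignore anywhere in this chunk; unless one is added elsewhere in the commit, the same four patterns should be added there so that a test run in that directory cannot leave private keys in a position to be committed by mistake.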
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/evaltest.dat similarity index 100% rename from testing/tests/ikev2/config-payload-swapped/evaltest.dat rename to testing/tests/ikev2-stroke/config-payload-swapped/evaltest.dat diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf 
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload-swapped/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat b/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat
new file mode 100644
index 0000000000..bdbe341dd3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload-swapped/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2-stroke/config-payload-swapped/test.conf
similarity index 100%
rename from testing/tests/ikev2/rw-whitelist/test.conf
rename to testing/tests/ikev2-stroke/config-payload-swapped/test.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/description.txt b/testing/tests/ikev2-stroke/config-payload/description.txt
new file mode 100644
index 0000000000..d0a1f02cde
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload by using the leftsourceip=%config parameter.
+moon explicitly assigns a specific virtual IP to each of the two clients.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, carol and dave then ping the client alice behind the gateway
+moon. The source IP addresses of the two pings will be the virtual IPs 10.3.0.1
+and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev2-stroke/config-payload/evaltest.dat b/testing/tests/ikev2-stroke/config-payload/evaltest.dat
new file mode 100644
index 0000000000..9471f88464
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
similarity index 92%
rename from testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
index af5fa19ef1..0fbefa3fc2 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..729db45267
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..b8817fe134
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev2-stroke/config-payload/posttest.dat b/testing/tests/ikev2-stroke/config-payload/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/config-payload/pretest.dat b/testing/tests/ikev2-stroke/config-payload/pretest.dat
new file mode 100644
index 0000000000..bdbe341dd3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/config-payload/pretest.dat
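Review bot: The new moon strongswan.conf for config-payload places `dns1 = PH_IP_WINNETOU` and `dns2 = PH_IP_VENUS` directly in the `charon` section next to the `attr` plugin. If I recall the attr plugin correctly, `charon.dnsN` is its legacy key form (logged as a legacy entry at load time), and the documented way to push DNS servers is a `plugins { attr { … } }` section with `dns = PH_IP_WINNETOU, PH_IP_VENUS`. Since the config-payload evaltest relies on both nameservers reaching carol's resolv.conf, it is worth confirming the legacy keys are still honored by the charon build under test, or switching to the plugin-scoped form so the test does not depend on backward-compatibility code.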
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2-stroke/config-payload/test.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/test.conf
rename to testing/tests/ikev2-stroke/config-payload/test.conf
diff --git a/testing/tests/ikev2-stroke/host2host-cert/description.txt b/testing/tests/ikev2-stroke/host2host-cert/description.txt
new file mode 100644
index 0000000000..876aa79808
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the hosts moon and sun is successfully set up.
+The authentication is based on X.509 certificates.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel moon pings sun.
diff --git a/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat b/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat
new file mode 100644
index 0000000000..e0c40ba4dc
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/evaltest.dat
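Review bot: The config-payload pretest waits only for `moon::expect-connection rw-carol` before carol and dave bring their tunnels up, while the config-payload evaltest expects a separate `rw-dave` connection on moon to reach ESTABLISHED. If `rw-dave` is defined after `rw-carol` in moon's ipsec.conf (renamed in unchanged, so not visible here), dave's `ipsec up home` can race the stroke config load and produce a spurious failure. Adding `moon::expect-connection rw-dave` right after the rw-carol line closes that window. The same pretest blob (bdbe341dd3) is reused by config-payload-swapped and would want the same line.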
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/host2host-cert/posttest.dat b/testing/tests/ikev2-stroke/host2host-cert/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-cert/pretest.dat b/testing/tests/ikev2-stroke/host2host-cert/pretest.dat
new file mode 100644
index 0000000000..36a8423217
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/ikev2-stroke/host2host-cert/test.conf
old mode 100755
new mode 100644
similarity index 90%
rename from testing/tests/swanctl/host2host-cert/test.conf
rename to testing/tests/ikev2-stroke/host2host-cert/test.conf
index 52d886dcce..55d6e9fd6a
--- a/testing/tests/swanctl/host2host-cert/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-cert/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="moon winnetou sun"
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-swapped/description.txt b/testing/tests/ikev2-stroke/host2host-swapped/description.txt
similarity index 100%
rename from testing/tests/ikev2/host2host-swapped/description.txt
rename to testing/tests/ikev2-stroke/host2host-swapped/description.txt
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat b/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat
new file mode 100644
index 0000000000..e0c40ba4dc
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat b/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat b/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat
new file mode 100644
index 0000000000..36a8423217
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-swapped/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2-stroke/host2host-swapped/test.conf
similarity index 78%
rename from testing/tests/ikev2/multi-level-ca-revoked/test.conf
rename to testing/tests/ikev2-stroke/host2host-swapped/test.conf
index 892f51cd93..55d6e9fd6a 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-swapped/test.conf
@@ -5,17 +5,17 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="moon carol winnetou"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
-
+DIAGRAM="m-w-s.png"
+
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2-stroke/host2host-transport/description.txt b/testing/tests/ikev2-stroke/host2host-transport/description.txt
new file mode 100644
index 0000000000..fe3482c96f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec transport-mode connection between the hosts moon and sun is
+successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+moon pings sun.
diff --git a/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat b/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat
new file mode 100644
index 0000000000..98251d12a3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/host2host-transport/posttest.dat b/testing/tests/ikev2-stroke/host2host-transport/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/host2host-transport/pretest.dat b/testing/tests/ikev2-stroke/host2host-transport/pretest.dat
new file mode 100644
index 0000000000..36a8423217
--- /dev/null
+++ b/testing/tests/ikev2-stroke/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/test.conf b/testing/tests/ikev2-stroke/host2host-transport/test.conf
similarity index 78%
rename from testing/tests/ikev2/multi-level-ca-skipped/test.conf
rename to testing/tests/ikev2-stroke/host2host-transport/test.conf
index 892f51cd93..5a286c84fe 100644
--- a/testing/tests/ikev2/multi-level-ca-skipped/test.conf
+++ b/testing/tests/ikev2-stroke/host2host-transport/test.conf
@@ -5,17 +5,17 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="moon carol winnetou"
-
+VIRTHOSTS="moon winnetou sun"
+
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="m-w-s.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/description.txt b/testing/tests/ikev2-stroke/ip-pool-db/description.txt
new file mode 100644
index 0000000000..739134460c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload by using the leftsourceip=%config parameter. moon assigns virtual IP
+addresses from a pool named bigpool that was created in an SQL database by the command
+ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, carol and dave then ping the client alice behind the gateway
+moon. The source IP addresses of the two pings will be the virtual IPs 10.3.0.1
+and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat b/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat
new file mode 100644
index 0000000000..925e9a12f8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/evaltest.dat
@@ -0,0 +1,38 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..0fbefa3fc2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..729db45267
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..c22405914f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat b/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat
new file mode 100644
index 0000000000..37436a3d9f
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat b/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat
new file mode 100644
index 0000000000..c422045925
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/pretest.dat
@@ -0,0 +1,17 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/ip-pool-db/test.conf b/testing/tests/ikev2-stroke/ip-pool-db/test.conf
new file mode 100644
index 0000000000..31820ea1a6
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool-db/test.conf
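Review bot: The ip-pool-db pretest creates the pool with `moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null`, whereas the new description.txt for this test documents the command as `ipsec pool --name bigpool …`; one of the two should be corrected so the documentation matches what the harness actually runs. The four `ipsec pool` setup lines also discard stderr, so a failure to populate the SQLite database is only caught indirectly later by the `ipsec pool --status` checks in evaltest. On style, the two `cat` lines that copy the schema and pipe it into sqlite3 can be a single `moon::sqlite3 /etc/db.d/ipsec.db < /usr/local/share/strongswan/templates/database/sql/sqlite.sql`, which also avoids leaving `/etc/db.d/ipsec.sql` behind, since the posttest removes the pools but neither that copy nor the database file.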
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/swanctl/rw-dnssec/description.txt b/testing/tests/ikev2-stroke/ip-pool/description.txt
similarity index 55%
rename from testing/tests/swanctl/rw-dnssec/description.txt
rename to testing/tests/ikev2-stroke/ip-pool/description.txt
index 0135f078c6..6dbf1b2605 100644
--- a/testing/tests/swanctl/rw-dnssec/description.txt
+++ b/testing/tests/ikev2-stroke/ip-pool/description.txt
@@ -1,10 +1,11 @@
 The roadwarriors carol and dave set up a connection each to gateway moon.
-The authentication is based on trustworthy public keys stored as IPSECKEY
-resource records in the Domain Name System (DNS) and protected by DNSSEC.
-
 Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. leftfirewall=yes automatically
+by using the leftsourceip=%config parameter. moon assigns virtual IP addresses
+from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
+increasing order.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
 tunnels, carol and dave then ping the client alice behind the gateway
-moon. The source IP addresses of the two pings will be the virtual IPs carol1
-and dave1, respectively.
+moon. The source IP addresses of the two pings will be the virtual IPs 10.3.0.1
+and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev2-stroke/ip-pool/evaltest.dat b/testing/tests/ikev2-stroke/ip-pool/evaltest.dat
new file mode 100644
index 0000000000..7de59030c7
--- /dev/null
+++ b/testing/tests/ikev2-stroke/ip-pool/evaltest.dat
@@ -0,0 +1,30 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > 
alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/ipsec.conf 
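Review bot: The two `rw[{]1}`/`rw[{]2}` CHILD_SA checks on moon end in `::ESP`, while every other line of this evaltest.dat ends in `::YES` or would end in `::NO`. The fourth field is the expected match result, and a value that is neither YES nor NO most likely makes the evaluator treat the line as neither a required hit nor a required miss, so the gateway-side "INSTALLED, TUNNEL" assertions would never fail even if no CHILD_SA were installed. Change both lines to `moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES` and the matching `rw[{]2}` form, which is also how the ikev2-stroke/ip-two-pools evaltest in this commit writes them.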
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2-stroke/ip-pool/posttest.dat b/testing/tests/ikev2-stroke/ip-pool/posttest.dat new file mode 100644 index 0000000000..b757d8b152 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-pool/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2-stroke/ip-pool/pretest.dat similarity index 100% rename from testing/tests/ikev2/virtual-ip/pretest.dat rename to testing/tests/ikev2-stroke/ip-pool/pretest.dat diff --git a/testing/tests/swanctl/rw-dnssec/test.conf b/testing/tests/ikev2-stroke/ip-pool/test.conf similarity index 91% rename from testing/tests/swanctl/rw-dnssec/test.conf rename to testing/tests/ikev2-stroke/ip-pool/test.conf index a542d037ed..164b07ff97 100644 --- a/testing/tests/swanctl/rw-dnssec/test.conf +++ b/testing/tests/ikev2-stroke/ip-pool/test.conf @@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/ikev2-stroke/ip-two-pools-db/description.txt old mode 100755 new mode 100644 similarity index 53% rename from testing/tests/swanctl/ip-two-pools-db/description.txt rename to testing/tests/ikev2-stroke/ip-two-pools-db/description.txt index 4bad7b1b72..188b4349e2 --- a/testing/tests/swanctl/ip-two-pools-db/description.txt +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/description.txt 
@@ -1,14 +1,14 @@ The hosts alice, venus, carol, and dave set up tunnel connections -to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP -from gateway moon which assigns virtual IP addresses from a pool named extpool -[10.3.0.1..10.3.1.244] to hosts connecting to the eth0 (PH_IP_MOON) interface and virtual -IP addresses from a pool named intpool [10.4.0.1..10.4.1.244] to hosts connecting to -the eth1 (PH_IP_MOON1) interface. +to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP +with the leftsourceip=%config parameter. Gateway moon assigns virtual +IP addresses from a pool named extpool [10.3.0.1..10.3.1.244] to hosts connecting +to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a pool named intpool +[10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface. Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1, respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2, respectively. --By defining the composite traffic selector 10.3.0.0/16,10.4.0.0/16, each of the four +
+By defining the composite IPsec SA: rightsubnet=10.3.0.0/16,10.4.0.0/16, each of the four spokes can securely reach any other spoke via the central hub moon. This is demonstrated by alice and dave pinging the assigned virtual IP addresses of carol and venus. diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat new file mode 100644 index 0000000000..cf7ce20f98 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/evaltest.dat 
@@ -0,0 +1,43 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. 
TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > 
dave.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES +venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf new file mode 100644 index 0000000000..729db45267 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..f0b74a7431 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf 
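Review bot: The `ext[{]1}` and `ext[{]2}` CHILD_SA checks on moon are written as `INSTALLED. TUNNEL`, while the `int[{]3}`/`int[{]4}` lines directly below and the roadwarrior lines use the literal `INSTALLED, TUNNEL`. The unescaped `.` is a regex wildcard, so the check still matches, but it is looser than intended and reads like a typo; use `INSTALLED, TUNNEL` on all four gateway lines. The file also ends with an empty `+` line, which the posttest.dat hunk of this same test removes from its own file — drop it here as well.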
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 0000000000..729db45267 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..1664d55aa3 --- /dev/null 
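Review bot: carol's `load` list is the only one in this test that includes the `md5` plugin; alice, dave and venus load the identical set without it, and nothing in the hunk says what requires it. If it is needed for a legacy artefact of carol's test credentials (for instance an MD5-based key-derivation or signature on her key or certificate), record that with a comment such as `# md5: required for carol's legacy test credentials only` so the entry is not copied into other configurations; if nothing needs it, drop it so the client does not load an MD5 hasher at all. The same list recurs in the ikev2-stroke/ip-two-pools configuration for carol in this commit.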
+++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown + + plugins { + attr-sql { + database = sqlite:///etc/db.d/ipsec.db + } + } +} + +pool { + load = sqlite +} diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf new file mode 100644 index 0000000000..729db45267 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat old mode 100755 new mode 100644 similarity index 81% rename from testing/tests/swanctl/ip-two-pools-db/posttest.dat rename to testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat index 526a1321b0..dd4abebadf --- a/testing/tests/swanctl/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/posttest.dat 
@@ -1,13 +1,13 @@ -carol::systemctl stop strongswan -dave::systemctl stop strongswan -alice::systemctl stop strongswan -venus::systemctl stop strongswan -moon::systemctl stop strongswan +alice::ipsec stop +venus::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -alice::iptables-restore < /etc/iptables.flush -venus::iptables-restore < /etc/iptables.flush moon::ip route del 10.3.0.0/16 via PH_IP_MOON moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 moon::ipsec pool --del extpool 2> /dev/null @@ -15,4 +15,3 @@ moon::ipsec pool --del intpool 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null - diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat old mode 100755 new mode 100644 similarity index 75% rename from testing/tests/swanctl/ip-two-pools-db/pretest.dat rename to testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat index bddc456c01..927de7d812 --- a/testing/tests/swanctl/ip-two-pools-db/pretest.dat +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/pretest.dat 
@@ -8,23 +8,23 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu moon::ipsec pool --statusattr 2> /dev/null moon::ip route add 10.3.0.0/16 via PH_IP_MOON moon::ip route add 10.4.0.0/16 via PH_IP_MOON1 +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::iptables-restore < /etc/iptables.rules -venus::iptables-restore < /etc/iptables.rules -moon::systemctl start strongswan -carol::systemctl start strongswan -dave::systemctl start strongswan -alice::systemctl start strongswan -venus::systemctl start strongswan +moon::ipsec start +alice::ipsec start +venus::ipsec start +carol::ipsec start +dave::ipsec start moon::expect-connection int moon::expect-connection ext carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null +carol::ipsec up home dave::expect-connection home -dave::swanctl --initiate --child home 2> /dev/null +dave::ipsec up home alice::expect-connection home -alice::swanctl --initiate --child home 2> /dev/null +alice::ipsec up home venus::expect-connection home -venus::swanctl --initiate --child home 2> /dev/null +venus::ipsec up home diff --git a/testing/tests/swanctl/ip-two-pools-db/test.conf b/testing/tests/ikev2-stroke/ip-two-pools-db/test.conf old mode 100755 new mode 100644 similarity index 92% rename from testing/tests/swanctl/ip-two-pools-db/test.conf rename to testing/tests/ikev2-stroke/ip-two-pools-db/test.conf index 9394e0289a..167c75d9dc --- a/testing/tests/swanctl/ip-two-pools-db/test.conf +++ b/testing/tests/ikev2-stroke/ip-two-pools-db/test.conf @@ -23,7 +23,3 @@ IPSECHOSTS="alice venus moon carol dave" # Guest instances on which databases are used # DBHOSTS="moon" - -# charon controlled by swanctl -# -SWANCTL=1 
diff --git a/testing/tests/ikev2-stroke/ip-two-pools/description.txt b/testing/tests/ikev2-stroke/ip-two-pools/description.txt new file mode 100644 index 0000000000..45b84f135d --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/description.txt @@ -0,0 +1,9 @@ +The hosts alice and carol set up a tunnel connection each to gateway moon. +Both hosts request a virtual IP via the IKEv2 configuration payload by using the +leftsourceip=%config parameter. Gateway moon assigns virtual IP +addresses from a simple pool defined by rightsourceip=10.3.0.0/28 to hosts connecting +to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined +by rightsourceip=10.4.0.0/28 to hosts connecting to the eth1 (PH_IP_MOON1) interface. +
+Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and +both ping the gateway moon. diff --git a/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat b/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat new file mode 100644 index 0000000000..b620538d5f --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/evaltest.dat 
@@ -0,0 +1,22 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/ipsec.conf diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..952df5e67a --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf similarity index 89% rename from testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf index 14cd6e43c6..93f4345989 100644 --- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -2,5 +2,4 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - fragment_size = 1024 } diff --git a/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat b/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat new file mode 100644 index 0000000000..e4b0436960 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/posttest.dat @@ -0,0 +1,6 @@ +alice::ipsec stop +carol::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat b/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat new file mode 100644 index 0000000000..8fb8dfb24a --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/pretest.dat 
@@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +alice::ipsec start +moon::expect-connection int +moon::expect-connection ext +carol::expect-connection home +carol::ipsec up home +alice::expect-connection home +alice::ipsec up home diff --git a/testing/tests/ikev2-stroke/ip-two-pools/test.conf b/testing/tests/ikev2-stroke/ip-two-pools/test.conf new file mode 100644 index 0000000000..1ed3473ab0 --- /dev/null +++ b/testing/tests/ikev2-stroke/ip-two-pools/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice carol" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice moon carol" diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/ikev2-stroke/nat-rw-psk/description.txt similarity index 58% rename from testing/tests/swanctl/nat-rw-psk/description.txt rename to testing/tests/ikev2-stroke/nat-rw-psk/description.txt index 7754c7f395..c92573d72d 100644 --- a/testing/tests/swanctl/nat-rw-psk/description.txt +++ b/testing/tests/ikev2-stroke/nat-rw-psk/description.txt @@ -2,7 +2,6 @@ The roadwarriors alice and venus sitting behind the NAT router tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun.
-Upon the successful establishment of the IPsec tunnels, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test the tunnel, the NAT-ed hosts alice and venus
-ping the client bob behind the gateway sun.
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel,
+the NAT-ed hosts alice and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat
new file mode 100644
index 0000000000..fbcb631ff0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
+sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.conf
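Review bot: Nothing in the new nat-rw-psk evaltest.dat verifies that the IKE_SAs were authenticated with the pre-shared keys the test is about; the `\[PH_IP_ALICE\]`/`\[PH_IP_VENUS\]` identity checks and the `ESP in UDP` checks only establish that a tunnel with those identities came up, not how it was authenticated. Consider adding one log check per roadwarrior on sun, e.g. `sun:: cat /var/log/daemon.log::authentication of.*PH_IP_ALICE.*with pre-shared key successful::YES` (matched against the exact wording charon logs), so a silent fall-back to another authentication method cannot pass. Separately, the venus status line uses `INSTALLED. TUNNEL` where the alice and sun lines use `INSTALLED, TUNNEL`; the `.` is a regex wildcard and should be the literal comma.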
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 0000000000..f6cb39c781 --- /dev/null +++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/ipsec.secrets diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 0000000000..f6cb39c781 --- /dev/null 
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.conf diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf new file mode 100644 index 0000000000..f6cb39c781 --- /dev/null +++ b/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat similarity index 62% rename from testing/tests/swanctl/nat-rw/posttest.dat rename to testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat index 5f390cd62c..bc7d237710 100644 --- a/testing/tests/swanctl/nat-rw/posttest.dat +++ b/testing/tests/ikev2-stroke/nat-rw-psk/posttest.dat 
@@ -1,6 +1,6 @@
-sun::systemctl stop strongswan
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
 alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat
similarity index 57%
rename from testing/tests/swanctl/nat-rw-psk/pretest.dat
rename to testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat
index 105c42fa52..1798d27b5a 100644
--- a/testing/tests/swanctl/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/pretest.dat
@@ -1,16 +1,16 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
-venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
-sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
 sun::expect-connection nat-t
 alice::expect-connection nat-t
-alice::swanctl --initiate --child nat-t
+alice::ipsec up nat-t
 venus::expect-connection nat-t
-venus::swanctl --initiate --child nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/ikev2-stroke/nat-rw-psk/test.conf
similarity index 91%
rename from testing/tests/swanctl/nat-rw/test.conf
rename to testing/tests/ikev2-stroke/nat-rw-psk/test.conf
index ecc95b8375..f515d4bc73 100644
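Review bot: The three added `rm /etc/ipsec.d/cacerts/*` lines in the nat-rw-psk pretest clear only the CA certificates, whereas the `cd /etc/swanctl; rm x509ca/* x509/* rsa/*` lines they replace also wiped the host certificates and private keys on alice, venus and sun. The `load` line in the new nat-rw-psk strongswan.conf files omits the x509 and revocation plugins, so the leftover material presumably cannot be used, but the "PSK only" guarantee then rests on that plugin list rather than on the pretest itself. If the intent is to rule out any certificate-based fallback regardless of the plugin set, consider also clearing `/etc/ipsec.d/certs/*` and `/etc/ipsec.d/private/*` on the three hosts, for example `alice::rm /etc/ipsec.d/cacerts/* /etc/ipsec.d/certs/* /etc/ipsec.d/private/*`.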
--- a/testing/tests/swanctl/nat-rw/test.conf
+++ b/testing/tests/ikev2-stroke/nat-rw-psk/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/ikev2-stroke/nat-rw/description.txt
similarity index 55%
rename from testing/tests/swanctl/nat-rw/description.txt
rename to testing/tests/ikev2-stroke/nat-rw/description.txt
index 1ee91b74dd..e657389c93 100644
--- a/testing/tests/swanctl/nat-rw/description.txt
+++ b/testing/tests/ikev2-stroke/nat-rw/description.txt
@@ -2,7 +2,6 @@ The roadwarriors alice and venus sitting behind the NAT router tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Authentication is based on X.509 certificates.
-Upon the successful establishment of the IPsec tunnels, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test the tunnel, the NAT-ed hosts alice and venus
-ping the client bob behind the gateway sun.
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel,
+the NAT-ed hosts alice and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2-stroke/nat-rw/evaltest.dat b/testing/tests/ikev2-stroke/nat-rw/evaltest.dat
new file mode 100644
index 0000000000..2d265b0d13
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/ipsec.conf
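Review bot: The `moon:: sleep 6::no output expected::NO` line together with the `isakmp-nat-keep-alive` tcpdump match and the two `sending keep alive` log checks only hold because the alice and venus strongswan.conf hunks later in this commit set `keep_alive = 5`; nothing in either file records that the 6 s window must exceed the keep-alive interval, so a later tuning of one value breaks the test without an obvious cause. A comment next to the setting in both strongswan.conf files, `# keep below the 6 s sleep in evaltest.dat so at least one NAT keep-alive is captured`, would make the coupling visible. The same applies to the venus strongswan.conf hunk that follows.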
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
similarity index 89%
rename from testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
index 55a6df151f..9d07c88e40 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,6 @@
 charon {
 load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
+
+ keep_alive = 5
 }
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
similarity index 89%
rename from testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
index 14cd6e43c6..93f4345989 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,4 @@
 charon {
 load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- fragment_size = 1024
 }
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 0000000000..9d07c88e40
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/ikev2-stroke/nat-rw/posttest.dat b/testing/tests/ikev2-stroke/nat-rw/posttest.dat
new file mode 100644
index 0000000000..bc7d237710
--- /dev/null
+++ b/testing/tests/ikev2-stroke/nat-rw/posttest.dat
@@ -0,0 +1,7 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2-stroke/nat-rw/pretest.dat
similarity index 63%
rename from testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat
rename to testing/tests/ikev2-stroke/nat-rw/pretest.dat
index 928a954a87..36d23b5704 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/ikev2-stroke/nat-rw/pretest.dat
@@ -1,11 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::systemctl start strongswan
-alice::systemctl start strongswan
-venus::systemctl start strongswan
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
 sun::expect-connection nat-t
 alice::expect-connection nat-t
+alice::ipsec up nat-t
 venus::expect-connection nat-t
-alice::swanctl --initiate --child nat-t 2> /dev/null
-venus::swanctl --initiate --child nat-t 2> /dev/null
+venus::ipsec up nat-t
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2-stroke/nat-rw/test.conf
similarity index 86%
rename from testing/tests/swanctl/shunt-policies-nat-rw/test.conf
rename to testing/tests/ikev2-stroke/nat-rw/test.conf
index 34b0ba1655..f515d4bc73 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/ikev2-stroke/nat-rw/test.conf
@@ -13,13 +13,9 @@ DIAGRAM="a-v-m-w-s-b.png"
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="alice moon"
+TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-cert/description.txt b/testing/tests/ikev2-stroke/net2net-cert/description.txt
old mode 100755
new mode 100644
similarity index 66%
rename from testing/tests/swanctl/net2net-cert/description.txt
rename to testing/tests/ikev2-stroke/net2net-cert/description.txt
index 345769a5f4..1617634147
--- a/testing/tests/swanctl/net2net-cert/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-cert/description.txt
@@ -1,6 +1,7 @@
 A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates. Upon the successful
-establishment of the IPsec tunnel, the updown script automatically
+The authentication is based on X.509 certificates.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat b/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat
new file mode 100644
index 0000000000..fe4aa5ab10
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..2cb7f03e01
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ signature_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..2cb7f03e01
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ signature_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat b/testing/tests/ikev2-stroke/net2net-cert/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
rename to testing/tests/ikev2-stroke/net2net-cert/posttest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2-stroke/net2net-cert/pretest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-cert/pretest.dat
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2-stroke/net2net-cert/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-bandwidth/test.conf
rename to testing/tests/ikev2-stroke/net2net-cert/test.conf
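Review bot: `signature_authentication = no` in the new moon strongswan.conf, and identically in the sun strongswan.conf hunk on the same line, disables RFC 7427 signature authentication, so both gateways fall back to the classic IKEv2 RSA signature method, which is defined with RSASSA-PKCS1-v1_5 over SHA-1. Presumably the net2net-cert test is meant to keep that legacy path covered, but neither file nor the description.txt hunk earlier in this commit says so, and the certificate-based test directories are the ones most likely to be copied as templates. A one-line comment above the setting, `# use classic IKEv2 RSA signatures rather than RFC 7427 signature authentication; this test covers the legacy path`, would document the intent; if the intent is instead plain certificate authentication with the default scheme, dropping the line achieves that.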
diff --git a/testing/tests/ikev2/net2net-fragmentation/description.txt b/testing/tests/ikev2-stroke/net2net-psk/description.txt
similarity index 66%
rename from testing/tests/ikev2/net2net-fragmentation/description.txt
rename to testing/tests/ikev2-stroke/net2net-psk/description.txt
index 1f63c96382..07320d7313 100644
--- a/testing/tests/ikev2/net2net-fragmentation/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-psk/description.txt
@@ -1,7 +1,5 @@
 A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates. The IKEv2 fragmentation protocol
-defined in RFC 7383 prevents the IP fragmentation of the IKEv2 messages carrying the
-large X.509 certificates.
+The authentication is based on Preshared Keys (PSK).
 Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat b/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat
new file mode 100644
index 0000000000..fe4aa5ab10
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..1188d686d9
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..1188d686d9
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-psk/posttest.dat b/testing/tests/ikev2-stroke/net2net-psk/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-psk/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-rekey/pretest.dat b/testing/tests/ikev2-stroke/net2net-psk/pretest.dat
similarity index 76%
rename from testing/tests/ikev2/net2net-rekey/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-psk/pretest.dat
index bcc2cb04d8..c7e2c61623 100644
--- a/testing/tests/ikev2/net2net-rekey/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-psk/pretest.dat
@@ -1,5 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
 sun::ipsec start
 moon::ipsec start
 sun::expect-connection net-net
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2-stroke/net2net-psk/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/test.conf
rename to testing/tests/ikev2-stroke/net2net-psk/test.conf
diff --git a/testing/tests/swanctl/net2net-route/description.txt b/testing/tests/ikev2-stroke/net2net-route/description.txt
old mode 100755
new mode 100644
similarity index 86%
rename from testing/tests/swanctl/net2net-route/description.txt
rename to testing/tests/ikev2-stroke/net2net-route/description.txt
index 20640ef85a..323f09555a
--- a/testing/tests/swanctl/net2net-route/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-route/description.txt
@@ -5,5 +5,5 @@ A subsequent ping issued by client alice behind gateway moon to bob located behind gateway sun triggers the %trap eroute and leads to the automatic establishment of the subnet-to-subnet tunnel.
-The updown script automatically inserts iptables-based firewall rules
+leftfirewall=yes automatically inserts iptables-based firewall rules
 that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-route/evaltest.dat b/testing/tests/ikev2-stroke/net2net-route/evaltest.dat
new file mode 100644
index 0000000000..3b247fd6c5
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-route/posttest.dat b/testing/tests/ikev2-stroke/net2net-route/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2-stroke/net2net-route/pretest.dat
similarity index 82%
rename from testing/tests/ikev2/net2net-ntru-cert/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-route/pretest.dat
index bcc2cb04d8..57dc45f996 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-route/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
 moon::ipsec start
-sun::expect-connection net-net
+sun::ipsec start
 moon::expect-connection net-net
-moon::ipsec up net-net
+sun::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-ntru-cert/test.conf b/testing/tests/ikev2-stroke/net2net-route/test.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-ntru-cert/test.conf
rename to testing/tests/ikev2-stroke/net2net-route/test.conf
diff --git a/testing/tests/ikev2/net2net-rsa/.gitignore b/testing/tests/ikev2-stroke/net2net-rsa/.gitignore
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/.gitignore
rename to testing/tests/ikev2-stroke/net2net-rsa/.gitignore
diff --git a/testing/tests/ikev2/net2net-rsa/description.txt b/testing/tests/ikev2-stroke/net2net-rsa/description.txt
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/description.txt
rename to testing/tests/ikev2-stroke/net2net-rsa/description.txt
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2-stroke/net2net-rsa/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/evaltest.dat
rename to testing/tests/ikev2-stroke/net2net-rsa/evaltest.dat
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf.in b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.conf.in
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf.in
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.conf.in
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf.in b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.conf.in
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf.in
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.conf.in
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2-stroke/net2net-rsa/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/net2net-rsa/posttest.dat
rename to testing/tests/ikev2-stroke/net2net-rsa/posttest.dat
diff --git a/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat b/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat
new file mode 100644
index 0000000000..c7e2c61623
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-pubkey/test.conf b/testing/tests/ikev2-stroke/net2net-rsa/test.conf
similarity index 90%
rename from testing/tests/swanctl/net2net-pubkey/test.conf
rename to testing/tests/ikev2-stroke/net2net-rsa/test.conf
index 07a3b247a1..afa2accbec 100644
--- a/testing/tests/swanctl/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2-stroke/net2net-rsa/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-start/description.txt b/testing/tests/ikev2-stroke/net2net-start/description.txt
old mode 100755
new mode 100644
similarity index 68%
rename from testing/tests/swanctl/net2net-start/description.txt
rename to testing/tests/ikev2-stroke/net2net-start/description.txt
index 9c67ed6051..f5320685eb
--- a/testing/tests/swanctl/net2net-start/description.txt
+++ b/testing/tests/ikev2-stroke/net2net-start/description.txt
@@ -2,5 +2,7 @@ A tunnel connecting the subnets behind the gateways moon and sun, respectively, is automatically established by means of the setting auto=start in ipsec.conf. The connection is tested by client alice behind gateway moon pinging the client bob located behind
-gateway sun. The updown script automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic.
+gateway sun.
+
+leftfirewall=yes automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2-stroke/net2net-start/evaltest.dat b/testing/tests/ikev2-stroke/net2net-start/evaltest.dat
new file mode 100644
index 0000000000..5c4aa85f88
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..8d89cd0bb3
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2-stroke/net2net-start/posttest.dat b/testing/tests/ikev2-stroke/net2net-start/posttest.dat
new file mode 100644
index 0000000000..1f7aa73a15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/net2net-start/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/ikev2-stroke/net2net-start/pretest.dat
old mode 100755
new mode 100644
similarity index 52%
rename from testing/tests/swanctl/net2net-start/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-start/pretest.dat
index 77a8e1a567..b3f3710416
--- a/testing/tests/swanctl/net2net-start/pretest.dat
+++ b/testing/tests/ikev2-stroke/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-sun::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-moon::sleep 0.5
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+moon::sleep 1
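Review bot: In the net2net-start pretest hunk, `+moon::sleep 1` after `+moon::ipsec start` is the only synchronisation before evaltest runs, and `+sun::ipsec start` is not followed by an `expect-connection` line the way the other pretest files in this commit do it (net2net-rsa, for example, has `sun::expect-connection net-net` right after the starts). With `auto=start` moon initiates as soon as its own connection is loaded, so if sun has not finished loading net-net by then the first attempt may fail and the result depends on a retry completing inside the one-second window. Inserting `sun::expect-connection net-net` between `+sun::ipsec start` and `+moon::ipsec start` removes that race; the sleep can stay to give moon's initiation time to finish before the status checks.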
diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/ikev2-stroke/net2net-start/test.conf
old mode 100755
new mode 100644
similarity index 90%
rename from testing/tests/swanctl/net2net-psk/test.conf
rename to testing/tests/ikev2-stroke/net2net-start/test.conf
index 07a3b247a1..646b8b3e64
--- a/testing/tests/swanctl/net2net-psk/test.conf
+++ b/testing/tests/ikev2-stroke/net2net-start/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/protoport-dual/description.txt b/testing/tests/ikev2-stroke/protoport-dual/description.txt
new file mode 100644
index 0000000000..7bed8b9590
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/description.txt
@@ -0,0 +1,6 @@
+Using the left|rightprotoport selectors, two IPsec tunnels
+between the roadwarrior carol and the gateway moon are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by carol by first pinging alice behind moon and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat b/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat
new file mode 100644
index 0000000000..7d367e3c15
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..93f4345989
--- /dev/null
+++ b/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
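Review bot: This evaltest only asserts positive outcomes — both SAs INSTALLED and ESP seen in each direction on moon — so it would still pass if the ping or the SSH session left carol in cleartext while some other packets produced the ESP that tcpdump matched; for a test whose whole purpose is protocol/port selectors, that is the failure mode worth catching. If the evaltest format accepts negated expectations, add lines after the two ESP checks such as `moon::tcpdump::IP carol.strongswan.org > alice.strongswan.org: ICMP::NO` and `moon::tcpdump::IP carol.strongswan.org.* > alice.strongswan.org.ssh::NO`. The ping to PH_IP_MOON1 has no selector-related assertion either; if moon's inner address is meant to fall inside the ICMP selector, a sentence saying so in description.txt would make its intent clear.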
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev2-stroke/protoport-dual/posttest.dat similarity index 100% rename from testing/tests/ikev1/esp-alg-null/posttest.dat rename to testing/tests/ikev2-stroke/protoport-dual/posttest.dat diff --git a/testing/tests/ikev2-stroke/protoport-dual/pretest.dat b/testing/tests/ikev2-stroke/protoport-dual/pretest.dat new file mode 100644 index 0000000000..02f4aa82be --- /dev/null +++ b/testing/tests/ikev2-stroke/protoport-dual/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +moon::expect-connection rw-icmp +moon::expect-connection rw-ssh +carol::expect-connection home-icmp +carol::expect-connection home-ssh +carol::ipsec up home-icmp +carol::ipsec up home-ssh diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2-stroke/protoport-dual/test.conf similarity index 100% rename from testing/tests/ikev1/esp-alg-aes-gmac/test.conf rename to testing/tests/ikev2-stroke/protoport-dual/test.conf diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/ikev2-stroke/rw-cert/description.txt old mode 100755 new mode 100644 similarity index 80% rename from testing/tests/swanctl/rw-cert/description.txt rename to testing/tests/ikev2-stroke/rw-cert/description.txt index f190c07527..15b3822b5c --- a/testing/tests/swanctl/rw-cert/description.txt +++ b/testing/tests/ikev2-stroke/rw-cert/description.txt @@ -1,7 +1,6 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -
-Upon the successful establishment of the IPsec tunnels, the updown script +Upon the successful establishment of the IPsec tunnels, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/ikev2-stroke/rw-cert/evaltest.dat b/testing/tests/ikev2-stroke/rw-cert/evaltest.dat new file mode 100644 index 0000000000..849d59a4e3 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-cert/evaltest.dat @@ -0,0 +1,14 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/ipsec.conf 
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..a205dc0aa6
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..a205dc0aa6
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8ecdb7183a
--- /dev/null
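Review bot: carol's load line pulls in the legacy `des` and `md5` plugins and the experimental `ntru`/`newhope` ones, but unlike moon this host runs no crypto self-test, so on the client those algorithms are only exposed for negotiation (bounded by whatever `ike=`/`esp=` the renamed ipsec.conf sets, which this diff does not show). The other client configs in this series, e.g. rw-eap-aka-rsa, keep the list to what the test needs; if the proposals in ipsec.conf do not depend on these plugins, trim the line to `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown`, otherwise add a comment such as `# wide plugin set on purpose: mirrors moon so every proposal it self-tests can be offered` so the list is not copied as a recommended set. dave's file is the same blob (index a205dc0aa6), so the same applies there.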
+++ b/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-cert/posttest.dat b/testing/tests/ikev2-stroke/rw-cert/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-cert/pretest.dat b/testing/tests/ikev2-stroke/rw-cert/pretest.dat
new file mode 100644
index 0000000000..e87a8ee479
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-cert/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-newhope-bliss/test.conf b/testing/tests/ikev2-stroke/rw-cert/test.conf
old mode 100755
new mode 100644
similarity index 91%
rename from testing/tests/swanctl/rw-newhope-bliss/test.conf
rename to testing/tests/ikev2-stroke/rw-cert/test.conf
index 1227b9d1c0..f292988506
--- a/testing/tests/swanctl/rw-newhope-bliss/test.conf
+++ b/testing/tests/ikev2-stroke/rw-cert/test.conf
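Review bot: moon's config is the only one in this series that loads `test-vectors` and enables `crypto_test { on_add = yes }`, which is what justifies the otherwise surprising `des`, `md5`, `ntru` and `newhope` on the load line, but nothing in the file says so. A comment above `load` such as `# wide plugin set on purpose: crypto_test.on_add runs every registered algorithm against test-vectors` would keep a future maintainer from either trimming the list (silently shrinking the self-test) or copying it as a recommended production set. Note also that `on_add` can only exercise algorithms for which vectors exist; if this build supports `crypto_test.required = yes`, setting it here would additionally flag any algorithm that registers without a vector.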
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt similarity index 87% rename from testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt index c39829dd5b..893a272303 100644 --- a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt +++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/description.txt @@ -4,7 +4,7 @@ an IKEv2 digital signature accompanied by an X.509 certificate. Next carol uses the Authentication and Key Agreement (EAP-AKA) method of the Extensible Authentication Protocol to authenticate herself. -This EAP method used in UMTS, but here a secret defined in swanctl.conf +This EAP method used in UMTS, but here a secret defined in ipsec.secrets is used instead of a USIM/(R)UIM device. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat new file mode 100644 index 0000000000..25871f8930 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/evaltest.dat 
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf similarity index 54% rename from testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf index e0561f3ffd..364b8c0fc5 100644 --- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..364b8c0fc5 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-3des-md5/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/posttest.dat
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat
similarity index 85%
rename from testing/tests/ikev1/alg-3des-md5/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat
index 6a892fedcf..1578796a1e 100644
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/pretest.dat
@@ -1,7 +1,7 @@
-moon::ipsec start
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::expect-connection rw
+moon::ipsec start
 carol::ipsec start
+moon::expect-connection rw-eap
 carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf
similarity index 90%
rename from testing/tests/swanctl/rw-eap-aka-rsa/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf
index 97b89cb611..e093d43d83 100644
--- a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt similarity index 76% rename from testing/tests/swanctl/rw-eap-aka-rsa/description.txt rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt index 0138e35f5a..da5b72735e 100644 --- a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt +++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/description.txt @@ -4,5 +4,5 @@ an IKEv2 digital signature accompanied by an X.509 certificate. Next carol uses the Authentication and Key Agreement (EAP-AKA) method of the Extensible Authentication Protocol to authenticate herself. -This EAP method used in UMTS, but here a secret defined in swanctl.conf -is used instead of a USIM/(R)UIM device. +This EAP method used in UMTS, but here a secret defined in ipsec.secrets +is used instead of a USIM/(R)UIM device. \ No newline at end of file diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat new file mode 100644 index 0000000000..795164c7f7 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/evaltest.dat 
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..a919d68ec2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + + integrity_test = yes +} diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..a919d68ec2 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + + integrity_test = yes +} diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/posttest.dat similarity index 100% rename from testing/tests/ikev2/alg-aes-ccm/posttest.dat rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/posttest.dat diff --git a/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat new file mode 100644 index 0000000000..ee4673009a --- /dev/null 
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap-aka
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf
similarity index 90%
rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf
index 97b89cb611..e093d43d83 100644
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-aka-rsa/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 0000000000..a1512ca9eb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 RSA signature accompanied by a certificate.
+carol then uses the Extensible Authentication Protocol
+in association with an MD5 challenge and response protocol
+(EAP-MD5) to authenticate against the gateway moon.
+In addition to her IKEv2 identity carol@strongswan.org, roadwarrior
+carol uses the EAP identity carol.
+The user password is kept in ipsec.secrets on the client carol
+and the gateway forwards all EAP messages to the RADIUS server alice.
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 0000000000..60a5a778dd
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default index 2057b51936..1dc69d90dc 100644 --- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -8,10 +8,10 @@ listen { authorize { preprocess - files eap { ok = return } + files expiration logintime } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel similarity index 100% rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users 
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default similarity index 97% rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default index dd0825858a..a67a5dcb42 100644 --- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -1,5 +1,4 @@ authorize { - suffix eap { ok = return } diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..0250ce3b12 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets 
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf similarity index 63% rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf index b18ba68092..3a8d5c20c2 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown plugins { eap-radius { diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat similarity index 82% rename from testing/tests/ikev2/alg-sha512/posttest.dat rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat index 046d4cfdc4..4361417fd1 100644 --- a/testing/tests/ikev2/alg-sha512/posttest.dat +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/posttest.dat @@ -1,4 +1,5 @@ moon::ipsec stop carol::ipsec stop +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat new file mode 100644 index 0000000000..012323f8f4 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::freeradius +moon::ipsec start +carol::ipsec start +moon::expect-connection rw-eap +carol::expect-connection home +carol::ipsec up home diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf similarity index 92% rename from testing/tests/swanctl/rw-eap-md5-radius/test.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf index 0d9e9f3d43..eb1e15dd25 100644 --- a/testing/tests/swanctl/rw-eap-md5-radius/test.conf +++ b/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/test.conf @@ -24,6 +24,3 @@ IPSECHOSTS="moon carol" # RADIUSHOSTS="alice" -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt new file mode 100644 index 0000000000..12bdc9fdde --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 RSA signature accompanied by a certificate. +carol then uses the Extensible Authentication Protocol +in association with an MD5 challenge and response protocol +(EAP-MD5) to authenticate against the gateway moon. +The user password is kept in ipsec.secrets on the client carol +and the gateway forwards all EAP messages to the RADIUS server alice. 
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 0000000000..f3e5aa0a1e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf similarity index 100% rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users 
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/users similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..f399dfbf1e --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/iptables.rules 
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..6d37fbb9d6 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat similarity index 82% rename from testing/tests/ikev2/alg-sha256-96/posttest.dat rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat index 046d4cfdc4..4361417fd1 100644 --- a/testing/tests/ikev2/alg-sha256-96/posttest.dat +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/posttest.dat @@ -1,4 +1,5 @@ moon::ipsec stop carol::ipsec stop +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat new file mode 100644 index 0000000000..012323f8f4 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::freeradius +moon::ipsec start +carol::ipsec start +moon::expect-connection rw-eap +carol::expect-connection home +carol::ipsec up home 
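Review bot: The eap-radius section at the end of the new moon strongswan.conf stores the RADIUS shared secret in clear with nothing marking it as a fixture value, and because RADIUS relies on this secret to authenticate moon to the server alice, a reader could copy it into a real deployment. A comment such as `# test-only shared secret; must match the entry for moon on the RADIUS server alice` above `secret = gv6URkSs` would make its scope clear. The renamed moon strongswan.conf of rw-eap-md5-id-radius presumably carries the same value in the part of its plugins block that lies outside its hunk.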
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf similarity index 92% rename from testing/tests/swanctl/rw-eap-sim-id-radius/test.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf index 0d9e9f3d43..eb1e15dd25 100644 --- a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf +++ b/testing/tests/ikev2-stroke/rw-eap-md5-radius/test.conf @@ -24,6 +24,3 @@ IPSECHOSTS="moon carol" # RADIUSHOSTS="alice" -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/description.txt similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-rsa/description.txt rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/description.txt diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat new file mode 100644 index 0000000000..d4617bf423 --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + 
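Review bot: The rw-eap-md5-rsa evaltest never checks which EAP method the gateway requested, whereas the rw-eap-md5-radius and rw-eap-md5-id-radius evaltests assert it, so this test would still pass if a different EAP method were negotiated. Adding `carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES` after the RSA line would pin the method under test. The moon strongswan.conf for this test only loads eap-md5, which limits the method in practice, but the log check is what makes the intent verifiable.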
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..f399dfbf1e --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets similarity index 100% rename from testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets 
diff --git a/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..f399dfbf1e --- /dev/null +++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/posttest.dat similarity index 100% rename from testing/tests/ikev2/alg-aes-ctr/posttest.dat rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/posttest.dat diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat similarity index 85% rename from testing/tests/ikev1/alg-sha512/pretest.dat rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat index e34f702774..1578796a1e 100644 --- a/testing/tests/ikev1/alg-sha512/pretest.dat +++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/pretest.dat @@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -moon::expect-connection rw +moon::expect-connection rw-eap carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf similarity index 90% rename from testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf rename to testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf index 97b89cb611..e093d43d83 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf +++ b/testing/tests/ikev2-stroke/rw-eap-md5-rsa/test.conf 
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 0000000000..e72426b29a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
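Review bot: The new evaltest.dat for rw-eap-mschapv2-id-rsa ends with two empty lines (the last two `+` lines of the `@@ -0,0 +1,14 @@` hunk); they carry no check and only add noise to later diffs of the file. Drop them so the file ends on the last tcpdump check, `moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES`.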
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..51eaacbe42
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..51eaacbe42
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+}
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-aes-gcm/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat
similarity index 85%
rename from testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat
index e34f702774..1578796a1e 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-moon::expect-connection rw
+moon::expect-connection rw-eap
 carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf
new file mode 100644
index 0000000000..e093d43d83
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-md5/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-md5/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/description.txt
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat
similarity index 54%
rename from testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat
index 247aabe179..c7884ee0e4 100644
--- a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/evaltest.dat
@@ -10,8 +10,14 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..80cd79ed77
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
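Review bot: The two removed `swanctl --list-sas` lines were the only checks in this evaltest.dat that pinned the negotiated IKE proposal (AES_CBC 128 / HMAC_SHA2_256_128 / PRF_HMAC_SHA2_256 / CURVE_25519), the ESP algorithm (AES_GCM_16 128) and the traffic selectors, and the eight new `ipsec status` lines only assert ESTABLISHED and INSTALLED, TUNNEL, so a weaker proposal or a wrong selector accepted by the stroke configs would now go unnoticed. `ipsec statusall` does print the IKE proposal and the CHILD_SA algorithms, so the coverage can be kept with a line along the lines of `carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES` plus a matching `net.*AES_GCM_16_128` check on moon (exact patterns to be confirmed against the statusall output). The same checks are dropped in the rw-eap-peap-mschapv2 and rw-eap-peap-radius evaltest.dat hunks further down.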
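Review bot: The `load` line of carol's strongswan.conf lists a plugin `mfg1`, which looks like a transposition of `mgf1`, the name strongSwan's MGF1 plugin goes by; as far as I recall, a listed plugin that cannot be found only makes charon log a warning and carry on, so the test would not catch the misspelling. Either correct it to `mgf1` or, if the plugin is not needed for this EAP-PEAP scenario, drop it from the list. The same entry appears in dave's and moon's strongswan.conf for this test and in the carol, dave and moon strongswan.conf files of rw-eap-peap-mschapv2.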
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..80cd79ed77
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..6a81b4715e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+
+ plugins {
+ eap-peap {
+ phase2_method = md5
+ phase2_piggyback = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat
new file mode 100644
index 0000000000..dccf85419d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/description.txt
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat
similarity index 55%
rename from testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat
index 1093e51ada..6ba3e10e90 100644
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/evaltest.dat
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..d3f333d543
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..d3f333d543
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..b694c60712
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+ plugins {
+ eap-peap {
+ phase2_method = mschapv2
+ }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat
new file mode 100644
index 0000000000..dccf85419d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt
new file mode 100644
index 0000000000..89db03a385
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+RSA signature accompanied by a certificate.
+carol and dave then set up an EAP-PEAP tunnel each via moon to
+the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
+The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on EAP-MD5.
+carol presents the correct MD5 password and succeeds whereas dave chooses the
+wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat
similarity index 56%
rename from testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat
index 291e249da9..edfb7cddda 100644
--- a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/evaltest.dat
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
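Review bot: The four `ipsec status` lines added here only assert that the IKE_SAs are (or are not) ESTABLISHED, whereas the two `swanctl --list-sas` lines they replace also pinned the negotiated IKE and ESP algorithms, the CHILD_SA being INSTALLED in TUNNEL mode and the traffic selectors, so the stroke variant of this test would no longer notice a weaker proposal or a wrong selector being negotiated. Consider restoring that coverage with `ipsec statusall` checks, e.g. `carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES` plus a matching line for the ESP algorithm and for `INSTALLED, TUNNEL` on carol and moon, with the exact output format taken from the other stroke tests in this commit. Lines 1-9 of the file are outside this hunk, so some of this may already be covered there.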
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
similarity index 74%
rename from testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
index a3837a4ceb..c8c3f85627 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..c8c3f85627
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..9681551467
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
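Review bot: `secret = gv6URkSs` in the `eap-radius` section of moon's new strongswan.conf is the RADIUS shared secret that must match alice's FreeRADIUS client entry for moon, yet none of the alice files this commit adds or renames for the test is a clients.conf, so the test presumably relies on the client definition already baked into the alice guest image. A one-line comment above the value would make that dependency explicit for the next reader, e.g. `# must match the client entry for moon in alice's FreeRADIUS clients.conf (provided by the guest image, not by this test)`. The same secret and the same undocumented dependency appear in the moon strongswan.conf of the rw-eap-sim-id-radius test further down in this chunk.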
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat
similarity index 62%
rename from testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat
index a3aff64c3d..a6619d02bf 100644
--- a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/posttest.dat
@@ -1,6 +1,6 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 0000000000..c98e8ed53a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-ttls-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf
index 0e5512b655..20d5863094 100644
--- a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-peap-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 0000000000..e7d9786349
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 72%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11b..783587b556 100644
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -1,4 +1,4 @@
-realm strongswan.org {
+realm LOCAL {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
similarity index 54%
rename from testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 369c2946fb..51614f7163 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..3a8d5c20c2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat
similarity index 82%
rename from testing/tests/ikev2/alg-sha256/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat
index 046d4cfdc4..4361417fd1 100644
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 0000000000..53aa83f0cb
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-tls-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf
index 0d9e9f3d43..eb1e15dd25 100644
--- a/testing/tests/swanctl/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS="alice"
 
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat
new file mode 100644
index 0000000000..8502d7a72e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 81%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index 51b64a74b3..8d68b81fc2 100644
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,7 +1,4 @@
 authorize {
- preprocess
- chap
- mschap
 files
 suffix
 update reply {
@@ -18,24 +15,9 @@ authorize { eap { ok = return } - unix - files - expiration - logintime - pap } authenticate { - Auth-Type PAP { - pap - } - Auth-Type CHAP { - chap - } - Auth-Type MS-CHAP { - mschap - } - unix eap }
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..195893a188
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..195893a188
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..6725cf8303
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown
+
+	plugins {
+		eap-radius {
+			secret = gv6URkSs
+			server = PH_IP_ALICE
+		}
+	}
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat
similarity index 62%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat
index a3aff64c3d..a6619d02bf 100644
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/posttest.dat
@@ -1,6 +1,6 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat
similarity index 52%
rename from testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat
index 867c7248c1..04b824def8 100644
--- a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/pretest.dat
@@ -1,16 +1,20 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
 alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
 dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-sim-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf
index 93f23f1d6e..29bfaa78c9 100644
--- a/testing/tests/swanctl/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-radius/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat
new file mode 100644
index 0000000000..0c9c2b4a7e
--- /dev/null
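Review bot: The three `rm /etc/ipsec.d/cacerts/*` commands are added twice in this pretest.dat hunk, once at the top and again in place of the removed swanctl `rm rsa/* x509/*` lines, so the second group is a no-op that only obscures the intent; keep a single `moon::rm /etc/ipsec.d/cacerts/*` / `carol::rm /etc/ipsec.d/cacerts/*` / `dave::rm /etc/ipsec.d/cacerts/*` group. Removing the CA certificates is what turns this into an EAP-SIM-only test (no certificate-based authentication can succeed even if a peer offered it), and since .dat files have no comment syntax that rationale belongs in description.txt if it is not already there. By contrast the rw-eap-sim-radius pretest.dat later on this page keeps the cacerts, which looks intentional because its evaltest still expects moon to authenticate with RSA.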
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
similarity index 57%
rename from testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index cbfd676a49..e78434f8f8 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
+	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
similarity index 57%
rename from testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index 8cbe58f19a..e78434f8f8 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
+	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..6d37fbb9d6
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+
+	plugins {
+		eap-radius {
+			secret = gv6URkSs
+			server = PH_IP_ALICE
+		}
+	}
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat
new file mode 100644
index 0000000000..a6619d02bf
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat
similarity index 52%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat
index 867c7248c1..e171997bc3 100644
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/pretest.dat
@@ -1,16 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
 alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
 dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf
index 93f23f1d6e..42d23a50bb 100644
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-radius/test.conf
@@ -23,7 +23,3 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-rsa/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat
new file mode 100644
index 0000000000..17e3157f87
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
similarity index 52%
rename from testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index fd9bf8c7cc..e652c52d7d 100644
--- a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 
-	keep_alive = 5
+	integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
similarity index 52%
rename from testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index fd9bf8c7cc..0015835136 100644
--- a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 
-	keep_alive = 5
+	integrity_test = yes
 }
+
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-aes-xcbc/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-sim-rsa/posttest.dat
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat
new file mode 100644
index 0000000000..71cab1fbf0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/ipsec.d/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap-sim
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf
new file mode 100644
index 0000000000..e093d43d83
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-sim-rsa/test.conf
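Review bot: The moon strongswan.conf hunk for rw-eap-sim-rsa appends an empty line after the closing `}` (the trailing `+` line), which carol's counterpart in the preceding section does not have; dropping it keeps the two files identical apart from their paths and avoids a whitespace-only difference. Both files also switch on `integrity_test = yes`; my understanding is that libstrongswan refuses to initialise when that option is set on a build compiled without integrity checking, so the option makes the test image's build flags a hard dependency, and a one-line `# requires a build with integrity checking enabled` above the option, or a sentence in description.txt, would make that explicit. The `keep_alive = 5` removal is only an artifact of git picking the unrelated nat-rw-psk file as the rename origin, so nothing in the new test depended on it.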
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/rw-eap-tls-only/description.txt b/testing/tests/ikev2-stroke/rw-eap-tls-only/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-only/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/description.txt
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 0000000000..100919a059
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
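Review bot: The evaltest for rw-eap-tls-only asserts the IKE_SA state on both ends but never that the CHILD_SA actually came up; the ping and ESP tcpdump lines cover it indirectly, yet a plain `ipsec status` match pins it and fails with a clearer message when only the IKE_SA succeeds. Adding `carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES` and `moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES` after the two ESTABLISHED lines would close that gap. The pinned suite `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` presumably depends on which of the two entries in moon's libtls `suites` list (later in this diff) wins selection, which is worth a sentence in the test description so the assertion is not a silent ordering dependency.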
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..a4e10a0318
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f7a382d9e0
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
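Review bot: Both new strongswan.conf files list `mfg1` in `load`, which does not match any plugin name I know; the MGF1 mask generator that RSA-PSS signatures (and the rsa_pss signature schemes in TLS 1.2) rely on is the `mgf1` plugin. Unless the test build really ships a plugin called mfg1, charon will log a failed load for that name and carry on, so the test would quietly run without PSS support rather than fail — change both lines to `... curve25519 mgf1 gmp ...`, or drop the entry if PSS is not meant to be exercised here. The same spelling recurs in the rw-eap-tls-radius client config and the rw-eap-ttls-only configs later in this diff.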
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/posttest.dat
similarity index 100%
rename from testing/tests/ikev2/alg-chacha20poly1305/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat
similarity index 85%
rename from testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat
index e34f702774..1578796a1e 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-moon::expect-connection rw
+moon::expect-connection rw-eap
 carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev2-stroke/rw-eap-tls-only/test.conf
similarity index 100%
rename from testing/tests/ikev1/esp-alg-null/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-only/test.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt
new file mode 100644
index 0000000000..842a88c427
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 RSA signature accompanied by a certificate.
+carol then uses a mutual EAP-TLS authentication based
+on X.509 certificates with the remote AAA RADIUS server alice.
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 0000000000..36c0544193
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
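Review bot: This evaltest checks that EAP succeeded on both ends but, unlike the rw-eap-tls-only one, does not pin which TLS version and suite carol negotiated with the RADIUS backend, so a downgrade on the proxied path would still pass. carol's strongswan.conf in this diff enables `tls = 2` logging, so if the eap-tls plugin logs the suite there as the tls-only test expects, a line such as `carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite::YES` costs nothing. A `carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES` line would likewise pin the CHILD_SA instead of relying only on the ping.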
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..b4196402dd
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..783b4c8444
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
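Review bot: `secret = gv6URkSs` in moon's eap-radius block is an eight-character RADIUS shared secret committed in clear; with EAP carried over RADIUS that secret is what keys the MS-MPPE-Recv/Send-Key hiding of the MSK alice returns to moon, so anyone holding it can recover the session keys of every EAP-TLS tunnel from a capture of the moon–alice leg. For the isolated test network that is acceptable, but a comment marking it as fixture-only, e.g. `# test-only shared secret; must match the client entry for moon on alice`, keeps it from being copied into a real deployment, and the same value is reused by the rw-eap-ttls-radius moon config later in this diff. carol's hunk just above also lists `mfg1` in `load`, which looks like a misspelling of the `mgf1` plugin.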
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat
similarity index 82%
rename from testing/tests/ikev2/alg-sha384/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat
index 046d4cfdc4..4361417fd1 100644
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 0000000000..012323f8f4
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf
index 0d9e9f3d43..eb1e15dd25 100644
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-tls-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS="alice"
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt
similarity index 99%
rename from testing/tests/swanctl/rw-eap-ttls-only/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt
index 19c00531e4..3d4c3ab873 100644
--- a/testing/tests/swanctl/rw-eap-ttls-only/description.txt +++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/description.txt @@ -3,7 +3,7 @@ The strong mutual authentication is based on EAP-TTLS only (without a sep authentication) with the gateway being authenticated by a server certificate during the EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client authentication based on EAP-MD5 (phase2 of EAP-TTLS). - + With the default setting charon.plugins.eap-ttls.phase2_piggyback = no the server moon passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by sending a tunneled orphan EAP Identity response upon the reception of the server's TLS diff --git a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat similarity index 54% rename from testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat index 46d6be42a7..a4b7d58121 100644 --- a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat +++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/evaltest.dat 
@@ -10,8 +10,10 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
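Review bot: The two removed `swanctl --list-sas` lines were the only assertions on the negotiated IKE/ESP algorithms (AES_CBC_128, HMAC_SHA2_256_128, CURVE_25519, AES_GCM_16_128) and on the traffic selectors, and the four added `ipsec status` lines only match `ESTABLISHED`, so the stroke variant of this test no longer notices if moon and carol quietly agree on weaker ciphers or a different subnet. `ipsec statusall` prints the same data, so lines along the lines of `carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES`, `carol::ipsec statusall 2> /dev/null::home.*AES_GCM_16_128::YES` and a `192.168.0.100/32 === 10.1.0.0/16` match would restore that coverage (exact output format to be confirmed against a run). Note also that the `::NO` checks for dave pass trivially if his daemon is not running at all, since `ipsec status` errors go to /dev/null; the earlier EAP_FAILURE log assertion is what actually carries that case.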
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..0637de363c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..0637de363c
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..dd1524c64d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ }
+ }
+}
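Review bot: All three rw-eap-ttls-only configs (dave and moon here, carol in the hunk just before) carry `mfg1` in `load`; no plugin of that name is known to me and the MGF1 plugin that RSA-PSS needs is `mgf1`, so unless the test build ships one under that spelling charon will only log a failed load and carry on without PSS. Either correct the three lines to `mgf1` or drop the entry if PSS is not exercised by this test. Since moon is the one terminating the EAP-TTLS tunnel here (`phase2_method = md5`), the gateway config is the one where a missing signature plugin would matter most.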
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 0000000000..dccf85419d
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt
new file mode 100644
index 0000000000..299106b32e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+RSA signature accompanied by a certificate.
+carol and dave then set up an EAP-TTLS tunnel each via moon to
+the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
+carol presents the correct MD5 password and succeeds whereas dave chooses the
+wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat
similarity index 56%
rename from testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat
index df4f0d5508..4be616469d 100644
--- a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/evaltest.dat
@@ -10,8 +10,12 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
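Review bot: The hunk appends two empty lines at the very end of evaltest.dat (the final `+`, `+`), which the swanctl original did not have and which the harness presumably tolerates, but they are noise and should be dropped. More importantly, removing the two `swanctl --list-sas` lines removes the only assertions on the negotiated IKE/ESP algorithms and on the traffic selectors, while the four replacement `ipsec status` lines match `ESTABLISHED` only; `ipsec statusall` exposes the IKE proposal, the ESP algorithm and the selectors, so equivalent checks (for example `carol::ipsec statusall 2> /dev/null::home.*AES_GCM_16_128::YES`) would keep the cipher coverage this test used to have.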
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..443332acc2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..443332acc2
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..9681551467
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 0000000000..a6619d02bf
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 0000000000..c98e8ed53a
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/test.conf b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf
similarity index 92%
rename from testing/tests/swanctl/rw-eap-peap-radius/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf
index 0e5512b655..20d5863094 100644
--- a/testing/tests/swanctl/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2-stroke/rw-eap-ttls-radius/test.conf
@@ -24,6 +24,3 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice"
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt b/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt
new file mode 100644
index 0000000000..47f6968ae7
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and Fully Qualified Domain Names. Upon the successful establishment of the IPsec tunnels,
+leftfirewall=yes automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat
similarity index 70%
rename from testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat
index 8bcba9a3a5..a5aa06be28 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/evaltest.dat
@@ -1,15 +1,12 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
-dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
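Review bot: The first added line of the rw-psk-fqdn evaltest, `moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES`, looks like a leftover from editing: it is satisfied by any `@strongswan.org` peer identity and is fully subsumed by the `rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org` check added a few lines below in the same hunk. As written it can never fail on its own and only weakens the file's one-assertion-per-peer pattern, so I would drop it. The remaining `rw\[1]`/`rw\[2]` numbering assumes carol's IKE_SA is established before dave's, which the pretest ordering appears to guarantee.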
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat
old mode 100755
new mode 100644
similarity index 52%
rename from testing/tests/swanctl/rw-hash-and-url/pretest.dat
rename to testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat
index 3d37a86e52..ee5bc7c721
--- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 moon::expect-connection rw
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::ipsec up home
 dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf b/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt b/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt
new file mode 100644
index 0000000000..b4aaa6a6a7
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
+leftfirewall=yes automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat
new file mode 100644
index 0000000000..0c8c311ae8
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..9555143918
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat
new file mode 100644
index 0000000000..ee5bc7c721
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf b/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2-stroke/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/description.txt b/testing/tests/ikev2-stroke/virtual-ip/description.txt
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/description.txt
rename to testing/tests/ikev2-stroke/virtual-ip/description.txt
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke/virtual-ip/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/evaltest.dat
rename to testing/tests/ikev2-stroke/virtual-ip/evaltest.dat
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..93f4345989
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..93f4345989
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2-stroke/virtual-ip/posttest.dat b/testing/tests/ikev2-stroke/virtual-ip/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke/virtual-ip/pretest.dat b/testing/tests/ikev2-stroke/virtual-ip/pretest.dat
new file mode 100644
index 0000000000..e87a8ee479
--- /dev/null
+++ b/testing/tests/ikev2-stroke/virtual-ip/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/swanctl/rw-ntru-bliss/test.conf b/testing/tests/ikev2-stroke/virtual-ip/test.conf
similarity index 91%
rename from testing/tests/swanctl/rw-ntru-bliss/test.conf
rename to testing/tests/ikev2-stroke/virtual-ip/test.conf
index a542d037ed..164b07ff97 100644
--- a/testing/tests/swanctl/rw-ntru-bliss/test.conf
+++ b/testing/tests/ikev2-stroke/virtual-ip/test.conf
@@ -19,7 +19,3 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/ikev2/acert-cached/description.txt b/testing/tests/ikev2/acert-cached/description.txt
old mode 100644
new mode 100755
index 42f7432bcc..d2bd6b5895
--- a/testing/tests/ikev2/acert-cached/description.txt
+++ b/testing/tests/ikev2/acert-cached/description.txt
@@ -1,11 +1,11 @@
-The roadwarriors carol and dave set up a connection each
+The roadwarriors carol and dave set up a connection each
 to gateway moon. The authentication is based on X.509 certificates. To authorize clients, moon uses locally cached attribute certificates. While for carol a valid attribute certificate for the group sales is available, dave's attribute certificates are either expired or
-do not grant permissions for the sales group.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both carol and dave try
-to ping the client alice behind the gateway moon, but dave fails
-to do so.
+do not grant permissions for the sales group.
+
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test both tunnel and firewall, both carol
+and dave try to ping the client alice behind the gateway moon,
+but dave fails to do so.
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat
old mode 100644
new mode 100755
index 6d6b1d9121..c304d8a649
--- a/testing/tests/ikev2/acert-cached/evaltest.dat
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*home.*state=INSTALLED.*::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*state=INSTALLED::NO
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 
PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e72f78742f..0000000000
--- a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..f1c4ba6e87
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/swanctl/swanctl.conf
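Review bot: The negative check for dave on moon in the acert-cached evaltest, `moon:: swanctl --list-sas --ike-id 2 --raw ... remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org ... state=INSTALLED::NO`, pins dave to carol's address: dave's new swanctl.conf in this commit sets `local_addrs = 192.168.0.200`, and carol's own line in the same hunk uses `192.168.0.100`. A pattern that can never match always satisfies `::NO`, so this assertion passes even if moon wrongly accepted dave's SA, which is the one failure the test exists to catch; the stroke-era line it replaces matched on identity only and did not have this problem. Either change the address to `remote-host=192.168.0.200` or drop the host/port fields and match on the identity alone, e.g. `moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED.*remote-id=dave@strongswan.org.*child-sas.*net.*state=INSTALLED::NO`. It is worth a quick run with the group constraint temporarily removed from moon's config to confirm the corrected line actually turns red.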
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..7fcdea8349 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf deleted file mode 100644 index fbffbad621..0000000000 --- a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - rightgroups=sales - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 6276b14eeb..258d5559f4 --- a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..5eb12bf6ae --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + groups = sales + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat old mode 100644 new mode 100755 index 43c69597c2..4055bc8261 --- a/testing/tests/ikev2/acert-cached/posttest.dat +++ b/testing/tests/ikev2/acert-cached/posttest.dat @@ -1,11 +1,7 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::cd /etc/swanctl; rm rsa/* x509aa/* x509ac/* moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem -moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem -moon::rm /etc/ipsec.d/acerts/dave-marketing.pem -moon::rm /etc/ipsec.d/private/aaKey.pem -moon::rm /etc/ipsec.d/aacerts/aaCert.pem diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat old mode 100644 new mode 100755 index e87a8ee479..3d37a86e52 --- a/testing/tests/ikev2/acert-cached/pretest.dat +++ b/testing/tests/ikev2/acert-cached/pretest.dat 
@@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/acert-cached/test.conf b/testing/tests/ikev2/acert-cached/test.conf old mode 100644 new mode 100755 index f292988506..1227b9d1c0 --- a/testing/tests/ikev2/acert-cached/test.conf +++ b/testing/tests/ikev2/acert-cached/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/acert-fallback/description.txt b/testing/tests/ikev2/acert-fallback/description.txt index 0008b105a9..ac9914fed6 100644 --- a/testing/tests/ikev2/acert-fallback/description.txt +++ b/testing/tests/ikev2/acert-fallback/description.txt @@ -5,7 +5,7 @@ The authentication is based on X.509 certificates. To authorize clients, the finance groups. The attribute certificate for finance is not valid anymore, hence carol gets access to the sales connection only. -Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +
Upon the successful establishment of the IPsec tunnel, the updown-script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, carol tries to ping both alice and venus, but only the ping for the sales related diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat index 8c4e9e2fc2..0b48edef24 100644 --- a/testing/tests/ikev2/acert-fallback/evaltest.dat +++ b/testing/tests/ikev2/acert-fallback/evaltest.dat 
@@ -1,6 +1,5 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO -moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.20/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.100/32]::YES moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e72f78742f..0000000000 --- a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf index af5fa19ef1..ba2c31e550 100644 --- a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici } diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..07e4050666 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 37e779fef0..0000000000 --- a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn finance - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.10/32 - leftfirewall=yes - right=%any - rightid=*@strongswan.org - rightgroups=finance - keyexchange=ikev2 - auto=add - -conn sales - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.20/32 - leftfirewall=yes - right=%any - rightgroups=sales - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf index 6276b14eeb..78647e4c23 100644 --- a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 acert curl revocation hmac kernel-netlink socket-default vici } diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..decd9cb531 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,46 @@ +connections { + + finance { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + groups = finance + } + children { + alice { + local_ts = 10.1.0.10/32 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } + + sales { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + groups = sales + } + children { + venus { + esp_proposals = aes128gcm128-x25519 + local_ts = 10.1.0.20/32 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat index b90119c6be..689d904dbc 100644 --- a/testing/tests/ikev2/acert-fallback/posttest.dat +++ b/testing/tests/ikev2/acert-fallback/posttest.dat @@ -1,8 +1,4 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -carol::rm /etc/ipsec.d/acerts/carol-sales.pem -carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem -moon::rm /etc/ipsec.d/private/aaKey.pem -moon::rm /etc/ipsec.d/aacerts/aaCert.pem +carol::systemctl stop strongswan +moon::systemctl stop strongswan +moon::cd /etc/swanctl; rm rsa/* x509aa/* +carol:: rm /etc/swanctl/x509ac/* diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat index 084516aa28..9a9d9c87e1 100644 --- a/testing/tests/ikev2/acert-fallback/pretest.dat +++ b/testing/tests/ikev2/acert-fallback/pretest.dat 
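Review bot: The `finance` connection's `remote` block carries no `id`, whereas the deleted ipsec.conf restricted that conn with `rightid=*@strongswan.org`; the migration silently widens the identities that can match `finance` to %any, leaving the `groups = finance` attribute-certificate constraint as the only authorization check. If the wildcard was meant to stay, add `id = *@strongswan.org` inside `remote { ... }` of `finance`; if dropping it is deliberate, say so in the description so the change is not mistaken for an oversight. The `sales` connection never had such a constraint and is unaffected.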
@@ -1,8 +1,6 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection finance moon::expect-connection sales carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/acert-fallback/test.conf b/testing/tests/ikev2/acert-fallback/test.conf index a6c21de09b..65dc353745 100644 --- a/testing/tests/ikev2/acert-fallback/test.conf +++ b/testing/tests/ikev2/acert-fallback/test.conf @@ -5,17 +5,20 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice venus moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-v-m-c-w-d.png" +DIAGRAM="m-c-w.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="" +TCPDUMPHOSTS="moon" # Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 diff --git a/testing/tests/ikev2/acert-inline/description.txt b/testing/tests/ikev2/acert-inline/description.txt old mode 100644 new mode 100755 index 948b847253..d2bd6b5895 --- a/testing/tests/ikev2/acert-inline/description.txt +++ b/testing/tests/ikev2/acert-inline/description.txt @@ -1,12 +1,11 @@ -
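Review bot: `VIRTHOSTS` drops alice and venus, yet the acert-fallback evaltest in this same commit still runs `carol::ping -c 1 PH_IP_VENUS ... ::YES` and `carol::ping -c 1 -W 1 PH_IP_ALICE ... ::NO`; unless another guest answers for 10.1.0.20, the venus ping cannot succeed, and the alice `::NO` becomes vacuous because an absent host never replies regardless of what the sales-only narrowing permits. Either keep `VIRTHOSTS="alice venus moon carol winnetou"` with the matching diagram, or replace the pings with a check that only the `venus` child SA is installed. `TCPDUMPHOSTS` also changes from empty to `"moon"` while the evaltest adds no tcpdump expectations, so that change is inert unless ESP checks are added. The harness itself is not visible, so the reachability claim is inferred from the addresses used in moon's swanctl.conf.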
The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -To authorize clients, moon expects attribute certificates sent inline in -IKEv2 CERT payloads. Carol provides a valid attribute certificate for -the group sales, but dave offers two invalid attribute -certificates: One is not for the sales group, and the other is issued by -an AA that has been expired.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave try -to ping the client alice behind the gateway moon, but dave fails -to do so.
+To authorize clients, moon uses locally cached attribute certificates. +While for carol a valid attribute certificate for the group sales +is available, dave's attribute certificates are either expired or +do not grant permissions for the sales group. + +The updown script automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test both tunnel and firewall, both carol +and dave try to ping the client alice behind the gateway moon, +but dave fails to do so. diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat old mode 100644 new mode 100755 index cf0e7be72c..ac30652afa --- a/testing/tests/ikev2/acert-inline/evaltest.dat +++ b/testing/tests/ikev2/acert-inline/evaltest.dat 
@@ -1,7 +1,7 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*home.*state=INSTALLED.*::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*state=INSTALLED::NO moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan 
Project, CN=strongSwan Attribute Authority\"::YES dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e72f78742f..0000000000 --- a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..ad4c18e437 --- a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..f1c4ba6e87 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/swanctl/swanctl.conf 
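Review bot: As in acert-cached, moon's `--ike-id 2 ... ::NO` line pairs `remote-id=dave@strongswan.org` with `remote-host=192.168.0.100`, which is carol's address (dave uses `local_addrs = 192.168.0.200`), so the negative expectation passes trivially; use `remote-host=192.168.0.200` there. Separately, this hunk keeps the `sending attribute certificate issued by ...` log checks on carol and dave, i.e. the test is still about acerts delivered inline in IKEv2 CERT payloads, but the acert-inline description.txt rewritten in this commit now says moon "uses locally cached attribute certificates" — that paragraph appears to have been copied from acert-cached and should be restored to describe inline delivery.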
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 65c9819bb2..0000000000 --- a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } 
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..7fcdea8349 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e3abea51fa..0000000000 --- a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - rightgroups="finance, sales" - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 6276b14eeb..258d5559f4 --- a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf 
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..cba80fcfe3 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + groups = finance,sales + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat old mode 100644 new mode 100755 index bd2272b211..9dcba153b6 --- a/testing/tests/ikev2/acert-inline/posttest.dat +++ b/testing/tests/ikev2/acert-inline/posttest.dat 
@@ -1,13 +1,9 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::cd /etc/swanctl; rm rsa/* x509aa/* +carol::rm /etc/swanctl/x509ac/* +dave::rm /etc/swanctl/x509ac/* moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -carol::rm /etc/ipsec.d/acerts/carol-sales.pem -dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem -dave::rm /etc/ipsec.d/acerts/dave-marketing.pem -moon::rm /etc/ipsec.d/private/aaKey-expired.pem -moon::rm /etc/ipsec.d/private/aaKey.pem -moon::rm /etc/ipsec.d/aacerts/aaCert-expired.pem -moon::rm /etc/ipsec.d/aacerts/aaCert.pem diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat old mode 100644 new mode 100755 index e87a8ee479..3d37a86e52 --- a/testing/tests/ikev2/acert-inline/pretest.dat +++ b/testing/tests/ikev2/acert-inline/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/acert-inline/test.conf b/testing/tests/ikev2/acert-inline/test.conf old mode 100644 new mode 100755 index f292988506..1227b9d1c0 --- a/testing/tests/ikev2/acert-inline/test.conf +++ b/testing/tests/ikev2/acert-inline/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 
diff --git a/testing/tests/ikev2/after-2038-certs/description.txt b/testing/tests/ikev2/after-2038-certs/description.txt index fb622dc150..1d6b911b93 100644 --- a/testing/tests/ikev2/after-2038-certs/description.txt +++ b/testing/tests/ikev2/after-2038-certs/description.txt @@ -1,13 +1,13 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on X.509 certificates that are valid until -the year 2039 and are issued by a certification authority with a root ca +the year 2039 and are issued by a certification authority with a root ca certificate valid until the year 2059. On 32-bit platforms, dates after Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type. Thus if a time wrap-around occurs during ASN.1 to time_t conversions, dates contained in the certificates are set to the maximum value, i.e. to Jan 19 03:14:07 UTC 2038. - -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes + +Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, carol ping the client alice behind the gateway moon. diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat index 8c2c078bda..69c51d023b 100644 --- a/testing/tests/ikev2/after-2038-certs/evaltest.dat +++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat 
@@ -1,8 +1,5 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e72f78742f..0000000000 --- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index af5fa19ef1..8f8fbdfa76 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..454213d5cd
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm16-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
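Review bot: The new swanctl.conf is committed with `new file mode 100755`; a daemon configuration file has no reason to be executable, and the same mode is used for moon's swanctl.conf in this commit. Commit both as `100644` (`git update-index --chmod=-x testing/tests/ikev2/after-2038-certs/hosts/carol/etc/swanctl/swanctl.conf`). The connection itself mirrors the deleted ipsec.conf: pubkey auth with `remote.id = moon.strongswan.org` pinned, which is the right choice on the roadwarrior side.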
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 1ee7513602..0000000000
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index 93f4345989..8f8fbdfa76 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..491e655721
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/swanctl/swanctl.conf
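Review bot: The `charon-systemd` plugin list on moon now includes `md5`, which the old `charon` list on this host did not load, while nothing in the test needs it: the proposals are aes128-sha256-x25519 for IKE and aes128gcm16-x25519 for ESP. It looks copied from carol's list, which already had `md5`. Loading a hasher the gateway does not use presumably also makes it available for signature verification, so I would drop it here, `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown`, or add a comment stating what in the 2059 CA chain requires it.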
@@ -0,0 +1,23 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/10
+ esp_proposals = aes128gcm16-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
index 046d4cfdc4..adbfd8f247 100644
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index e34f702774..1cf07245b0 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,7 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
index 4a5fc470f0..7229b10c23 100644
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -5,7 +5,7 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
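Review bot: `local_ts = 10.1.0.0/10` in the `net` child is not the subnet this test protects: the deleted ipsec.conf had `leftsubnet=10.1.0.0/16`, carol asks for `remote_ts = 10.1.0.0/16`, and the evaltest expects `local-ts=[10.1.0.0/16]` on moon. The test passes only because IKEv2 narrows the selector to carol's /16, which hides the typo; as written the gateway is willing to tunnel 10.0.0.0/10 (10.0.0.0-10.63.255.255) to any roadwarrior presenting a certificate from a trusted CA, since `remote` carries no `id`. Change it to `local_ts = 10.1.0.0/16`.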
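Review bot: The `iptables-restore < /etc/iptables.rules` steps are removed and neither new swanctl.conf sets `updown` on its child, yet description.txt still says the updown script inserts firewall rules and that the ping tests both tunnel and firewall. If the new guest images apply a default ruleset and updown script outside this directory (not visible here) the claim holds; otherwise the ping from carol to alice succeeds with no firewall at all and the evaltest exercises none. Either keep the iptables lines and add e.g. `updown = /usr/local/libexec/ipsec/_updown iptables` to both `children` sections, or drop the firewall sentence from the description.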
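Review bot: `dave` is added to VIRTHOSTS although this test never uses that guest: IPSECHOSTS stays `"moon carol"`, the evaltest only references carol and moon, and the DIAGRAM line outside this hunk presumably still names the a-m-c-w diagram without dave. Booting an unused guest costs time on every run and reads like a copy from a two-roadwarrior test. Keep `VIRTHOSTS="alice moon carol winnetou"`.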
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/alg-3des-md5/description.txt b/testing/tests/ikev2/alg-3des-md5/description.txt
deleted file mode 100644
index 4c39d0b049..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-3DES_CBC / HMAC_MD5_96 by defining esp=3des-md5-modp1024!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
deleted file mode 100644
index 00465c27d2..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
-moon:: ip xfrm state::enc cbc(des3_ede)::YES
-carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth-trunc hmac(md5)::YES
-carol::ip xfrm state::auth-trunc hmac(md5)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 1be5f1d8f2..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-md5-modp1024!
- esp=3des-md5-modp1024!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 2c4f3fc214..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e961f081dc..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-md5-modp1024!
- esp=3des-md5-modp1024!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 66ff24601f..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt
deleted file mode 100644
index 569504aa06..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the cipher suite
-AES_CCM_12_128 both for IKE and ESP by defining ike=aes128ccm12-aesxcbc-curve25519
-(or alternatively aes128ccm96) and esp=aes128ccm12-curve25519 in ipsec.conf, respectively.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
deleted file mode 100644
index 447445bbfd..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
-moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
-moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c7218e4de6..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128ccm96-aesxcbc-x25519!
- esp=aes128ccm96-x25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index eb329f28af..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fdffa0f25c..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128ccm12-aesxcbc-x25519!
- esp=aes128ccm12-x25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index ffe6974db6..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt
deleted file mode 100644
index 1ac6b4cd1b..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the cipher suite
-AES_CTR_128 both for IKE and ESP by defining ike=aes128ctr-aesxcbc-curve25519
-and esp=aes128ctr-aesxcbc-curve25519 in ipsec.conf, respectively.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
deleted file mode 100644
index 1bbaacf4f5..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
-moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
-carol::ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ip xfrm state::rfc3686(ctr(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
-
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b5aabdd388..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128ctr-aesxcbc-x25519!
- esp=aes128ctr-aesxcbc-x25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c6ef5d7953..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 650b346eb5..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128ctr-aesxcbc-x25519!
- esp=aes128ctr-aesxcbc-x25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 3ec3f00780..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt
deleted file mode 100644
index ccf32fc3a1..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior carol proposes to gateway moon the cipher suite
-AES_GCM_16_256 both for IKE and ESP by defining ike=aes256gcm16-aesxcbc-curve25519
-(or alternatively aes256gcm128) and esp=aes256gcm16-curve25519 in ipsec.conf,
-respectively.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 487928ca92..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c6bc925e83..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-aesxcbc-x25519!
- esp=aes256gcm128-x25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 7cb4496f29..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 1597aae794..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm16-aesxcbc-x25519!
- esp=aes256gcm16-x25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 35d3c19a20..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
deleted file mode 100644
index d69d3d0b6e..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC_128 / AES_XCBC_96 by defining esp=aes128-aesxcbc-curve25519!
-in ipsec.conf. The same cipher suite is used for IKE.
-A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
deleted file mode 100644
index 42bf0764a4..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
-carol::ip xfrm state::auth-trunc xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 93bafcec14..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-aesxcbc-x25519!
- esp=aes128-aesxcbc-x25519!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index ce996478c9..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 13a1798823..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-aesxcbc-x25519!
- esp=aes128-aesxcbc-x25519!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 69f188e3d2..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
deleted file mode 100644
index 106087b12c..0000000000
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
-
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 7456a9d8a8..0000000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048!
- esp=blowfish192-sha256!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 99d3c61d93..0000000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
- syslog {
- daemon {
- cfg = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index df3242d611..0000000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish128-sha256-modp1536!
- esp=blowfish128-sha1!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index a3c9999f77..0000000000
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 3c0578d4b6..0000000000 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! - esp=blowfish192-sha256,blowfish128-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 99a0e89402..0000000000 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,10 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown - syslog { - daemon { - cfg = 2 - } - } -} diff --git a/testing/tests/ikev2/alg-chacha20poly1305/description.txt b/testing/tests/ikev2/alg-chacha20poly1305/description.txt deleted file mode 100644 index a808c4b67e..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/description.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Roadwarrior carol proposes to gateway moon the cipher suite -CHACHA20_POLY1305 both for IKE and ESP by defining -ike=chacha20poly1305-prfsha256-ntru256 and -esp=chacha20poly1305-ntru256 in ipsec.conf, respectively. -A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat deleted file mode 100644 index ac29c66ff0..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES -moon:: ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES -carol::ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES -moon:: ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES -carol::ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf deleted file mode 100644 index eebbaa1745..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=chacha20poly1305-prfsha256-ntru256! - esp=chacha20poly1305-ntru256! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 9128a620d1..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random drbg nonce chapoly aes sha1 sha2 md5 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown - - send_vendor_id = yes -} diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf deleted file mode 100644 index b0b57631f5..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=chacha20poly1305-prfsha256-ntru256! - esp=chacha20poly1305-ntru256! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf deleted file mode 100644 index ab04e146ad..0000000000 
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random drbg nonce chapoly aes sha1 sha2 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown - - send_vendor_id = yes -} diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/alg-chacha20poly1305/test.conf b/testing/tests/ikev2/alg-chacha20poly1305/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/alg-chacha20poly1305/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 84c9c8c7c3..0000000000 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 3f13273876..0000000000 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 5402f24f36..0000000000 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 84b3d6880b..0000000000 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf deleted file mode 100644 index be00a11eb2..0000000000 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/alg-sha256-96/description.txt b/testing/tests/ikev2/alg-sha256-96/description.txt deleted file mode 100644 index 9e5321eb62..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -Roadwarrior carol proposes to gateway moon the ESP cipher suite -AES_CBC_128 / HMAC_SHA2_256_96 which uses 96 bit instead of the -standard 128 bit truncation, allowing compatibility with Linux kernels older than 2.6.33 -by defining esp=aes128-sha256_96-curve25519! in ipsec.conf. -A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat deleted file mode 100644 index 42e7b9335e..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat +++ /dev/null 
@@ -1,15 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES -carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES -moon:: ip xfrm state::auth-trunc hmac(sha256)::YES -carol::ip xfrm state::auth-trunc hmac(sha256)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6a1a1ad144..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=aes128-sha256_96-x25519! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add 
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 41919c8766..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=aes128-sha256_96-x25519! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/alg-sha256-96/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha256/description.txt b/testing/tests/ikev2/alg-sha256/description.txt deleted file mode 100644 index f7e53913c1..0000000000 
--- a/testing/tests/ikev2/alg-sha256/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior carol proposes to gateway moon the ESP cipher suite -AES_CBC_128 / HMAC_SHA2_256_128 by defining esp=aes128-sha256-curve25519! -in ipsec.conf. The same cipher suite is used for IKE. -A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat deleted file mode 100644 index f47852b34d..0000000000 --- a/testing/tests/ikev2/alg-sha256/evaltest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES -moon:: ip xfrm state::auth-trunc hmac(sha256)::YES -carol::ip xfrm state::auth-trunc hmac(sha256)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf deleted file mode 100644 index b3548db921..0000000000 --- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=aes128-sha256-x25519! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf deleted file mode 100644 index da8bff0390..0000000000 --- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=aes128-sha256-x25519! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/alg-sha256/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/alg-sha256/test.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha384/description.txt b/testing/tests/ikev2/alg-sha384/description.txt deleted file mode 100644 index f96ea5c4f2..0000000000 --- a/testing/tests/ikev2/alg-sha384/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior carol proposes to gateway moon the ESP cipher suite -AES_CBC_192 / HMAC_SHA2_384_192 by defining esp=aes192-sha384-curve25519! -in ipsec.conf. The same cipher suite is used for IKE. -A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat deleted file mode 100644 index 56d862e1e5..0000000000 --- a/testing/tests/ikev2/alg-sha384/evaltest.dat +++ /dev/null 
@@ -1,13 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES -moon:: ip xfrm state::auth-trunc hmac(sha384)::YES -carol::ip xfrm state::auth-trunc hmac(sha384)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e9122d4b1f..0000000000 --- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-x25519! - esp=aes192-sha384-x25519! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e4b52732c6..0000000000 
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-x25519! - esp=aes192-sha384-x25519! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/alg-sha384/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/alg-sha384/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha512/description.txt b/testing/tests/ikev2/alg-sha512/description.txt deleted file mode 100644 index bf79a3bff7..0000000000 --- a/testing/tests/ikev2/alg-sha512/description.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -Roadwarrior carol proposes to gateway moon the ESP cipher suite -AES_CBC_256 / HMAC_SHA2_512_256 by defining esp=aes256-sha512-modp4096! -in ipsec.conf. The same cipher suite is used for IKE. -A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat deleted file mode 100644 index 0b2a71adac..0000000000 --- a/testing/tests/ikev2/alg-sha512/evaltest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES -moon:: ip xfrm state::auth-trunc hmac(sha512)::YES -carol::ip xfrm state::auth-trunc hmac(sha512)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 13ab244bb5..0000000000 --- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 3f13273876..0000000000 --- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e6d4104423..0000000000 --- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf deleted file mode 100644 index be00a11eb2..0000000000 --- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/alg-sha512/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/alg-sha512/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat index 843326ecc6..7ac691a29f 100644 --- a/testing/tests/ikev2/compress/evaltest.dat +++ b/testing/tests/ikev2/compress/evaltest.dat 
@@ -1,7 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
 moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
 moon:: ip xfrm state::proto comp spi::YES
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 78809898b5..0000000000
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ /dev/null
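Review bot: The two new `swanctl --list-sas --raw` checks no longer assert IPComp on the CHILD_SA, whereas the removed `ipsec status` lines matched `INSTALLED, TUNNEL.*IPCOMP` on both carol and moon; after this hunk compression is covered only by the IPCOMP_SUP notify log lines and by moon's `ip xfrm state::proto comp spi`, so nothing verifies that carol actually installed a comp state. Adding `carol::ip xfrm state::proto comp spi::YES` restores the per-peer check cheaply. If the raw listing exposes the negotiated CPIs in the child-sas entry (I believe as `cpi-in=`/`cpi-out=`, worth confirming against the vici output), matching them in the two regexes would be the closest equivalent of the old assertion. Matching `reqid=1` on moon also pins an allocation detail unrelated to what this test exercises; dropping it would make the regex less brittle.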
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf index af5fa19ef1..d42a9804c8 100644 --- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..fbd4e385ee --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + esp_proposals =aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 718b3c8140..0000000000 
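Review bot: `esp_proposals =aes128-sha256-x25519` in the `home` child is missing the space after `=` that every other key in this file and in moon's counterpart use; swanctl's parser tolerates it, but it reads as a typo and breaks anyone grepping the test tree for `= aes128`. Suggest `esp_proposals = aes128-sha256-x25519`.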
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf index 93f4345989..d42a9804c8 100644 --- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..3614716ed5 --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat index 046d4cfdc4..ec5d4c48ad 100644 --- a/testing/tests/ikev2/compress/posttest.dat +++ b/testing/tests/ikev2/compress/posttest.dat 
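Review bot: The `remote` section of `rw` carries no `id`, whereas the deleted ipsec.conf pinned the peer with `rightid=carol@strongswan.org`; with `auth = pubkey` alone, any certificate chaining to a trusted CA will be accepted on this connection. That is the usual roadwarrior pattern and the evaltest still greps for `remote-id=carol@strongswan.org`, so it may be intended, but it is a silent loosening relative to the old test. If the identity constraint was part of what this test covered, add `id = carol@strongswan.org` under `remote`.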
@@ -1,4 +1,2 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush +moon::systemctl stop strongswan +carol::systemctl stop strongswan diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat index 5536d2803a..87be755a3c 100644 --- a/testing/tests/ikev2/compress/pretest.dat +++ b/testing/tests/ikev2/compress/pretest.dat @@ -1,7 +1,5 @@ -carol::iptables-restore < /etc/iptables.rules -moon::iptables-restore < /etc/iptables.rules -carol::ipsec start -moon::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf index d7b71426cf..307c7e9cc7 100644 --- a/testing/tests/ikev2/compress/test.conf +++ b/testing/tests/ikev2/compress/test.conf @@ -20,3 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/config-payload/description.txt b/testing/tests/ikev2/config-payload/description.txt old mode 100644 new mode 100755 index 7690e7dcec..57134caab9 --- a/testing/tests/ikev2/config-payload/description.txt +++ b/testing/tests/ikev2/config-payload/description.txt 
@@ -1,7 +1,10 @@
 The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
-tunnels, carol and dave then ping the client alice behind the gateway
-moon. The source IP addresses of the two pings will be the virtual IPs carol1
-and dave1, respectively.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload by using the vips = 0.0.0.0 parameter.
+moon explicitly assigns a specific virtual IP to each of the two clients.
+
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to
+test the tunnels, carol and dave then ping the client alice behind
+the gateway moon. The source IP addresses of the two pings will be the virtual
+IPs 10.3.0.1 and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
old mode 100644
new mode 100755
index 9471f88464..1cc8d82402
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,26 +1,16 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*by strongSwan::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*by strongSwan::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new 
virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES +alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index 0fbefa3fc2..ad4c18e437 --- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } 
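Review bot: The ping assertions now run from alice toward the virtual IPs (`alice::ping -c 1 10.3.0.1`), but the description.txt rewritten in this same commit still says carol and dave ping alice with the virtual IPs as source; one of the two should be aligned, e.g. keep the original direction with `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` and the dave equivalent, or reword the description. The per-client `ip addr list dev eth0`, `ip route list table 220 ... src` and the two resolv.conf nameserver checks were dropped along with `dns1`/`dns2` on moon, so the test no longer verifies that the virtual IP is actually installed on the interface and used as the source route, only that the daemon logged it. If dropping DNS-attribute coverage here is deliberate because another test owns it, a one-line mention in description.txt would save the next reader from looking for it.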
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/config-payload/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index 729db45267..ad4c18e437 --- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/config-payload/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index b8817fe134..ad4c18e437 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf 
@@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - dns1 = PH_IP_WINNETOU - dns2 = PH_IP_VENUS +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..5b4f02142b --- /dev/null +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw-carol { + include swanctl_base.conf + pools = carol_vip + + remote { + auth = pubkey + id = carol@strongswan.org + } + } + + rw-dave { + include swanctl_base.conf + pools = dave_vip + + remote { + auth = pubkey + id = dave@strongswan.org + } + } + +} + +pools { + + carol_vip { + addrs = 10.3.0.1 + } + + dave_vip { + addrs = 10.3.0.2 + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf similarity index 100% rename from testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf rename to testing/tests/ikev2/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat old mode 100644 new mode 100755 index 1865a1c60e..eb21008563 --- a/testing/tests/ikev2/config-payload/posttest.dat +++ b/testing/tests/ikev2/config-payload/posttest.dat 
@@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat old mode 100644 new mode 100755 index bdbe341dd3..28f600c9d5 --- a/testing/tests/ikev2/config-payload/pretest.dat +++ b/testing/tests/ikev2/config-payload/pretest.dat @@ -1,11 +1,12 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cat /etc/swanctl/swanctl_base.conf +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw-carol carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf old mode 100644 new mode 100755 index 164b07ff97..1227b9d1c0 --- a/testing/tests/ikev2/config-payload/test.conf +++ b/testing/tests/ikev2/config-payload/test.conf @@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon alice" +TCPDUMPHOSTS="moon" # Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt index 8c0d37c888..4f472b83b6 100644 
--- a/testing/tests/ikev2/critical-extension/description.txt
+++ b/testing/tests/ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
 A connection between the subnets behind the gateways moon and sun is set up.
 The authentication is based on X.509 certificates which contain a critical but
-unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical
+unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical
 extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf,
 sun discards such certificates and aborts the connection setup.
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
index 900cc06dbb..a2e3861c50 100644
--- a/testing/tests/ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -1,8 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 sun:: cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.pem' failed::YES
+sun:: cat /var/log/daemon.log::loading '/etc/swanctl/x509/sunCert.pem' failed::YES
 sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3854859af1..0000000000
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ /dev/null
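Review bot: The two negative checks `net-net.*ESTABLISHED::NO` were removed without a swanctl replacement, so the evaltest no longer asserts the outcome this test exists for, namely that sun's rejection of the certificate keeps the SA from coming up; the remaining log greps only show that one authentication attempt failed. Put the negative assertions back in swanctl form, `moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED::NO` and `sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED::NO` (the connection is named `gw-gw` in the new swanctl.conf files). Note also that the moon/sun log lines above are context, so their greps were not re-validated against the charon-systemd log format in this commit.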
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf index 448093f9f5..4820644704 100644 --- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -1,10 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown multiple_authentication = no - + x509 { enforce_critical = no } diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..40ac707e42 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 13860bd3e9..0000000000 --- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf index dbcb7a368f..c9495c6968 100644 --- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown multiple_authentication = no -} +} \ No newline at end of file diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..2740c14bd9 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-curve25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
index 837738fc6a..4ee2ed6719 100644
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,2 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index 08ca6b54cd..bcc06dbccb 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,7 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
index b286ef6eba..d3016a886c 100644
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
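Review bot: `esp_proposals = aes128gcm128-curve25519` spells the DH group differently from moon's `aes128gcm128-x25519` in the peer file of this same commit and from sun's own IKE line `proposals = aes128-sha256-x25519`. As far as I know strongSwan accepts both keywords for group 31, so this is not a functional mismatch, but the inconsistency invites a reader to assume the two gateways are deliberately configured differently. Suggest `esp_proposals = aes128gcm128-x25519` to match moon.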
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/crl-ldap/description.txt b/testing/tests/ikev2/crl-ldap/description.txt index 46e7a69619..c8827bd791 100644 --- a/testing/tests/ikev2/crl-ldap/description.txt +++ b/testing/tests/ikev2/crl-ldap/description.txt @@ -1,6 +1,7 @@ -By setting strictcrlpolicy=yes a strict CRL policy is enforced on +By setting revocation = strict a strict CRL policy is enforced on both roadwarrior carol and gateway moon. Thus when carol initiates -the connection and only an expired CRL cache file in /etc/ipsec.d/crls is +the connection and only an expired CRL cache file in /etc/swanctl/x509crl is available, an ldap fetch to get the CRL from the LDAP server winnetou is successfully started and the IKE authentication completes. The new CRL is again -cached locally as a file in /etc/ipsec.d/crls due to the cachecrls=yes option. +cached locally as a file in /etc/swanctl/x509crl due to the cache_crls = yes +option in /etc/strongswan.conf. diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat index b0774c64dd..9f15796aac 100644 --- a/testing/tests/ikev2/crl-ldap/evaltest.dat +++ b/testing/tests/ikev2/crl-ldap/evaltest.dat 
@@ -1,11 +1,11 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::loaded crl from::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sa --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl/stale.crl::YES
 moon:: cat /var/log/daemon.log::crl is stale::YES
 moon:: cat /var/log/daemon.log::fetching crl from.*ldap::YES
 moon:: cat /var/log/daemon.log::crl is valid::YES
 moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::loaded crl from::YES
+carol::cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl/stale.crl::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
 carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
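Review bot: The moon line invokes `swanctl --list-sa --raw` while carol's line in the same hunk uses `--list-sas`; the documented command is `--list-sas`, and the moon variant only works if the option parser happens to accept the unambiguous abbreviation, which is an accident rather than a contract. Change the start of the line to `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 ...` so both hosts use the same flag. The `stale.crl` greps also hard-code the cache filename, which is fine as long as the fixture under /etc/swanctl/x509crl keeps that name.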
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 1c9a7c4f0a..0000000000 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - cachecrls=yes - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=2 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf index a9c6e8d4e6..6e553f2023 100644 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici + + cache_crls = yes } diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..af0c5687b4 --- /dev/null +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,31 @@ +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList' + } +} + +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 57fb7dd1bc..0000000000 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - cachecrls=yes - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=2 - keyexchange=ikev2 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules deleted file mode 100644 index debcc21811..0000000000 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules +++ /dev/null 
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow ldap crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index a9c6e8d4e6..6e553f2023 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici
+
+ cache_crls = yes
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..04c261188e
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList'
+ }
+}
+
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
index 8474bd3aac..f97a66b33e 100644
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-winnetou::/etc/init.d/slapd stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 6cb50d7e0f..663484ff0e 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,8 +1,6 @@
 winnetou::/etc/init.d/slapd start
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
index 892f51cd93..fdda0a04cb 100644
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
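Review bot: The new posttest.dat no longer stops the LDAP server: `-winnetou::/etc/init.d/slapd stop` is removed and nothing replaces it, while pretest.dat still runs `winnetou::/etc/init.d/slapd start` as a context line. slapd is therefore left running on winnetou after this test and leaks into whatever test is scheduled next on that host. Re-add `winnetou::/etc/init.d/slapd stop` to the new posttest.dat.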
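Review bot: The pretest drops both `iptables-restore < /etc/iptables.rules` lines, moon's iptables.rules is deleted in this commit, and neither the new charon-systemd load list nor the new swanctl.conf configures the updown plugin, so the test no longer runs behind the default-DROP firewall that only opened IKE, ESP, ssh and the LDAP CRL fetch to winnetou on port 389. That firewall was part of what crl-ldap exercised, so the coverage of this test shrinks silently. If that is intended the test description should say so; otherwise keep the rules file, add `updown = /usr/local/libexec/ipsec/_updown iptables` under the child as the double-nat-net swanctl.conf in this commit does, and restore the iptables-restore lines in pretest.dat and posttest.dat.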
@@ -19,3 +19,6 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 diff --git a/testing/tests/ikev2/crl-revoked/description.txt b/testing/tests/ikev2/crl-revoked/description.txt index b39c59c974..0559bd1656 100644 --- a/testing/tests/ikev2/crl-revoked/description.txt +++ b/testing/tests/ikev2/crl-revoked/description.txt @@ -1,4 +1,4 @@ -By setting strictcrlpolicy=yes a strict CRL policy is enforced on +By setting revocation = strict a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The remote host carol initiates the connection and presents a certificate that has been revoked by the -current CRL causing the IKE negotiation to fail. +current CRL causing the IKE negotiation to fail. diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 4f3e10ba17..6c30744e85 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,4 +1,4 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO moon:: cat /var/log/daemon.log::certificate was revoked::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100644 index fa67815e39..0000000000 
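Review bot: The two `::NO` expectations in the crl-revoked evaltest.dat are now very specific regular expressions (exact hosts, ports and ids), which weakens a negative check: a pattern that must not match also fails to match when any incidental detail differs, so an SA that was established with, say, a different port or id would still satisfy the `::NO` even though the revoked certificate had been accepted. Keep negative assertions minimal, e.g. `carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED::NO`, and let the positive `certificate was revoked` and `AUTHENTICATION_FAILED` lines carry the detail. The same applies to the two `::NO` lines in the crl-to-cache evaltest.dat below.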
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..b05ed2b339 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..3388bdc971
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 918d974130..0000000000
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index 7a64dce303..b05ed2b339 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..b86e0cf7dd
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,22 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
diff --git a/testing/tests/ikev2/crl-revoked/posttest.dat b/testing/tests/ikev2/crl-revoked/posttest.dat
index c6d6235f9d..79ad33de60 100644
--- a/testing/tests/ikev2/crl-revoked/posttest.dat
+++ b/testing/tests/ikev2/crl-revoked/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat
index d7f7959f1f..1cf07245b0 100644
--- a/testing/tests/ikev2/crl-revoked/pretest.dat
+++ b/testing/tests/ikev2/crl-revoked/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
index 892f51cd93..fdda0a04cb 100644
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/crl-to-cache/description.txt b/testing/tests/ikev2/crl-to-cache/description.txt
index 9f542e73d5..0e6f1cbd69 100644
--- a/testing/tests/ikev2/crl-to-cache/description.txt
+++ b/testing/tests/ikev2/crl-to-cache/description.txt
@@ -1,6 +1,8 @@
-By setting cachecrls=yes in ipsec.conf, a copy of the CRL fetched
-via http from the web server winnetou is saved locally in the
-directory /etc/ipsec.d/crls on both the roadwarrior carol
-and the gateway moon when the IPsec connection is set up. The
-subjectKeyIdentifier of the issuing CA plus the suffix .crl
-is used as a unique filename for the cached CRL.
+By setting cache_crls = yes in /etc/strongswan.conf, a copy of
+both the base CRL and the latest delta CRL fetched via http from
+the web server winnetou is saved locally in the directory
+/etc/swanctl/x509crl on both the roadwarrior carol and the
+gateway moon when the IPsec connection is set up.
+The subjectKeyIdentifier of the issuing CA plus the suffixes
+.crl and _delta.crl are used as unique filename for the
+cached base CRL and delta CRL, respectively.
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index f7417da6d9..91e34578f8 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,8 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
+carol::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 17a58545ce..0000000000
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
- cachecrls=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
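Review bot: The new expectations contradict the test's own description: the description.txt hunk above says the CRLs are cached "when the IPsec connection is set up", yet the evaltest now requires `state=ESTABLISHED` to be absent on both carol and moon (`::NO`) and requires carol to log `certificate was revoked` and `no trusted RSA public key found for.*moon.strongswan.org`, where the old evaltest required both SAs to be established. The first two lines are byte-identical to the crl-revoked evaltest.dat, so the `::NO` looks as if it may have been carried over by copy; if the connection is meant to succeed here they should read `::YES` and the two revocation lines be dropped, and if the delta CRL is meant to revoke moon's certificate the description should say so. The swanctl.conf files for this test are renamed without content in this diff, so which of the two is intended is not visible here.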
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..48e34abba3 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+ cache_crls = yes
 }
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index d2137d9693..0000000000
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index 82118b4101..48e34abba3 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
 
 cache_crls = yes
 }
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/crl-to-cache/posttest.dat b/testing/tests/ikev2/crl-to-cache/posttest.dat
index be17847c13..f97a66b33e 100644
--- a/testing/tests/ikev2/crl-to-cache/posttest.dat
+++ b/testing/tests/ikev2/crl-to-cache/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
diff --git a/testing/tests/ikev2/crl-to-cache/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat
index d7f7959f1f..1cf07245b0 100644
--- a/testing/tests/ikev2/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-to-cache/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
index 892f51cd93..fdda0a04cb 100644
--- a/testing/tests/ikev2/crl-to-cache/test.conf +++ b/testing/tests/ikev2/crl-to-cache/test.conf @@ -19,3 +19,6 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 diff --git a/testing/tests/ikev2/dhcp-dynamic/description.txt b/testing/tests/ikev2/dhcp-dynamic/description.txt index b29a1de78f..bef5423714 100644 --- a/testing/tests/ikev2/dhcp-dynamic/description.txt +++ b/testing/tests/ikev2/dhcp-dynamic/description.txt @@ -1,5 +1,5 @@ The roadwarriors carol and dave set up a connection each to gateway moon -and request a virtual IP via the IKEv2 configuration payload by using the leftsourceip=%config +and request a virtual IP via the IKEv2 configuration payload by using the vips=0.0.0.0 parameter. The dhcp plugin on gateway moon then requests an IP address and DNS server information from DHCP server venus using the DHCP protocol. The IP addresses are assigned dynamically by venus from the pool 10.1.0.50..10.1.0.60 so that carol and dave become full members diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat index 0c4914f14a..aa62bcec46 100644 --- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat +++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat 
@@ -1,15 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.51/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 0fbefa3fc2..9932df379b
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 729db45267..9932df379b
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp cur kernel-netlink socket-default resolve updown vici
 }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index c4a0ff8bbf..c00d3dc4be
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
 
 plugins {
 dhcp {
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index 60be3f95ce..d258f1e384 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 venus::cat /var/lib/dhcp/dhcpd.leases
 venus::service isc-dhcp-server stop 2> /dev/null
 venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index ff3c04b818..d8c1191cd4 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -3,11 +3,11 @@ carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 venus::cat /etc/dhcp/dhcpd.conf
 venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
index fd8a59c90c..853093c96b 100644
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a774f2a761..0000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw
- right=%any
- rightsourceip=%dhcp
- auto=add
diff --git a/testing/tests/ikev2/double-nat-net/description.txt b/testing/tests/ikev2/double-nat-net/description.txt
index ff09155f6e..19fcf274ef 100644
--- a/testing/tests/ikev2/double-nat-net/description.txt
+++ b/testing/tests/ikev2/double-nat-net/description.txt
@@ -1,7 +1,9 @@ The roadwarrior alice sitting behind the NAT router moon sets up a tunnel to the subnet hiding behind the NAT router sun. All IKE and ESP traffic directed to the router sun is forwarded to the VPN gateway bob -using destination NAT. UDP encapsulation is used to traverse the NAT routers. -leftfirewall=yes automatically inserts iptables-based firewall rules that -let pass the tunneled traffic. In order to test the double NAT-ed IPsec -tunnel alice pings the inner IP address of the router sun. +using destination NAT. UDP encapsulation is used to traverse the NAT routers. + +Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the double NAT-ed IPsec tunnel alice pings the inner IP address +of the router sun. \ No newline at end of file diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat index af29ce7b99..c46b138cb5 100644 --- a/testing/tests/ikev2/double-nat-net/evaltest.dat +++ b/testing/tests/ikev2/double-nat-net/evaltest.dat 
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+bob:: swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
 alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 38629d12aa..0000000000
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=bob@strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index 93f4345989..91e32f7ba4 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..1d3d753634
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ nat-t {
+ remote_addrs = sun.strongswan.org
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = bob@strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
deleted file mode 100644
index 1c4a807691..0000000000
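Review bot: The new swanctl.conf is added with `new file mode 100755`, i.e. executable, which a daemon configuration file has no reason to be; the header should read `new file mode 100644`. The same mode is used for every swanctl.conf created in this series (double-nat-net bob, double-nat alice and bob, dpd-clear carol and moon, dpd-restart carol and moon, dynamic-initiator carol), and the dynamic-initiator description.txt, evaltest.dat and carol strongswan.conf are additionally flipped from 100644 to 100755. Nothing visible in the test harness needs these files to be executable, so this looks like an unintended attribute change that should be reverted before merging.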
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.2.0.0/16
- leftcert=bobCert.pem
- leftid=bob@strongswan.org
- leftfirewall=yes
- right=%any
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index 93f4345989..91e32f7ba4 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..16e2b518d3
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ nat-t {
+
+ local {
+ auth = pubkey
+ certs = bobCert.pem
+ id = bob@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index ec663e70d9..5eee039227 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index e58c23480e..09dbe38c6d 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -5,8 +5,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
 sun::ip route add 10.1.0.0/16 via PH_IP_BOB
-alice::ipsec start
-bob::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
 bob::expect-connection nat-t
 alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
index d2e31d257a..33e1825b84 100644
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/double-nat/description.txt b/testing/tests/ikev2/double-nat/description.txt
index ce7de0e56c..1f2a6b734a 100644
--- a/testing/tests/ikev2/double-nat/description.txt
+++ b/testing/tests/ikev2/double-nat/description.txt
@@ -1,5 +1,7 @@
 The roadwarrior alice sitting behind the NAT router moon sets up a tunnel to the peer bob hiding behind the NAT router sun. UDP encapsulation is used to
-traverse the NAT routers. leftfirewall=yes automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
-tunnel alice pings bob.
+traverse the NAT routers.
+
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the double NAT-ed IPsec tunnel alice pings bob.
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 903226706e..b272d22960 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,5 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=bob@strongswan.org initiator=yes.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.10/32]::YES
+bob:: swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.2.0.10 local-port=4500 local-id=bob@strongswan.org remote-host=192.168.0.1 remote-port=.* remote-id=alice@strongswan.org.*nat-local=yes nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.10/32] remote-ts=\[10.1.0.10/32]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index fe5b5f2992..0000000000
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=bob@strongswan.org
- rightsubnet=PH_IP_BOB/32
- auto=add
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index 93f4345989..91e32f7ba4 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..5fab3c72a8
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ nat-t {
+ remote_addrs = sun.strongswan.org
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = bob@strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.10
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
deleted file mode 100644
index 1004ee9711..0000000000
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftcert=bobCert.pem
- leftid=bob@strongswan.org
- leftfirewall=yes
- right=%any
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index 93f4345989..91e32f7ba4 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e3d00a1c1e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ nat-t {
+
+ local {
+ auth = pubkey
+ certs = bobCert.pem
+ id = bob@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index f434b336c2..7445fb4595 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,5 +1,5 @@
-bob::ipsec stop
-alice::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 6f74000b53..5376a59ed8 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -4,8 +4,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
-alice::ipsec start
-bob::ipsec start
+bob::systemctl start strongswan
+alice::systemctl start strongswan
 bob::expect-connection nat-t
 alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
index d2e31d257a..33e1825b84 100644
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt
index 0fb2f10649..19cc5646c0 100644
--- a/testing/tests/ikev2/dpd-clear/description.txt
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -2,4 +2,3 @@ The roadwarrior carol sets up an IPsec tunnel connection to the gateway <
 which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol and moon is forcefully disrupted, moon clears the connection after a number of unsuccessful retransmits.
-
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index 2071e8fc84..5870b11172 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,8 +1,8 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: sleep 13::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
 moon:: cat /var/log/daemon.log::retransmit.*of request::YES
 moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e72f78742f..0000000000
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index af5fa19ef1..d42a9804c8 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a46e03788d
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128gcm16-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index 7a64dce303..d42a9804c8 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
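Review bot: This strongswan.conf hunk keeps the `charon {` section and only swaps `stroke` for `vici`, while the double-nat and double-nat-net hosts in the same series switch to `charon-systemd {`, even though pretest.dat now starts the daemon with `systemctl start strongswan` in both cases. If charon-systemd falls back to the `charon` section this still works, but the mixed style leaves it unclear which section is meant to be authoritative for a systemd-managed daemon. Using `charon-systemd {` here and in the dpd-clear moon and dpd-restart carol/moon strongswan.conf hunks would keep the series uniform.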
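Review bot: In the new carol swanctl.conf, `esp_proposals =aes128gcm16-x25519` is missing the space after `=` that every other key in the file has, and it spells the AEAD as `aes128gcm16` where the moon side of the same test writes `aes128gcm128-x25519`; the two are aliases for AES-GCM with a 128-bit ICV, but two spellings in one test invite a reader to assume they differ. Suggest `esp_proposals = aes128gcm128-x25519` here and in the dpd-restart carol swanctl.conf, which has the same line.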
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6ca9db7c9c
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ dpd_action = clear
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ dpd_delay = 10
+ }
+}
diff --git a/testing/tests/ikev2/dpd-clear/posttest.dat b/testing/tests/ikev2/dpd-clear/posttest.dat
index 931db4272e..617eff3d7b 100644
--- a/testing/tests/ikev2/dpd-clear/posttest.dat
+++ b/testing/tests/ikev2/dpd-clear/posttest.dat
@@ -1,3 +1,3 @@
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat
index d7f7959f1f..87be755a3c 100644
--- a/testing/tests/ikev2/dpd-clear/pretest.dat
+++ b/testing/tests/ikev2/dpd-clear/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
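Review bot: The `remote` block on moon carries only `auth = pubkey` and no `id`, whereas the ipsec.conf it replaces pinned the peer with `rightid=carol@strongswan.org`; with this configuration the gateway accepts any identity that presents a certificate chaining to a trusted CA, which quietly widens the authorization scope of the test compared to the stroke version. Adding `id = carol@strongswan.org` to the remote block restores the previous constraint and keeps the evaltest's `remote-id=carol@strongswan.org` expectation an authorization fact rather than a coincidence. The dpd-restart moon swanctl.conf has the same omission against its removed `rightid`.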
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 75b377f5f0..0000000000
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=10
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/dpd-hold/posttest.dat b/testing/tests/ikev2/dpd-hold/posttest.dat
deleted file mode 100644
index c6d6235f9d..0000000000
--- a/testing/tests/ikev2/dpd-hold/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev2/dpd-restart/description.txt b/testing/tests/ikev2/dpd-restart/description.txt
index 410d3d636f..4c3e027d43 100644
--- a/testing/tests/ikev2/dpd-restart/description.txt
+++ b/testing/tests/ikev2/dpd-restart/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon. Both end points activate Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol
-and moon is forcefully disrupted for a duration of 100 s, moon
-clears the connection after 4 unsuccessful retransmits whereas carol
-also takes down the connection but immediately tries to reconnect which succeeds
-as soon as the connection becomes available again.
+and moon is forcefully disrupted, moon clears the connection after
+some unsuccessful retransmits whereas carol also takes down the connection
+but immediately tries to reconnect which succeeds as soon as the connection
+becomes available again.
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 25c54df955..1a7d1b110f 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 carol::sleep 13::no output expected::NO
@@ -9,5 +9,5 @@ carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::sleep 2::no output expected::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index dfc77a43ae..0000000000
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ /dev/null
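Review bot: After the reconnect this hunk asserts that IKE_SA 2 is established on both sides but never checks that the original IKE_SA 1 was actually cleared on moon, so a gateway that keeps the stale SA alongside the new one still passes even though the description says moon clears the connection. The dpd-clear evaltest in this same series already uses a negative check for that case; an equivalent line here would pin it, e.g. `moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*state=ESTABLISHED::NO`. The `--ike-id 1` selector assumes moon's first SA got unique id 1, which the first hunk of this file already relies on.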
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=restart
- dpddelay=10
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index af5fa19ef1..d42a9804c8 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..4444f6d01e
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128gcm16-x25519
+ dpd_action = restart
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ dpd_delay = 10
+ }
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 75b377f5f0..0000000000
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=10
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index 7a64dce303..d42a9804c8 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..7aebd8fb0c
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ dpd_action = clear
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ dpd_delay = 5
+ }
+}
diff --git a/testing/tests/ikev2/dpd-restart/posttest.dat b/testing/tests/ikev2/dpd-restart/posttest.dat
index c6d6235f9d..ec5d4c48ad 100644
--- a/testing/tests/ikev2/dpd-restart/posttest.dat
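Review bot: `dpd_delay = 5` on moon contradicts the description.txt hunk of this same commit ("Both end points activate Dead Peer Detection (DPD) with a polling interval of 10 s") and the `dpddelay=10` in the ipsec.conf removed just above; carol's new swanctl.conf keeps `dpd_delay = 10`. If the shorter interval is deliberate, for instance so that moon gives up before the `sleep` steps in evaltest.dat expire, the description should say so; otherwise `dpd_delay = 10` keeps configuration and description in agreement.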
+++ b/testing/tests/ikev2/dpd-restart/posttest.dat
@@ -1,2 +1,2 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat
index d7f7959f1f..87be755a3c 100644
--- a/testing/tests/ikev2/dpd-restart/pretest.dat
+++ b/testing/tests/ikev2/dpd-restart/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
old mode 100644
new mode 100755
index 3e441b2fec..58517d655a
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
-The peers carol and moon both have dynamic IP addresses, so that the remote end
-is defined symbolically by right=<hostname>. The IKE daemon resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-% prefix in the right option will allow an IKE_SA rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
+The peers carol and moon both have dynamic IP addresses, so that the
+remote_addrs field contains a Fully Qualified Domain Name (FQDN) which
+is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
+This will allow an IKE_SA rekeying to arrive from an arbitrary IP address
+under the condition that the peer identity remains unchanged. When this happens
 the old tunnel is replaced by an IPsec connection to the new origin.
-In this scenario carol first initiates a tunnel to moon. After some time carol
-suddenly changes her IP address and restarts the connection to moon without deleting the
-old tunnel first (simulated by iptables blocking IKE packets to and from
-carol and starting the connection from host dave using carol's identity).
+In this scenario carol first initiates a tunnel to moon. After some
+time carol suddenly changes her IP address and restarts the connection to
+moon without deleting the old tunnel first (simulated by iptables blocking
+IKE packets to and from carol and starting the connection from host dave
+using carol's identity).
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
old mode 100644
new mode 100755
index 43ccdda743..6836543fea
--- a/testing/tests/ikev2/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -1,9 +1,7 @@
-carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::moon.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*moon.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
-moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
+moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for peer.*carol@strongswan.org.*, received INITIAL_CONTACT::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
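Review bot: The two new swanctl --list-sas patterns hard-code `local-host=192.168.0.100`, `local-host=192.168.0.200` and `remote-host=192.168.0.1`, while the retained auth.log lines in the same hunk describe the same hosts through the `PH_IP_CAROL` and `PH_IP_DAVE` placeholders, so the file now mixes two conventions for one set of addresses. Since placeholder substitution evidently applies to evaltest lines (the `PH_IP_ALICE` ping line relies on it), `local-host=PH_IP_CAROL ... remote-host=PH_IP_MOON` and `local-host=PH_IP_DAVE` would keep the file self-consistent and survive a renumbering of the test network; if literal addresses are the established convention for swanctl-based tests, this is a style remark only. Dave's line asserting `local-id=carol@strongswan.org` is correct for this scenario (dave re-initiates with carol's identity) but reads like a copy-paste slip without the description.txt at hand.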
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6fca045f65..0000000000 --- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn moon - left=%any - leftsourceip=%config - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=%moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..ad4c18e437 --- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..08b4b1a0f8 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@ +connections { + + moon { + remote_addrs = moon.strongswan.org + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + moon { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 6fca045f65..0000000000 --- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn moon - left=%any - leftsourceip=%config - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=%moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 6a2aea8118..0000000000 --- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..ad4c18e437 --- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf 
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..08b4b1a0f8 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + moon { + remote_addrs = moon.strongswan.org + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + moon { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2e5f01a062..0000000000 --- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn carol - left=%any - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=%carol.strongswan.org - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - auto=add 
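Review bot: The new swanctl.conf for dave is byte-identical to carol's (same blob 08b4b1a0f8) and configures dave with `certs = carolCert.pem` and `id = carol@strongswan.org`; nothing in the file records that this is deliberate, so a later cleanup could "correct" it to dave's own credentials and silently turn the duplicate-IKE_SA scenario into an ordinary second peer. A leading comment such as `# dave deliberately re-initiates with carol's identity and certificate (see description.txt)` would pin the intent. The posttest in this series removes `rsa/carolKey.pem` and `x509/carolCert.pem` from dave's /etc/swanctl, so presumably those files are provisioned from the test's hosts/dave tree, which is not visible in this chunk.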
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..db4fd85514 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + carol { + remote_addrs = carol.strongswan.org + pools = carol_vip + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + carol { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + unique = replace + } +} + +pools { + carol_vip { + addrs = 10.3.0.1 + } +} diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat old mode 100644 new mode 100755 index 715bb94822..784b2583a3 --- a/testing/tests/ikev2/dynamic-initiator/posttest.dat +++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat 
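Review bot: In moon's new swanctl.conf the `remote { auth = pubkey }` section of the carol connection carries no identity constraint, whereas the deleted ipsec.conf pinned the peer with `rightid=carol@strongswan.org`. As written, any peer presenting a certificate from a CA moon trusts can match this connection and be handed the single `carol_vip` address, and `unique = replace` would then tear down carol's SA on that peer's behalf; the scenario in description.txt is specifically about the identity staying fixed while the address changes. Adding `id = carol@strongswan.org` under `remote` restores the previous authorization and keeps the `destroying duplicate IKE_SA for peer.*carol@strongswan.org` check tied to the intended identity.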
@@ -1,8 +1,5 @@
-dave::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+dave::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
old mode 100644
new mode 100755
index 18cbc4505e..704e1f1866
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -1,13 +1,12 @@
-moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection carol
 carol::expect-connection moon
-carol::ipsec up moon
+carol::swanctl --initiate --child moon 2> /dev/null
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts
 dave::expect-connection moon
-dave::ipsec up moon
+dave::swanctl --initiate --child moon 2> /dev/null
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf
old mode 100644
new mode 100755
index 164b07ff97..37c3b73e13
--- a/testing/tests/ikev2/dynamic-initiator/test.conf
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
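Review bot: The posttest has no step that undoes the in-place edit the pretest hunk on this same line makes with `moon::sed -i 's/192.168.0.100/192.168.0.200/g' /etc/hosts`, so unless the guest filesystem is reset between tests, moon keeps resolving carol.strongswan.org to dave's address for every test that runs afterwards. A reverse sed is not a clean fix, since it would also rewrite dave's own 192.168.0.200 entry; the deleted dynamic-two-peers pretest used a swap (`moon::mv /etc/hosts /etc/hosts.ori`) that a posttest can undo, and the same pattern here — `moon::cp /etc/hosts /etc/hosts.ori` before the sed in pretest and `moon::mv /etc/hosts.ori /etc/hosts` in this posttest — restores the original file exactly. The forward sed likewise touches every 192.168.0.100 occurrence rather than only carol's entry, which is worth a note in the pretest if that is intended.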
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon alice" +TCPDUMPHOSTS="alice" # Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/dynamic-two-peers/description.txt b/testing/tests/ikev2/dynamic-two-peers/description.txt deleted file mode 100644 index a1616011e5..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/description.txt +++ /dev/null @@ -1,14 +0,0 @@ -The peers carol, dave, and moon all have dynamic IP addresses, -so that the remote end is defined symbolically by right=%<hostname>. -The ipsec starter resolves the fully-qualified hostname into the current IP address -via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are -expected to change over time, the prefix '%' is used as an implicit alternative to the -explicit rightallowany=yes option which will allow an IKE_SA rekeying to arrive -from an arbitrary IP address under the condition that the peer identity remains unchanged. -When this happens the old tunnel is replaced by an IPsec connection to the new origin. -
-In this scenario both carol and dave initiate a tunnel to -moon which has a named connection definition for each peer. Although -the IP addresses of both carol and dave are stale, thanks to -the '%' prefix moon will accept the IKE negotiations from the actual IP addresses. - diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat deleted file mode 100644 index 66660545e2..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat +++ /dev/null @@ -1,14 +0,0 @@ -carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6fca045f65..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn moon - left=%any - leftsourceip=%config - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=%moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 6493ce0b14..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn moon - left=%any - leftsourceip=%config - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=%moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale deleted file mode 100644 index ebff4ec250..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale +++ /dev/null 
@@ -1,67 +0,0 @@ -# /etc/hosts: This file describes a number of hostname-to-address -# mappings for the TCP/IP subsystem. It is mostly -# used at boot time, when no name servers are running. -# On small systems, this file can be used instead of a -# "named" name server. Just add the names, addresses -# and any aliases to this file... -# - -127.0.0.1 localhost - -192.168.0.254 uml0.strongswan.org uml0 -10.1.0.254 uml1.strongswan.org uml1 -10.2.0.254 uml1.strongswan.org uml2 - -10.1.0.10 alice.strongswan.org alice -10.1.0.20 venus.strongswan.org venus -10.1.0.1 moon1.strongswan.org moon1 -192.168.0.1 moon.strongswan.org moon -192.168.0.110 carol.strongswan.org carol -10.3.0.1 carol1.strongswan.org carol1 -192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org -192.168.0.220 dave.strongswan.org dave -10.3.0.2 dave1.strongswan.org dave1 -192.168.0.2 sun.strongswan.org sun -10.2.0.1 sun1.strongswan.org sun1 -10.2.0.10 bob.strongswan.org bob - -# IPv6 versions of localhost and co -::1 ip6-localhost ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -ff02::3 ip6-allhosts - -# IPv6 solicited-node multicast addresses -ff02::1:ff00:1 ip6-mcast-1 -ff02::1:ff00:2 ip6-mcast-2 -ff02::1:ff00:10 ip6-mcast-10 -ff02::1:ff00:15 ip6-mcast-15 -ff02::1:ff00:20 ip6-mcast-20 - -# IPv6 site-local addresses -fec1::10 ip6-alice.strongswan.org ip6-alice -fec1::20 ip6-venus.strongswan.org ip6-venus -fec1::1 ip6-moon1.strongswan.org ip6-moon1 -fec0::1 ip6-moon.strongswan.org ip6-moon -fec0::10 ip6-carol.strongswan.org ip6-carol -fec3::1 ip6-carol1.strongswan.org ip6-carol1 -fec0::15 ip6-winnetou.strongswan.org ip6-winnetou -fec0::20 ip6-dave.strongswan.org ip6-dave -fec3::2 ip6-dave1.strongswan.org ip6-dave1 -fec0::2 ip6-sun.strongswan.org ip6-sun -fec2::1 ip6-sun1.strongswan.org ip6-sun1 -fec2::10 ip6-bob.strongswan.org ip6-bob - -# IPv6 link-local HW derived addresses 
-fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus -fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice -fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1 -fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon -fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol -fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou -fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave -fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun -fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1 -fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf deleted file mode 100644 index d510e2e0c3..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=%any - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn carol - right=%carol.strongswan.org - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - auto=add - -conn dave - right=%dave.strongswan.org - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 - auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat deleted file mode 100644 index 843715379c..0000000000 --- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat +++ /dev/null 
@@ -1,13 +0,0 @@ -moon::mv /etc/hosts /etc/hosts.ori -moon::mv /etc/hosts.stale /etc/hosts -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection carol -carol::expect-connection moon -carol::ipsec up moon -dave::expect-connection moon -dave::ipsec up moon diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt deleted file mode 100644 index 0d5eb10152..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior carol proposes to gateway moon the authentication-only -ESP cipher suite NULL_AES_GMAC_256 by defining esp=aes256gmac-curve25519! -in ipsec.conf. A ping from carol to alice successfully checks -the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat deleted file mode 100644 index 293b5ab37d..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES -carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES -carol::ip xfrm state::aead rfc4543(gcm(aes))::YES -moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf deleted file mode 100644 index ebe0c277a0..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-aesxcbc-x25519! - esp=aes256gmac-x25519! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf deleted file mode 100644 index ce996478c9..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 1fdb1bd278..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-aesxcbc-x25519! - esp=aes256gmac-x25519! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 69f188e3d2..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat deleted file mode 100644 index 046d4cfdc4..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat deleted file mode 100644 index 4e457f1387..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES -carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES -moon:: ip xfrm state::auth-trunc hmac(md5)::YES -carol::ip xfrm state::auth-trunc hmac(md5)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a85034243b..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-md5-modp1024! - esp=3des-md5_128! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 2c4f3fc214..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 13908da142..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-md5-modp1024! - esp=3des-md5_128! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 2c4f3fc214..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat deleted file mode 100644 index 046d4cfdc4..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/esp-alg-md5-128/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat deleted file mode 100644 index b80e9f781c..0000000000 --- a/testing/tests/ikev2/esp-alg-null/evaltest.dat +++ /dev/null 
@@ -1,11 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES -carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES -moon:: ip xfrm state::enc ecb(cipher_null)::YES -carol::ip xfrm state::enc ecb(cipher_null)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 9991b0b24d..0000000000 --- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=null-sha256! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2a2c4cb9c0..0000000000 --- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-x25519! - esp=null-sha256! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat deleted file mode 100644 index 046d4cfdc4..0000000000 --- a/testing/tests/ikev2/esp-alg-null/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/esp-alg-null/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/esp-alg-null/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat deleted file mode 100644 index 20a9cf95f1..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES -carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES -moon:: ip xfrm state::auth-trunc hmac(sha1)::YES -carol::ip xfrm state::auth-trunc hmac(sha1)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 043c3d79f6..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha1-modp2048! - esp=aes128-sha1_160! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 3f13273876..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 86819631b0..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha1-modp2048! - esp=aes128-sha1_160! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf deleted file mode 100644 index be00a11eb2..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat deleted file mode 100644 index 046d4cfdc4..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat +++ /dev/null 
@@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat deleted file mode 100644 index e34f702774..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf deleted file mode 100644 index 4a5fc470f0..0000000000 --- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/host2host-ah/description.txt b/testing/tests/ikev2/host2host-ah/description.txt old mode 100644 new mode 100755 index 11d814f8cd..d2298b6cbf --- a/testing/tests/ikev2/host2host-ah/description.txt +++ b/testing/tests/ikev2/host2host-ah/description.txt @@ -1,5 +1,8 @@ An IPsec AH transport-mode connection using AES-XCBC between the hosts -moon and sun is successfully set up. leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the decrypted -IP packets. In order to test the host-to-host connection moon pings -sun. +moon and sun is set up.The authentication is based on +X.509 certificates. +
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/host2host-ah/evaltest.dat b/testing/tests/ikev2/host2host-ah/evaltest.dat
old mode 100644
new mode 100755
index 1e50ef458c..d29697a1e4
--- a/testing/tests/ikev2/host2host-ah/evaltest.dat
+++ b/testing/tests/ikev2/host2host-ah/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=AES_XCBC_96 prf-alg=PRF_AES128_XCBC dh-group=MODP_3072.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*AH.*integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 535e3d4917..0000000000
--- a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
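Review bot: The two new `swanctl --list-sas --raw` checks assert `mode=TRANSPORT` and the unchanged `moon::ping -c 1 PH_IP_SUN` line still drives the test from moon to sun, which contradicts the description.txt rewritten earlier in this commit: it now says `client alice behind gateway moon pings client bob located behind gateway sun` over an "IPsec tunnel", but no alice or bob appears in these checks and the connection is AH in transport mode. The description should be brought back in line with what this evaltest verifies (host-to-host, transport mode, moon pings sun), and its `set up.The authentication` is missing a space. The regex matchers themselves look consistent with the proposals configured in the new swanctl.conf files (AES_XCBC_96 integrity, MODP_3072).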
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- type=transport
- ah=aesxcbc
- auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 8d89cd0bb3..cc1872111d
--- a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..66816ede07
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ ah_proposals = aesxcbc
+ mode = transport
+
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-aesxcbc-modp3072
+ }
+}
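Review bot: The `host-host` child block in moon's new swanctl.conf ends with a stray blank line between `mode = transport` and its closing brace, which the otherwise identical sun file (31 lines against 32 here) does not have; dropping it keeps the two peer configurations diffable line by line. The child also pins `rekey_time = 5400`, `rekey_bytes = 500000000` and `rekey_packets = 1000000` where the deleted ipsec.conf for this test set no lifetimes at all, so the migration changes rekeying behaviour rather than merely translating the old config; a one-line comment above them such as `# explicit rekey limits; the former ipsec.conf relied on defaults` would make that intentional, presumably matching the values used by the other migrated swanctl tests — confirm. The `remote` section authenticates sun by `id` plus `auth = pubkey` only, so trust in the peer certificate rests entirely on the CA material installed on the host outside this file; that is the usual layout for these tests but is worth knowing when reading the config in isolation.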
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 9537c187ba..0000000000
--- a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- type=transport
- ah=aesxcbc
- auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 8d89cd0bb3..cc1872111d
--- a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..fcfdf1acf7
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ ah_proposals = aesxcbc
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-aesxcbc-modp3072
+ }
+}
diff --git a/testing/tests/ikev2/host2host-ah/posttest.dat b/testing/tests/ikev2/host2host-ah/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..683269aadb
--- a/testing/tests/ikev2/host2host-ah/posttest.dat
+++ b/testing/tests/ikev2/host2host-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat
old mode 100644
new mode 100755
index 36a8423217..f16a8d80f4
--- a/testing/tests/ikev2/host2host-ah/pretest.dat
+++ b/testing/tests/ikev2/host2host-ah/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection host-host
+moon::systemctl start strongswan
+sun::systemctl start strongswan
 moon::expect-connection host-host
-moon::ipsec up host-host
+sun::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-ah/test.conf b/testing/tests/ikev2/host2host-ah/test.conf
old mode 100644
new mode 100755
index 9647dc6a2a..52d886dcce
--- a/testing/tests/ikev2/host2host-ah/test.conf
+++ b/testing/tests/ikev2/host2host-ah/test.conf
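Review bot: `moon::swanctl --initiate --child host-host 2> /dev/null` in pretest.dat, and `moon::swanctl --terminate --ike host-host 2> /dev/null` in posttest.dat, discard swanctl's stderr, so when initiation or termination fails the reason never reaches the test log and only the later evaltest mismatches reveal that something went wrong. The replaced `moon::ipsec up host-host` kept that output. If the redirect is only meant to silence swanctl's routine progress log, redirecting stderr into the logged output instead of to `/dev/null` would keep the diagnostics; the same pattern appears in the host2host-cert and host2host-transport pretest/posttest hunks further down.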
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
old mode 100644
new mode 100755
index 876aa79808..8f7e6e9f48
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,6 +1,6 @@
 A connection between the hosts moon and sun is successfully set up. The authentication is based on X.509 certificates.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel moon pings sun.
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
old mode 100644
new mode 100755
index e0c40ba4dc..0ce4c43011
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
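Review bot: The two new `swanctl --list-sas --raw` assertions are placed after the unchanged `moon::ping -c 1 PH_IP_SUN` line, whereas the host2host-ah evaltest migrated in this same commit lists the SAs first and pings afterwards. Beyond making the migrated tests harder to compare side by side, the placement matters if the evaluator runs entries in file order, since it decides whether the SA listing is taken before or after traffic has flowed through the child SA; one order should be chosen for all of them. The host2host-transport evaltest below has the same ping-first placement. Note also that the new matchers rely on `.*` between `remote-id=sun.strongswan.org` and `encr-alg=`, so they stay valid even if further fields are inserted there, which is the right choice for `--raw` output.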
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat old mode 100644 new mode 100755 index 1f7aa73a15..683269aadb --- a/testing/tests/ikev2/host2host-cert/posttest.dat +++ b/testing/tests/ikev2/host2host-cert/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat old mode 100644 new mode 100755 index 36a8423217..f16a8d80f4 --- a/testing/tests/ikev2/host2host-cert/pretest.dat +++ b/testing/tests/ikev2/host2host-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection host-host +moon::systemctl start strongswan +sun::systemctl start strongswan moon::expect-connection host-host -moon::ipsec up host-host +sun::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf old mode 100644 new mode 100755 index 55d6e9fd6a..52d886dcce --- a/testing/tests/ikev2/host2host-cert/test.conf +++ b/testing/tests/ikev2/host2host-cert/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/host2host-transport/description.txt b/testing/tests/ikev2/host2host-transport/description.txt old mode 100644 new mode 100755 index fe3482c96f..bc5a1299bd 
--- a/testing/tests/ikev2/host2host-transport/description.txt
+++ b/testing/tests/ikev2/host2host-transport/description.txt
@@ -1,4 +1,6 @@
-An IPsec transport-mode connection between the hosts moon and sun is
-successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
-moon pings sun.
+An IPsec transport-mode connection between the hosts moon and sun
+is successfully set up. The authentication is based on X.509 certificates.
+
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel moon pings sun.
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
old mode 100644
new mode 100755
index 98251d12a3..b60b8adc4b
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 8d89cd0bb3..ad4c18e437
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..ad4c18e437 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } 
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat old mode 100644 new mode 100755 index 1f7aa73a15..683269aadb --- a/testing/tests/ikev2/host2host-transport/posttest.dat +++ b/testing/tests/ikev2/host2host-transport/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat old mode 100644 new mode 100755 index 36a8423217..f16a8d80f4 --- a/testing/tests/ikev2/host2host-transport/pretest.dat +++ b/testing/tests/ikev2/host2host-transport/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection host-host +moon::systemctl start strongswan +sun::systemctl start strongswan moon::expect-connection host-host -moon::ipsec up host-host +sun::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf old mode 100644 new mode 100755 index 5a286c84fe..52d886dcce --- a/testing/tests/ikev2/host2host-transport/test.conf +++ b/testing/tests/ikev2/host2host-transport/test.conf 
@@ -6,7 +6,7 @@
 # All guest instances that are required for this test
 #
 VIRTHOSTS="moon winnetou sun"
-
+
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
deleted file mode 100644
index 11423f7230..0000000000
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt
old mode 100644
new mode 100755
index 7bc4ef3ab6..f003db1314
--- a/testing/tests/ikev2/ip-pool-db/description.txt
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -1,10 +1,11 @@ The roadwarriors carol and dave set up a connection each to gateway moon. -Both carol and dave request a virtual IP via the IKEv2 configuration payload -by using the leftsourceip=%config parameter. The gateway moon assigns virtual IP -addresses from a pool named bigpool that was created in an SQL database by the command +Both carol and dave request a virtual IP via the IKEv2 configuration +payload by using the vips = 0.0.0.0 parameter. +moon assigns virtual IP addresses from a pool named bigpool that was created in +an SQL database by the command ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0.-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +The updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnels, carol and dave then ping the client alice behind the gateway moon. The source IP addresses of the two pings will be the -virtual IPs carol1 and dave1, respectively. +virtual IPs 10.3.0.1 and 10.3.0.2, respectively. diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat old mode 100644 new mode 100755 index 925e9a12f8..5133e426f8 --- a/testing/tests/ikev2/ip-pool-db/evaltest.dat +++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat 
@@ -1,38 +1,23 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256
dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2>
/dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP
dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 0fbefa3fc2..886b31f9b8
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 729db45267..886b31f9b8
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
}
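Review bot: moon's attribute pools are no longer verified anywhere in this evaltest: pretest.dat still provisions the `dns` and `nbns` pools with `ipsec pool --addattr` and posttest.dat still deletes them, but the only remaining evidence that they were served is the carol/dave log lines, and the NBNS attribute is in fact expected to fail (`handling INTERNAL_IP4_NBNS attribute failed::YES`). A moon-side line such as `moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES` would keep the attribute-pool path covered. The new `swanctl --list-sas --raw` lines pin the exact negotiated suite (AES_CBC-128, HMAC_SHA2_256_128, CURVE_25519, AES_GCM_16), which is the right way to catch a silent proposal downgrade; the same patterns recur in the ip-pool and ip-two-pools-db hunks, so a proposal change has to be mirrored in all three files.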
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index c22405914f..31cf56d246
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
plugins {
attr-sql {
@@ -12,4 +16,5 @@ charon {
pool {
load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..bef86d78af
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = big_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
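Review bot: The `rw` connection's `remote { auth = pubkey }` block in moon's new swanctl.conf carries no `id` or `cacerts` constraint, so any peer presenting a certificate that chains to a CA swanctl has loaded is admitted and handed a lease from `big_pool`; that is presumably the intended road-warrior setup (the trust anchor appears to come from the swanctl certificate directories, which are not part of this diff), but the file does not say so. A comment in the `remote` section such as `# any peer with a certificate issued by a loaded CA is accepted; the big_pool lease is bound to its certificate identity` would make the trust model explicit to whoever copies this test. Likewise `net` sets only `local_ts` and relies on `remote_ts` defaulting to the peer's assigned virtual IP; a one-line comment there would save the next reader a lookup.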
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
old mode 100644
new mode 100755
index 37436a3d9f..b18231a2e4
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,11 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del big_pool 2> /dev/null
moon::ipsec pool --del dns 2> /dev/null
moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
old mode 100644
new mode 100755
index c422045925..448aa260df
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,17 +1,17 @@
moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
old mode 100644
new mode 100755
index 31820ea1a6..5554b46696
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-pool/description.txt b/testing/tests/ikev2/ip-pool/description.txt
old mode 100644
new mode 100755
index fc3f8c63a0..7c866ba0d3
--- a/testing/tests/ikev2/ip-pool/description.txt
+++ b/testing/tests/ikev2/ip-pool/description.txt
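Review bot: The pool is renamed to `big_pool` in this pretest (and consistently in posttest.dat, moon's `pools = big_pool` and the evaltest `--status`/`--leases` filters), but the rewritten description.txt of the same test still says the pool is named `bigpool` and quotes it as created with `ipsec pool --name bigpool …`, while the command actually run here is `--add`. The description should read `moon assigns virtual IP addresses from a pool named big_pool that was created in` and show `ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0` as the example command. Note also that both `swanctl --initiate` lines discard stderr, so a failed initiation surfaces only indirectly through the SA checks in evaltest.dat.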
@@ -1,10 +1,10 @@
The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
-increasing order.
-
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload by using the vips = 0.0.0.0 parameter.
+moon assigns virtual IP addresses from a simple pool defined in the pools section
+of swanctl.conf in a monotonously increasing order.
+
+The updown script automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnels, carol and dave then ping the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
+pings will be the virtual IPs 10.3.0.1 and 10.3.0.2, respectively.
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
old mode 100644
new mode 100755
index 7de59030c7..36ab6c119f
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -1,30 +1,17 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
-dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org
status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index af5fa19ef1..ad4c18e437
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
old mode 100644
new mode 100755
index b757d8b152..eb21008563
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
old mode 100644
new mode 100755
index 164b07ff97..1227b9d1c0
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools-db/description.txt b/testing/tests/ikev2/ip-two-pools-db/description.txt
old mode 100644
new mode 100755
index 188b4349e2..4bad7b1b72
--- a/testing/tests/ikev2/ip-two-pools-db/description.txt
+++ b/testing/tests/ikev2/ip-two-pools-db/description.txt
@@ -1,14 +1,14 @@
The hosts alice, venus, carol, and dave set up tunnel connections
-to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP
-with the leftsourceip=%config parameter. Gateway moon assigns virtual
-IP addresses from a pool named extpool [10.3.0.1..10.3.1.244] to hosts connecting
-to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a pool named intpool
-[10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface.
+to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP
+from gateway moon which assigns virtual IP addresses from a pool named extpool
+[10.3.0.1..10.3.1.244] to hosts connecting to the eth0 (PH_IP_MOON) interface and virtual
+IP addresses from a pool named intpool [10.4.0.1..10.4.1.244] to hosts connecting to
+the eth1 (PH_IP_MOON1) interface.
Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1, respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2, respectively.
-
-By defining the composite IPsec SA: rightsubnet=10.3.0.0/16,10.4.0.0/16, each of the four
+
+By defining the composite traffic selector 10.3.0.0/16,10.4.0.0/16, each of the four
spokes can securely reach any other spoke via the central hub moon. This is demonstrated by alice and dave pinging the assigned virtual IP addresses of carol and venus.
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
old mode 100644
new mode 100755
index cf7ce20f98..16dc236690
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -1,19 +1,3 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
@@ -32,6 +16,14 @@ alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
 alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
 dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
old mode 100644
new mode 100755
index 729db45267..f021e9c96d
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve }
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
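Review bot: The child-SA patterns in the eight added swanctl checks match `mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16`, whereas the mult-auth-rsa-eap-sim-id evaltest in this commit anchors the same field as `mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16`. A bare `.*ESP.*` is also satisfied by the string ESP appearing anywhere else in the raw output, so pinning `protocol=ESP` asserts the protocol field itself and keeps the three evaltest files consistent. The same applies to the swanctl lines added to ip-two-pools/evaltest.dat.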
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index f0b74a7431..f021e9c96d --- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve } diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index 729db45267..f021e9c96d --- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve } 
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 1664d55aa3..fba531a52e --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici plugins { attr-sql { @@ -12,4 +16,5 @@ charon { pool { load = sqlite -} + database = sqlite:///etc/db.d/ipsec.db +} \ No newline at end of file diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf old mode 100644 new mode 100755 index 729db45267..f021e9c96d --- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf 
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve } diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat old mode 100644 new mode 100755 index dd4abebadf..526a1321b0 --- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat @@ -1,13 +1,13 @@ -alice::ipsec stop -venus::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop -alice::iptables-restore < /etc/iptables.flush -venus::iptables-restore < /etc/iptables.flush +carol::systemctl stop strongswan +dave::systemctl stop strongswan +alice::systemctl stop strongswan +venus::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush moon::ip route del 10.3.0.0/16 via PH_IP_MOON moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 moon::ipsec pool --del extpool 2> /dev/null 
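Review bot: The rewritten teardown in ip-two-pools-db/posttest.dat stops the daemons directly with `systemctl stop strongswan`, while ip-two-pools/posttest.dat in this commit first terminates the IKE SAs with `carol::swanctl --terminate --ike home` and `alice::swanctl --terminate --ike home` before stopping. Adding the equivalent `swanctl --terminate --ike home` lines for carol, dave, alice and venus ahead of the stop commands here makes the two tests tear down the same way and, if leases are released on termination, lets the pool entries be cleared before `ipsec pool --del` runs. I could not confirm from this diff whether the pool deletion depends on that ordering.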
@@ -15,3 +15,4 @@ moon::ipsec pool --del intpool 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
old mode 100644
new mode 100755
index 927de7d812..bddc456c01
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,23 +8,23 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
 moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::iptables-restore < /etc/iptables.rules
-venus::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-alice::ipsec start
-venus::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
 moon::expect-connection int
 moon::expect-connection ext
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
 venus::expect-connection home
-venus::ipsec up home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf old mode 100644 new mode 100755 index 167c75d9dc..9394e0289a --- a/testing/tests/ikev2/ip-two-pools-db/test.conf +++ b/testing/tests/ikev2/ip-two-pools-db/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="alice venus moon carol dave" # Guest instances on which databases are used # DBHOSTS="moon" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/ip-two-pools/description.txt b/testing/tests/ikev2/ip-two-pools/description.txt old mode 100644 new mode 100755 index 45b84f135d..df9f54a66a --- a/testing/tests/ikev2/ip-two-pools/description.txt +++ b/testing/tests/ikev2/ip-two-pools/description.txt @@ -1,9 +1,9 @@ The hosts alice and carol set up a tunnel connection each to gateway moon. -Both hosts request a virtual IP via the IKEv2 configuration payload by using the -leftsourceip=%config parameter. Gateway moon assigns virtual IP -addresses from a simple pool defined by rightsourceip=10.3.0.0/28 to hosts connecting -to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined -by rightsourceip=10.4.0.0/28 to hosts connecting to the eth1 (PH_IP_MOON1) interface. +Both hosts request a virtual IP via the IKEv2 configuration payload. +Gateway moon assigns virtual IP addresses from pool1 with an address range of +10.3.0.0/28 to hosts connecting to the eth0 (192.168.0.1) interface and +virtual IP addresses from pool2 with an address range of 10.4.0.0/28 to hosts +connecting to the eth1 (10.1.0.1) interface.
-Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and +Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and both ping the gateway moon. diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat old mode 100644 new mode 100755 index b620538d5f..cb3b60f4de --- a/testing/tests/ikev2/ip-two-pools/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat 
@@ -1,21 +1,17 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
 alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 
remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index 952df5e67a..ad4c18e437 --- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 93f4345989..ad4c18e437 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
old mode 100644
new mode 100755
index e4b0436960..f0a8f0f64c
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,6 +1,8 @@
-alice::ipsec stop
-carol::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+alice::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
old mode 100644
new mode 100755
index 8fb8dfb24a..fb6cb52797
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,12 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-alice::ipsec start
-moon::expect-connection int
-moon::expect-connection ext
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
old mode 100644
new mode 100755
index 1ed3473ab0..5f67b7ed5b
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -5,7 +5,7 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram #
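Review bot: `moon::expect-connection rw` in ip-two-pools/pretest.dat waits for a single connection named `rw`, but the evaltest in this commit expects moon's IKE SAs to be named `rw1` and `rw2` (`--ike-id 1 ... ::rw1.*` and `--ike-id 2 ... ::rw2.*`), which implies two connections in moon's swanctl.conf. If expect-connection matches the name exactly rather than as a prefix, the wait never succeeds and the initiations from carol and alice race the loading of moon's configuration; `moon::expect-connection rw1` and `moon::expect-connection rw2` would mirror the removed `int`/`ext` pair. Moon's swanctl.conf is only renamed here (similarity index 100%), so the connection names cannot be confirmed from this diff.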
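Review bot: `VIRTHOSTS` in ip-two-pools/test.conf gains `dave`, but nothing else in this test refers to dave: the diagram stays `a-m-c-w.png`, the `TCPDUMPHOSTS` and `IPSECHOSTS` lists in the next hunk name only moon, carol and alice, and the pretest, posttest and evaltest hunks address alice, carol and moon only. If dave is not needed, keeping `VIRTHOSTS="alice moon carol winnetou"` avoids booting an unused guest for this test; if it is needed, the description.txt should say what dave does.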
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="alice carol" +TCPDUMPHOSTS="carol alice" # Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="alice moon carol" +IPSECHOSTS="moon carol alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index db17d1e772..a520e5c2cb 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -4,18 +4,17 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with R
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* 
successful::YES dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES -moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default index 2968646e54..51b64a74b3 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default @@ -2,8 +2,8 @@ authorize { preprocess chap mschap - suffix files + suffix update reply { EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" @@ -19,6 +19,7 @@ authorize { ok = return } unix + files expiration logintime pap diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf deleted file mode 100644 index df44407687..0000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf +++ /dev/null 
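Review bot: The two negative assertions that dave's failed EAP-SIM authentication leaves no established IKE SA (`moon::ipsec status ...228060123456002@strongswan.org::NO` and `dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO`) are removed without a swanctl equivalent, so the rejected-peer outcome is now checked only through log lines and the failed ping. The positive carol checks were ported to `swanctl --list-sas --raw`, and the negative ones should be too, e.g. `dave::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon::swanctl --list-sas --raw 2> /dev/null::remote-id=228060123456002@strongswan.org::NO`. That keeps the test asserting directly that a failed second-round authentication never yields an SA on either end.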
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftauth=pubkey
- leftid=carol@strongswan.org
- leftcert=carolCert.pem
- leftauth2=eap
- leftid2=228060123456001@strongswan.org
- eap_identity=228060123456001
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 6a2aea8118..0000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 5615f44910..54b79b35d0 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
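Review bot: The new `load =` line on carol drops `md5`, which the removed line listed, while the dave strongswan.conf hunk of this commit never had it and the moon hunk keeps it; the three plugin allow-lists are otherwise identical and nothing records why they differ. If the asymmetry is intentional — presumably only moon, which runs eap-radius, still needs MD5 for the RADIUS message authenticator; confirm — a one-line comment above moon's load line such as `# md5 is kept for eap-radius (RADIUS message authentication); not needed on the clients` would keep the next copy-paste between the three files from silently re-adding or removing it. The same point applies to the dave and moon strongswan.conf hunks, which are not repeated here.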
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 01fb6b0a31..0000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftfirewall=yes
- leftauth=pubkey
- leftid=dave@strongswan.org
- leftcert=daveCert.pem
- leftauth2=eap
- leftid2=228060123456002@strongswan.org
- eap_identity=228060123456002
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 9031f323a0..0000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 51614f7163..54b79b35d0 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8dc0daeb53..0000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-mult
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- leftauth=pubkey
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- right=%any
- rightauth=pubkey
- rightid=*@strongswan.org
- rightauth2=eap-radius
- eap_identity=%any
- auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index aab6993ceb..b18ba68092 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
 
 plugins {
 eap-radius {
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index 4069be9cec..b517a1adf3 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index f3fdfe6fff..125ee22f9d 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,11 @@
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-mult
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 42d23a50bb..6781150128 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -23,3 +23,8 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
+
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
deleted file mode 100644
index 03426ac445..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 7f045801ee..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- rightsubnet=PH_IP_ALICE/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 9306bf9ec4..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn venus
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 776b5a5b3e..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=PH_IP_DAVE
- rightid=dave@strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
deleted file mode 100644
index 24cd041ed2..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
deleted file mode 100644
index dc6991db5d..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::expect-connection alice
-dave::expect-connection venus
-moon::expect-connection alice
-moon::expect-connection venus
-moon::ipsec up alice
-moon::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
deleted file mode 100644
index 06f9f6b917..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The VPN gateway moon grants access to the hosts alice and
-venus to anyone presenting a certificate belonging to a trust chain anchored
-in the strongSwan Root CA. The hosts carol and dave have certificates from
-the intermediate Research CA and Sales CA, respectively. Responder moon does not possess
-copies of the Research and Sales CA certificates and must therefore request them from
-the initiators carol and dave, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
deleted file mode 100644
index dcd271772e..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 5ee8ba0769..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 391bc91a68..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftsendcert=ifasked
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 565d0d829b..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
deleted file mode 100644
index 24cd041ed2..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
deleted file mode 100644
index 95ca1e5a3d..0000000000
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
deleted file mode 100644
index 49271bd8c6..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
-moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon:: cat /var/log/daemon.log::selected peer config.*alice.*unacceptable::YES
-moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
-moon:: ipsec status 2> /dev/null::alice.*moon.strongswan.org.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 9b28c50f5b..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fa36317e7a..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 082c2f2b5d..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fa36317e7a..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index deae852d49..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
- auto=add
-
-ca research
- cacert=researchCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList"
- auto=add
-
-ca sales
- cacert=salesCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
- auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
deleted file mode 100644
index debcc21811..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow ldap crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 2881b73c5f..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
deleted file mode 100644
index 6f0ec4b970..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-winnetou::/etc/init.d/slapd stop
-moon::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
deleted file mode 100644
index 815d7be1b7..0000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@ -winnetou::/etc/init.d/slapd start -moon::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection alice -moon::expect-connection venus -carol::expect-connection alice -carol::expect-connection venus -carol::ipsec up alice -carol::ipsec up venus -dave::expect-connection alice -dave::expect-connection venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf deleted file mode 100644 index 9bb88d79f0..0000000000 --- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat deleted file mode 100644 index 85bbe4ab9e..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES -carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status 2> /dev/null::alice.*INSTALLED::NO -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 991daafe1e..0000000000 
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_CAROL - leftcert=carolCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 7721b23470..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat b/testing/tests/ikev2/multi-level-ca-loop/posttest.dat deleted file mode 100644 index 076f51f4d7..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat deleted file mode 100644 index b71c416fb6..0000000000 --- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem -carol::ipsec start -moon::ipsec start -moon::expect-connection alice -carol::expect-connection alice -carol::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat deleted file mode 100644 index 913e8f454e..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat +++ /dev/null 
@@ -1,4 +0,0 @@ -moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES -carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED::NO -moon:: ipsec status 2> /dev/null::duck.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e8398629c5..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsendcert=ifasked - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add - diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 3038f522df..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp constraints x509 curl revocation hmac stroke kernel-netlink socket-default -} 
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 4d1286f4f1..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn duck - left=PH_IP_MOON - leftcert=moonCert.pem - leftsendcert=ifasked - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 0b6834b164..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation constraints hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat deleted file mode 100644 index f84b7e37ba..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat deleted file mode 100644 index a063a247aa..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec start -moon::ipsec start -moon::expect-connection duck -carol::expect-connection home -carol::ipsec up home 
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf deleted file mode 100644 index 5879643903..0000000000 --- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat deleted file mode 100644 index 008ff2cf86..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon:: cat /var/log/daemon.log::certificate was revoked::YES -carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO -carol::ipsec status 2> /dev/null::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e6bd872b02..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e2c8df2d6c..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat deleted file mode 100644 index f84b7e37ba..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat deleted file mode 100644 index 1d847c0136..0000000000 --- a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec start -carol::ipsec start -moon::expect-connection alice -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat b/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat deleted file mode 100644 index 5d445c27f8..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat +++ /dev/null 
@@ -1,4 +0,0 @@ -moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES -carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO -carol::ipsec status 2> /dev/null::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e6bd872b02..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e2c8df2d6c..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat b/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat deleted file mode 100644 index f84b7e37ba..0000000000 --- a/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat b/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat deleted file mode 100644 index 1d847c0136..0000000000 
--- a/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec start -carol::ipsec start -moon::expect-connection alice -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt deleted file mode 100644 index 6467d5222d..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -By setting strictcrlpolicy=yes, a strict CRL policy is enforced -on all peers. -The VPN gateway moon grants access to the hosts alice and -venus to anyone presenting a certificate belonging to a trust -chain anchored in the strongSwan Root CA. Therefore both road warriors -carol and dave, holding certificates from the Research CA -and Sales CA, respectively, can reach both alice and venus. diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat deleted file mode 100644 index 90ee6a7a4b..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 611f25995e..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftsendcert=ifasked - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf deleted file mode 100644 index abe0f3ad9a..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_DAVE - leftcert=daveCert.pem - leftsendcert=ifasked - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c58de462b3..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - crluri=http://crl.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftsendcert=ifasked - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA" - auto=add 
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca-strict/posttest.dat b/testing/tests/ikev2/multi-level-ca-strict/posttest.dat deleted file mode 100644 index 1646d5ed2f..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat deleted file mode 100644 index 91ade79081..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection alice -moon::expect-connection venus -carol::expect-connection alice -carol::expect-connection venus -carol::ipsec up alice -carol::ipsec up venus -dave::expect-connection alice -dave::expect-connection venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf deleted file mode 100644 index 9bb88d79f0..0000000000 --- a/testing/tests/ikev2/multi-level-ca-strict/test.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat deleted file mode 100644 index 10da97f988..0000000000 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ /dev/null 
@@ -1,19 +0,0 @@ -moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES -moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES -moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES -moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES -moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES -moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES -carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO -moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO -moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES -moon:: cat /var/log/daemon.log::selected peer config.*alice.*unacceptable::YES -moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES -dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES -dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 909118fb1f..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftsendcert=ifasked - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 95777460ee..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_DAVE - leftcert=daveCert.pem - leftsendcert=ifasked - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf deleted file mode 100644 index a607a0dc86..0000000000 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftsendcert=ifasked - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA" - auto=add diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat deleted file mode 100644 index 0f3f1ff895..0000000000 --- a/testing/tests/ikev2/multi-level-ca/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat deleted file mode 100644 index 91ade79081..0000000000 --- a/testing/tests/ikev2/multi-level-ca/pretest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection alice -moon::expect-connection venus -carol::expect-connection alice -carol::expect-connection venus -carol::ipsec up alice -carol::ipsec up venus -dave::expect-connection alice -dave::expect-connection venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf deleted file mode 100644 index 9bb88d79f0..0000000000 --- a/testing/tests/ikev2/multi-level-ca/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" 
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt index 9bef3cd186..7754c7f395 100644 --- a/testing/tests/ikev2/nat-rw-psk/description.txt +++ b/testing/tests/ikev2/nat-rw-psk/description.txt @@ -2,6 +2,7 @@ The roadwarriors alice and venus sitting behind the NAT router tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun.
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat index fbcb631ff0..cd171e8c90 100644 --- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat 
@@ -1,9 +1,14 @@ -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES -sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES -moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> 
/dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf index f6cb39c781..fd9bf8c7cc 100644 --- a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf 
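Review bot: The added sun `--ike-id 2` line for venus ends in `remote-ts=\[10.1.0.20/32]:YES` with a single colon, whereas every other line in this file ends in `::YES`. The evaltest format uses `::` as the field separator, so as written the regex itself ends in `:YES` (which never appears in `swanctl --list-sas --raw` output) and the expected-result field is empty; depending on how the harness treats an empty fourth field, venus's SA on sun is either never verified or reported as a failure. Change the tail to `remote-ts=\[10.1.0.20/32]::YES`. The same typo appears in the ikev2/nat-rw evaltest added by this commit.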
@@ -1,5 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 } diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf index f6cb39c781..7625e5066e 100644 --- a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf index f6cb39c781..fd9bf8c7cc 100644 --- a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf 
@@ -1,5 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 } diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat index bc7d237710..5f390cd62c 100644 --- a/testing/tests/ikev2/nat-rw-psk/posttest.dat +++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat @@ -1,6 +1,6 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop +sun::systemctl stop strongswan +alice::systemctl stop strongswan +venus::systemctl stop strongswan alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat index 1798d27b5a..105c42fa52 100644 --- a/testing/tests/ikev2/nat-rw-psk/pretest.dat +++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat 
@@ -1,16 +1,16 @@ alice::iptables-restore < /etc/iptables.rules venus::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules +alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/* +venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/* +sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/* moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::rm /etc/ipsec.d/cacerts/* -venus::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -sun::ipsec start -alice::ipsec start -venus::ipsec start +sun::systemctl start strongswan +alice::systemctl start strongswan +venus::systemctl start strongswan sun::expect-connection nat-t alice::expect-connection nat-t -alice::ipsec up nat-t +alice::swanctl --initiate --child nat-t venus::expect-connection nat-t -venus::ipsec up nat-t +venus::swanctl --initiate --child nat-t diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf index f515d4bc73..ecc95b8375 100644 --- a/testing/tests/ikev2/nat-rw-psk/test.conf +++ b/testing/tests/ikev2/nat-rw-psk/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt index 58b28bad29..1ee91b74dd 100644 --- a/testing/tests/ikev2/nat-rw/description.txt +++ b/testing/tests/ikev2/nat-rw/description.txt 
@@ -2,6 +2,7 @@ The roadwarriors alice and venus sitting behind the NAT router tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Authentication is based on X.509 certificates. -leftfirewall=yes automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat index 2d265b0d13..ae6aaed337 100644 --- a/testing/tests/ikev2/nat-rw/evaltest.dat +++ b/testing/tests/ikev2/nat-rw/evaltest.dat 
@@ -1,16 +1,12 @@ -alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES -venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES -sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES moon:: sleep 6::no output expected::NO bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf index 9d07c88e40..fd9bf8c7cc 100644 --- a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf 
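Review bot: The sun `--ike-id 2` check for venus ends in `remote-ts=\[10.1.0.20/32]:YES`, one colon short of the `::YES` terminator used by the other lines. With `::` as the field separator the pattern becomes `...remote-ts=\[10.1.0.20/32]:YES` and the hit field is empty, so this line cannot match real swanctl output and the venus SA on sun goes effectively unchecked (or is scored as a failure, depending on the harness). Change the tail to `remote-ts=\[10.1.0.20/32]::YES`, mirroring the `--ike-id 1` line above it.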
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown keep_alive = 5 } diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw/hosts/alice/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf index 93f4345989..7625e5066e 100644 --- a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf index 9d07c88e40..fd9bf8c7cc 100644 --- a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf 
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown keep_alive = 5 } diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/nat-rw/hosts/venus/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat index bc7d237710..5f390cd62c 100644 --- a/testing/tests/ikev2/nat-rw/posttest.dat +++ b/testing/tests/ikev2/nat-rw/posttest.dat @@ -1,6 +1,6 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop +sun::systemctl stop strongswan +alice::systemctl stop strongswan +venus::systemctl stop strongswan alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat index 36d23b5704..a1f1cffea7 100644 --- a/testing/tests/ikev2/nat-rw/pretest.dat +++ b/testing/tests/ikev2/nat-rw/pretest.dat 
@@ -3,11 +3,11 @@ venus::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::ipsec start -alice::ipsec start -venus::ipsec start +sun::systemctl start strongswan +alice::systemctl start strongswan +venus::systemctl start strongswan sun::expect-connection nat-t alice::expect-connection nat-t -alice::ipsec up nat-t +alice::swanctl --initiate --child nat-t venus::expect-connection nat-t -venus::ipsec up nat-t +venus::swanctl --initiate --child nat-t diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf index f515d4bc73..ecc95b8375 100644 --- a/testing/tests/ikev2/nat-rw/test.conf +++ b/testing/tests/ikev2/nat-rw/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/nat-virtual-ip/description.txt b/testing/tests/ikev2/nat-virtual-ip/description.txt old mode 100644 new mode 100755 index 31d24cda67..3d13a29267 --- a/testing/tests/ikev2/nat-virtual-ip/description.txt +++ b/testing/tests/ikev2/nat-virtual-ip/description.txt 
@@ -1,6 +1,6 @@ The router moon sets up a connection to gateway sun in order to reach the subnet hidden behind sun. The gateway sun assigns a -virtual IP address to router moon. A special updown script on moon -specified by leftupdown=/etc/nat_updown dynamically inserts a source NAT rule -which maps the IP address of client alice to the virtual IP of moon. -This allows alice to access client bob via the established IPsec tunnel. +virtual IP address to router moon. A special nat_updown script on moon +dynamically inserts a source NAT rule which maps the IP address of client alice to +the virtual IP of moon. This allows alice to access client bob via the +established IPsec tunnel. diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat old mode 100644 new mode 100755 index d4910ea678..f84d422245 --- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat 
@@ -1,5 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.4.0.1/32]::YES
 moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 46fc364ddd..0000000000
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsourceip=%config - leftupdown=/etc/nat_updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..ad4c18e437 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..14cba87cb4 --- /dev/null +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf 
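Review bot: The rewritten moon strongswan.conf drops `multiple_authentication = no`, which the removed `charon { }` block set, and the new `charon-systemd { }` block does not carry it over; sun's strongswan.conf in this commit does the same. None of the new evaltest lines depend on that setting, so this may well be intentional, but it is a behaviour change of the test peers (they will now advertise MULTIPLE_AUTH_SUPPORTED) that the commit message does not mention. Either add `multiple_authentication = no` inside `charon-systemd { }` on both gateways, or add a one-line comment such as `# multiple_authentication left at default: not exercised by this test` so the next reader knows the drop was deliberate.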
@@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + remote_ts = 10.2.0.0/16 + + updown = /etc/nat_updown + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 1d7ba47eed..0000000000 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsourceip=10.4.0.0/24 - auto=add diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..ad4c18e437 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..addc7f1e3d --- /dev/null +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,39 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = 10.4.0.0/24 + } +} diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat old mode 100644 new mode 100755 index b9fbde7cb7..131a3c2b14 --- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/nat_updown 
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat old mode 100644 new mode 100755 index 08ca6b54cd..2d3c8c1e20 --- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan +sun::systemctl start strongswan +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf old mode 100644 new mode 100755 index f46f137b40..6fc02816b7 --- a/testing/tests/ikev2/nat-virtual-ip/test.conf +++ b/testing/tests/ikev2/nat-virtual-ip/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun bob" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun bob" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/net2net-ah/description.txt b/testing/tests/ikev2/net2net-ah/description.txt old mode 100644 new mode 100755 index 7816aa2756..18626d08e8 --- a/testing/tests/ikev2/net2net-ah/description.txt +++ b/testing/tests/ikev2/net2net-ah/description.txt 
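Review bot: `moon::swanctl --initiate --child net-net 2> /dev/null` discards swanctl's stderr, so a failed initiation (child name mismatch, vici socket not yet up after `systemctl start strongswan`) leaves no trace in the test log and only surfaces indirectly through evaltest. The nat-rw and nat-rw-psk pretests rewritten in this same commit call `swanctl --initiate --child nat-t` without the redirect. For consistency and easier debugging, drop the `2> /dev/null` here unless swanctl is known to print noise on stderr in this scenario.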
@@ -1,7 +1,9 @@
 A connection between the subnets behind the gateways moon and sun is set up.
-With ah=sha256-sha384! gateway moon proposes the use of AH.
-Gateway sun selects SHA2_256_128 for integrity protection with its ah=sha256!
-configuration.
+The authentication is based on X.509 certificates. With ah=sha256-sha384
+gateway moon proposes the use of AH. Gateway sun selects HMAC_SHA2_256_128
+for integrity protection with its ah=sha256 configuration.
 
-Upon the successful establishment of the AH CHILD SA, client alice behind
-gateway moon pings client bob located behind gateway sun.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-ah/evaltest.dat b/testing/tests/ikev2/net2net-ah/evaltest.dat
old mode 100644
new mode 100755
index 69a7165cf8..bc4305ee66
--- a/testing/tests/ikev2/net2net-ah/evaltest.dat
+++ b/testing/tests/ikev2/net2net-ah/evaltest.dat
@@ -1,11 +1,5 @@
-sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_SHA2_256_128/HMAC_SHA2_384_192/NO_EXT_SEQ::YES
-sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*AH.*integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
-moon::ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
-sun:: ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e8eaa4887c..0000000000
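Review bot: Replacing the `ipsec status`/`statusall` checks also drops the two daemon.log assertions on sun (`received proposals` and `selected proposal`), so the evaltest no longer verifies that moon offered both HMAC_SHA2_256_128 and HMAC_SHA2_384_192 and that sun narrowed the choice, which is exactly the negotiation the rewritten description.txt still promises. The new `--list-sas --raw` regexes only confirm that the resulting AH child SA ends up with `integ-alg=HMAC_SHA2_256_128`, not what was proposed. Consider keeping `sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_SHA2_256_128/HMAC_SHA2_384_192/NO_EXT_SEQ::YES` and `sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES`, since those log lines do not depend on the stroke/swanctl front end.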
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- ah=sha256-sha384!
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index ca7ff4f591..32a76978f7
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- cfg = 2
- knl = 2
- }
- }
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..4e94ee39e1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ ah_proposals = sha256-sha384
+
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-modp3072
+ }
+}
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 95e90fd09d..0000000000
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- ah=sha256!
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index ca7ff4f591..32a76978f7
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
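Review bot: There is a stray blank line between `ah_proposals = sha256-sha384` and the closing brace of the `net-net` child, which the otherwise parallel sun swanctl.conf added later in this commit does not have (hence 34 versus 33 lines). Dropping it keeps the two gateway configurations line-for-line comparable, which is how these test pairs are usually read side by side.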
@@ -1,12 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- cfg = 2
- knl = 2
- }
- }
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..ab4b369ebb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ ah_proposals = sha256
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-modp3072
+ }
+}
diff --git a/testing/tests/ikev2/net2net-ah/posttest.dat b/testing/tests/ikev2/net2net-ah/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..cc6a5bff73
--- a/testing/tests/ikev2/net2net-ah/posttest.dat
+++ b/testing/tests/ikev2/net2net-ah/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat
old mode 100644
new mode 100755
index bcc2cb04d8..2d3c8c1e20
--- a/testing/tests/ikev2/net2net-ah/pretest.dat
+++ b/testing/tests/ikev2/net2net-ah/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-ah/test.conf b/testing/tests/ikev2/net2net-ah/test.conf
old mode 100644
new mode 100755
index afa2accbec..07a3b247a1
--- a/testing/tests/ikev2/net2net-ah/test.conf
+++ b/testing/tests/ikev2/net2net-ah/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-cert/description.txt b/testing/tests/ikev2/net2net-cert/description.txt
old mode 100644
new mode 100755
index 7eea9192f7..b00bf17cc2
--- a/testing/tests/ikev2/net2net-cert/description.txt
+++ b/testing/tests/ikev2/net2net-cert/description.txt
@@ -1,6 +1,7 @@
 A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates. Upon the successful
-establishment of the IPsec tunnel, leftfirewall=yes automatically
+The authentication is based on X.509 certificates.
+
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client alice behind gateway moon
 pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
old mode 100644
new mode 100755
index fe4aa5ab10..4c56d5299b
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 2cb7f03e01..ad4c18e437
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- signature_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 2cb7f03e01..ad4c18e437
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- signature_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
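Review bot: The new `charon-systemd` section drops `signature_authentication = no` from the moon strongswan.conf (and, in the sun hunk later on this line, from sun as well), so the net2net-cert peers will now negotiate RFC 7427 signature authentication instead of the legacy RSA signature method the old `charon` section forced. The evaltest rewritten in the preceding hunk pins the IKE_SA and child-SA algorithms but not the authentication scheme, so the change goes untested and is not mentioned in the description. If the switch is intended, consider adding an assertion in the style of the ed25519 test, e.g. `moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA.*successful::YES`; if the old method is meant to be kept, add `signature_authentication = no` under `charon-systemd {` on both hosts.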
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
old mode 100644
new mode 100755
index 837738fc6a..cc6a5bff73
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
old mode 100644
new mode 100755
index bcc2cb04d8..2d3c8c1e20
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-childless/description.txt b/testing/tests/ikev2/net2net-childless/description.txt
similarity index 100%
rename from testing/tests/swanctl/net2net-childless/description.txt
rename to testing/tests/ikev2/net2net-childless/description.txt
diff --git a/testing/tests/swanctl/net2net-childless/evaltest.dat b/testing/tests/ikev2/net2net-childless/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-childless/evaltest.dat
rename to testing/tests/ikev2/net2net-childless/evaltest.dat
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-childless/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-childless/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-childless/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-cert/posttest.dat
rename to testing/tests/ikev2/net2net-childless/posttest.dat
diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-childless/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-cert/pretest.dat
rename to testing/tests/ikev2/net2net-childless/pretest.dat
diff --git a/testing/tests/swanctl/net2net-childless/test.conf b/testing/tests/ikev2/net2net-childless/test.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-childless/test.conf
rename to testing/tests/ikev2/net2net-childless/test.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt
old mode 100644
new mode 100755
index 9893359c0c..d3d348b35c
--- a/testing/tests/ikev2/net2net-dnssec/description.txt
+++ b/testing/tests/ikev2/net2net-dnssec/description.txt
@@ -2,7 +2,7 @@ A connection between the subnets behind the gateways moon and sun
 The authentication is based on trustworthy public keys stored as IPSECKEY
 resource records in the Domain Name System (DNS) and protected by DNSSEC.
 
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client alice behind gateway moon
 pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
old mode 100644
new mode 100755
index f5a1a5d097..46ad0df42c
--- a/testing/tests/ikev2/net2net-dnssec/evaltest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
@@ -1,9 +1,7 @@
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
 sun:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a7799439ed..0000000000
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftsigkey=moonPub.pem
- leftauth=pubkey
- leftfirewall=yes
- right=sun.strongswan.org
- rightid=sun.strongswan.org
- rightsubnet=10.2.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index d4c8c5595c..82a86a5c66
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,15 +1,19 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
 
 plugins {
 ipseckey {
 enable = yes
 }
 unbound {
- # trust_anchors = /etc/ipsec.d/dnssec.keys
- # resolv_conf = /etc/resolv.conf
+ trust_anchors = /etc/swanctl/dnssec.keys
+ resolv_conf = /etc/resolv.conf
 }
 }
 }
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/dnssec.keys
similarity index 100%
rename from testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
rename to testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..fcbb025968
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ pubkeys = moonPub.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 06704e68ac..0000000000
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftsigkey=sunPub.pem
- leftauth=pubkey
- leftfirewall=yes
- right=moon.strongswan.org
- rightid=moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index d4c8c5595c..82a86a5c66
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -1,15 +1,19 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
 
 plugins {
 ipseckey {
 enable = yes
 }
 unbound {
- # trust_anchors = /etc/ipsec.d/dnssec.keys
- # resolv_conf = /etc/resolv.conf
+ trust_anchors = /etc/swanctl/dnssec.keys
+ resolv_conf = /etc/resolv.conf
 }
 }
 }
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/dnssec.keys
similarity index 100%
rename from testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
rename to testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e8aaaa438d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ pubkeys = sunPub.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat
old mode 100644
new mode 100755
index c594c4dc8d..3eb4ac13ba
--- a/testing/tests/ikev2/net2net-dnssec/posttest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat
@@ -1,8 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::cd /etc/swanctl; rm dnssec.keys pubkey/*
+sun::cd /etc/swanctl; rm dnssec.keys pubkey/*
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/resolv.conf
-sun::rm /etc/resolv.conf
-moon::rm /etc/ipsec.d/dnssec.keys
-sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
old mode 100644
new mode 100755
index c7e2c61623..9e143f0348
--- a/testing/tests/ikev2/net2net-dnssec/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -1,9 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+sun::cd /etc/swanctl; rm x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf
old mode 100644
new mode 100755
index afa2accbec..07a3b247a1
--- a/testing/tests/ikev2/net2net-dnssec/test.conf
+++ b/testing/tests/ikev2/net2net-dnssec/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
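Review bot: The posttest hunk removes the `rm /etc/resolv.conf` cleanup on moon and sun while the strongswan.conf hunks in this test now point the unbound plugin at that file explicitly via `resolv_conf = /etc/resolv.conf`; if resolv.conf is still provisioned per test, as the old cleanup suggests, it now survives into the tests that run afterwards. Either keep `moon::rm /etc/resolv.conf` and `sun::rm /etc/resolv.conf`, or confirm that the file is now part of the base guest image and no longer test-specific. The new `cd /etc/swanctl; rm dnssec.keys pubkey/*` lines do cover the renamed trust-anchor file and the `moonPub.pem`/`sunPub.pem` material referenced by `pubkeys` in the new swanctl.conf files.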
diff --git a/testing/tests/ikev2/net2net-ed25519/description.txt b/testing/tests/ikev2/net2net-ed25519/description.txt
old mode 100644
new mode 100755
diff --git a/testing/tests/ikev2/net2net-ed25519/evaltest.dat b/testing/tests/ikev2/net2net-ed25519/evaltest.dat
old mode 100644
new mode 100755
index cb29fa6bdb..ebbb8ae753
--- a/testing/tests/ikev2/net2net-ed25519/evaltest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/evaltest.dat
@@ -1,9 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
 sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e85ec33e08..0000000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftauth=pubkey
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightauth=pubkey
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 54790b60fd..0000000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PKCS8 moonKey.pem
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 021f78e8c5..a35aea01cc
--- a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
 }
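Review bot: The rewritten moon strongswan.conf at the end of this line silently drops the `multiple_authentication = no` that the old `charon` section carried, and the sun counterpart as well as both net2net-esn strongswan.conf hunks do the same, whereas the net2net-multicast hunks keep the line as context under the new `charon-systemd` block. Presumably the relaxation is harmless for a single-round pubkey test, but the inconsistency makes it impossible to tell whether the setting was dropped on purpose. Either carry `multiple_authentication = no` over into `charon-systemd { ... }` here and in the three sibling hunks, or drop it from the multicast files too and say so in the commit message.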
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index cfe9955110..0000000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftauth=pubkey
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightauth=pubkey
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index e3850f0aa3..0000000000
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PKCS8 sunKey.pem
-
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 021f78e8c5..a35aea01cc
--- a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-ed25519/posttest.dat b/testing/tests/ikev2/net2net-ed25519/posttest.dat
old mode 100644
new mode 100755
index 837738fc6a..321fd34e2b
--- a/testing/tests/ikev2/net2net-ed25519/posttest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/posttest.dat
@@ -1,5 +1,7 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/ikev2/net2net-ed25519/pretest.dat b/testing/tests/ikev2/net2net-ed25519/pretest.dat
old mode 100644
new mode 100755
index bcc2cb04d8..1ab4f5f459
--- a/testing/tests/ikev2/net2net-ed25519/pretest.dat
+++ b/testing/tests/ikev2/net2net-ed25519/pretest.dat
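Review bot: The posttest.dat hunk on this line deletes `/etc/swanctl/pkcs8/*` on both gateways, and the pretest.dat hunk that follows deletes `/etc/swanctl/rsa/moonKey.pem` and `/etc/swanctl/rsa/sunKey.pem` so that only the Ed25519 keys are offered, but nothing in either file puts the RSA keys back. Unless the harness re-provisions /etc/swanctl between runs, every later test that expects moonKey.pem or sunKey.pem would then fail to load a private key; if the harness does restore them, that dependency is invisible from the test directory. The safest form is a symmetric cleanup, or at least a sentence in description.txt stating that the RSA keys are removed for the duration of this test and restored by the framework.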
@@ -1,7 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-ed25519/test.conf b/testing/tests/ikev2/net2net-ed25519/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-ed25519/test.conf
+++ b/testing/tests/ikev2/net2net-ed25519/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-esn/description.txt b/testing/tests/ikev2/net2net-esn/description.txt
old mode 100644
new mode 100755
index c9da6820bf..35c8ba8dec
--- a/testing/tests/ikev2/net2net-esn/description.txt
+++ b/testing/tests/ikev2/net2net-esn/description.txt
@@ -1,7 +1,10 @@
 A connection between the subnets behind the gateways moon and sun is set up.
-With esp=aes128-sha256-esn-noesn! gateway moon proposes the use of
+With esp=aes128gcm128-esn-noesn-x25519 gateway moon proposes the use of
 Extended Sequence Numbers but can also live without them. Gateway sun
-defines esp=aes128-sha256-esn! and thus decides on the use of ESN.
+defines esp=aes128gcm128-esn-x25519 and thus decides on the use of ESN.
+The authentication is based on X.509 certificates.
-Upon the successful establishment of the CHILD SA with ESN, client alice behind
-gateway moon pings client bob located behind gateway sun 10 times.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat
old mode 100644
new mode 100755
index 534ace9e1b..1cf59f7493
--- a/testing/tests/ikev2/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -1,16 +1,7 @@
-sun:: cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ::YES
-sun:: cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
-sun:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 esn=1.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128 esn=1.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 sun:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
-
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 71f5442c0f..0000000000
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128-sha256-esn-noesn!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index ca7ff4f591..ad4c18e437
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- cfg = 2
- knl = 2
- }
- }
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..de7927edaf
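Review bot: The new net2net-esn evaltest.dat (the hunk ending on this line) no longer checks what sun received and selected; the only ESN evidence left is `esn=1` in the swanctl listing and the `0x10100000` xfrm flag, which prove ESN is in use but not that moon offered both EXT_SEQ and NO_EXT_SEQ and that sun's ESN-only proposal made the choice, which the description says is the point of the test. Keeping a daemon.log check in the shape of the removed `received proposals: ESP:...EXT_SEQ/NO_EXT_SEQ` line, adapted to the new AES-GCM/x25519 algorithms, would pin that negotiation. Note that the moon and sun strongswan.conf hunks of this test also drop the `syslog { daemon { cfg = 2 ... } }` block, so such a line must be verified against the default log level before it is added.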
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-esn-noesn-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 9e0df81115..0000000000
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128-sha256-esn!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index ca7ff4f591..ad4c18e437
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
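Review bot: The moon swanctl.conf created here offers `esp_proposals = aes128gcm128-esn-noesn-x25519` while the sun counterpart in the next section pins `esp_proposals = aes128gcm128-esn-x25519`; that asymmetry is the whole point of the test, but nothing in either file says so, and a later cleanup could easily "harmonise" the two and silently turn the test into a plain ESN-on-both-sides check. A comment above the moon line, e.g. `# offer both ESN and non-ESN; sun's ESN-only proposal decides`, and its mirror on sun, `# ESN only: decides the outcome of moon's esn/noesn offer`, would protect the intent. The description.txt hunk already explains it in prose, so only the config files lack the hint.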
@@ -1,12 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- cfg = 2
- knl = 2
- }
- }
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..0278fc93c0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-esn-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
old mode 100644
new mode 100755
index 837738fc6a..cc6a5bff73
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
old mode 100644
new mode 100755
index bcc2cb04d8..2d3c8c1e20
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
deleted file mode 100644
index 0ec8acc195..0000000000
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
-sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 3 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message (.*bytes) into 2 fragments::YES
-moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
-moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembled fragmented IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #1 of 3, waiting for complete IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #2 of 3, waiting for complete IKE message::YES
-sun::cat /var/log/daemon.log::received fragment #3 of 3, reassembled fragmented IKE message::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bb0b2b0697..0000000000
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- fragmentation=yes
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 855bb44096..0000000000
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- fragmentation=yes
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/swanctl/net2net-gw/description.txt b/testing/tests/ikev2/net2net-gw/description.txt
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/description.txt
rename to testing/tests/ikev2/net2net-gw/description.txt
diff --git a/testing/tests/swanctl/net2net-gw/evaltest.dat b/testing/tests/ikev2/net2net-gw/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/evaltest.dat
rename to testing/tests/ikev2/net2net-gw/evaltest.dat
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/net2net-gw/posttest.dat b/testing/tests/ikev2/net2net-gw/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/posttest.dat
rename to testing/tests/ikev2/net2net-gw/posttest.dat
diff --git a/testing/tests/swanctl/net2net-gw/pretest.dat b/testing/tests/ikev2/net2net-gw/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/pretest.dat
rename to testing/tests/ikev2/net2net-gw/pretest.dat
diff --git a/testing/tests/swanctl/net2net-gw/test.conf b/testing/tests/ikev2/net2net-gw/test.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-gw/test.conf
rename to testing/tests/ikev2/net2net-gw/test.conf
diff --git a/testing/tests/ikev2/net2net-multicast/evaltest.dat b/testing/tests/ikev2/net2net-multicast/evaltest.dat
index 7649abc5b8..6efa23a00b 100644
--- a/testing/tests/ikev2/net2net-multicast/evaltest.dat
+++ b/testing/tests/ikev2/net2net-multicast/evaltest.dat
@@ -1,11 +1,9 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
index 904a5fa6ee..812c12bf94 100644
--- a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,14 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 multiple_authentication = no
+
 plugins {
 forecast {
 groups = 224.0.0.251
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
index 904a5fa6ee..1c5da7b88b 100644
--- a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,9 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 multiple_authentication = no
+
 plugins {
 forecast {
 groups = 224.0.0.251
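Review bot: The sun strongswan.conf hunk at the end of this line only gains the `charon-systemd` block, whereas the moon hunk just before it also adds `swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random }`. sun runs the swanctl tool as well (`sun::expect-connection gw-gw` in pretest.dat, `sun:: swanctl --list-sas` in evaltest.dat), so on sun it will fall back to its default plugin set while moon uses the trimmed list; the test presumably still passes, but the two gateways are no longer configured alike and a plugin problem would surface on one side only. Adding the same `swanctl { ... }` block to sun, as every other strongswan.conf rewritten in this commit does, removes the asymmetry.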
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-multicast/posttest.dat b/testing/tests/ikev2/net2net-multicast/posttest.dat
index dff181797e..e28c8d4891 100644
--- a/testing/tests/ikev2/net2net-multicast/posttest.dat
+++ b/testing/tests/ikev2/net2net-multicast/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
diff --git a/testing/tests/ikev2/net2net-multicast/pretest.dat b/testing/tests/ikev2/net2net-multicast/pretest.dat
index e777dba060..b323c5e22e 100644
--- a/testing/tests/ikev2/net2net-multicast/pretest.dat
+++ b/testing/tests/ikev2/net2net-multicast/pretest.dat
@@ -1,7 +1,7 @@
 moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
 sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-multicast/test.conf b/testing/tests/ikev2/net2net-multicast/test.conf
index 48597379a0..579978772d 100644
--- a/testing/tests/ikev2/net2net-multicast/test.conf
+++ b/testing/tests/ikev2/net2net-multicast/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice sun bob"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-ntru-cert/description.txt b/testing/tests/ikev2/net2net-ntru-cert/description.txt
deleted file mode 100644
index 638a671108..0000000000
--- a/testing/tests/ikev2/net2net-ntru-cert/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-The key exchange is based on NTRU encryption with a security strength of 256 bits.
-The authentication is based on X.509 certificates. Upon the successful
-establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client alice behind gateway moon
-pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f29a8b2a29..0000000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha512-ntru256!
- esp=aes256-sha512!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 7a7098feb3..0000000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
-
- multiple_authentication = no
- send_vendor_id = yes
-
- syslog {
- daemon {
- ike = 4
- lib = 4
- }
- }
- plugins {
- ntru {
- parameter_set = optimum
- }
- }
-}
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 76fbc8024b..0000000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha512-ntru256!
- esp=aes256-sha512!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 8386ed2e36..0000000000
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- send_vendor_id = yes
- syslog {
- daemon {
- ike = 4
- lib = 4
- }
- }
-}
diff --git a/testing/tests/ikev2/net2net-pkcs12/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt
old mode 100644
new mode 100755
index e66ea1918a..b00bf17cc2
--- a/testing/tests/ikev2/net2net-pkcs12/description.txt
+++ b/testing/tests/ikev2/net2net-pkcs12/description.txt
@@ -1,8 +1,7 @@
A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates and an RSA private key stored in
-PKCS12 format.
+The authentication is based on X.509 certificates.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client alice behind gateway moon
pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
old mode 100644
new mode 100755
index fe4aa5ab10..4c56d5299b
--- a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0296e1804d..0000000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ /dev/null
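Review bot: Nothing in the new evaltest checks that the PKCS#12 bundle referenced from swanctl.conf was actually the credential used — the two `--list-sas` lines pin the IKE/ESP algorithms and traffic selectors, but they would pass identically if the key and certificate had been loaded from PEM files, and the PKCS#12 load path is the whole point of this test. Consider adding a credential check on each gateway, for example a `swanctl --list-certs` line matching the moon/sun end-entity certificate, or a daemon.log line matching whatever charon logs when it loads a .p12 secret (exact wording to be confirmed against the log). The literal `192.168.0.1`/`192.168.0.2` also sit next to the `PH_IP_BOB` placeholder two lines below; if the harness substitutes `PH_IP_MOON`/`PH_IP_SUN` here as well, using them keeps the expectation independent of the fixed lab addresses.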
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 802cfc681f..0000000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 4494daee7e..d165857f0d
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs12 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..082b730711
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
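Review bot: The new charon-systemd `load` line drops `des`, `rc2`, `pkcs7` and `pkcs8`, which the stroke configuration loaded alongside `pkcs12`; if `moonCert.p12` is still encrypted with the legacy PKCS#12 PBE schemes (RC2-40 / 3DES), charon will not be able to open the bundle with only `aes` loaded and no `openssl` in this list. Either confirm that the .p12 fixtures were regenerated with PBES2/AES, or keep `des rc2` in the load line. A one-line comment on the `load =` line such as `# pkcs12 needs des/rc2 if the bundle uses legacy PBE` would record the dependency so it is not rediscovered the hard way.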
@@ -0,0 +1,35 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 6dcedd0e62..0000000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 3dc85528c3..0000000000
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
-
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 4494daee7e..d165857f0d
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
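Review bot: The new swanctl.conf ends without a trailing newline (`\ No newline at end of file`), as does its sun counterpart, while the net2net-psk-fail sun file in this same series has one; add the newline after the final `}` so the fixtures are consistent and do not produce noise in later diffs. The PKCS#12 passphrase is stored in cleartext here exactly as it was in ipsec.secrets, which is acceptable for a lab fixture, but a comment above `secrets {` such as `# test-only passphrase for the bundle under /etc/swanctl/pkcs12` would make clear that the value is not meant to be reused and where the `file = moonCert.p12` reference is presumably resolved. The `remote { auth = pubkey }` block names no trust anchor, so peer verification depends on whatever CA certificate the bundle carries — worth stating in the same comment.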
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs12 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..ba0cf38a3f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
old mode 100644
new mode 100755
index 0fbba487c4..0b8cb38af8
--- a/testing/tests/ikev2/net2net-pkcs12/posttest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
@@ -1,6 +1,7 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::rm /etc/swanctl/pkcs12/*
+sun::rm /etc/swanctl/pkcs12/*
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonCert.p12
-sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
old mode 100644
new mode 100755
index 3f3f7d1007..e935b95d5d
--- a/testing/tests/ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -1,11 +1,9 @@
-moon::rm /etc/ipsec.d/private/moonKey.pem
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-sun::rm /etc/ipsec.d/private/sunKey.pem
-sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-pkcs12/test.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-psk-fail/description.txt b/testing/tests/ikev2/net2net-psk-fail/description.txt
old mode 100644
new mode 100755
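Review bot: The pretest now deletes `rsa/*`, `x509/*` and `x509ca/*` before charon starts, so the only credential left on each gateway is the .p12 bundle, and the CA certificate needed to verify the peer must come out of that bundle as well; that is presumably the intent, but nothing says so, and a regenerated bundle without the CA chain would fail in a puzzling way. A comment above those two lines, `# drop all PEM credentials: key, certificate and CA cert must come from the PKCS#12 bundle`, documents the precondition. The posttest removes `/etc/swanctl/pkcs12/*` but does not restore the PEM material the pretest deleted, which is fine only if the harness re-provisions the guests between tests as the previous stroke version also assumed.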
diff --git a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
old mode 100644
new mode 100755
index 3f5092893b..b538964176
--- a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
@@ -1,6 +1,4 @@
sun:: cat /var/log/daemon.log::tried 1 shared key for.*sun.strongswan.org.*moon.strongswan.org.*but MAC mismatched::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL::NO
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 38ebf966c0..0000000000
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,4 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
-
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 1188d686d9..ad4c18e437
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
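Review bot: The two replacement negative checks are weaker than the four they remove: the pattern `gw-gw.*state=ESTABLISHED.*state=INSTALLED mode=TUNNEL` only matches when an IKE_SA and a CHILD_SA are both present, so a run in which the IKE_SA reaches ESTABLISHED but no CHILD_SA is installed would still satisfy the `::NO` expectation. Since this test exists to prove that authentication fails, assert the two states independently, e.g. `moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*state=ESTABLISHED::NO` and `moon::swanctl --list-sas --raw 2> /dev/null::net-net.*state=INSTALLED::NO`, with the same pair for sun. The two unchanged daemon.log checks above remain the strongest evidence of the failed AUTH and should stay.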
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..c6afd9a1e7
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike {
+ id-1 = moon.strongswan.org
+ id-2 = sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index be95c4d995..0000000000
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
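Review bot: The moon secret `0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx` is deliberately different from sun's `...2d21jL` so that authentication fails, but nothing in the file says so, and a well-meaning "fix" of the obviously padded `xxxx` tail would silently turn this into a passing tunnel and break the `but MAC mismatched` expectation in evaltest. Add a comment above the `ike {` block, `# intentionally wrong PSK (last four characters) so that sun rejects moon's AUTH`, so the mismatch is visibly on purpose. The file also ends without a trailing newline (`\ No newline at end of file`), unlike its sun counterpart.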
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 1188d686d9..ad4c18e437
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6fe987759f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike {
+ id-1 = moon.strongswan.org
+ id-2 =sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..82a2de139d
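Review bot: `id-2 =sun.strongswan.org` in the new sun swanctl.conf is missing the space after `=` that every other key in the file and the moon counterpart use; the strongswan.conf-style parser presumably tolerates it, but it reads like a typo next to `id-1 = moon.strongswan.org` and is the kind of thing that gets "corrected" in a later unrelated commit. Change it to `id-2 = sun.strongswan.org`. The `secret` value is the correct one that moon deliberately does not match, so a comment `# reference PSK; moon's copy is intentionally different` on this side would also help a reader who opens the sun file first.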
--- a/testing/tests/ikev2/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
old mode 100644
new mode 100755
index c7e2c61623..e935b95d5d
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -1,9 +1,9 @@
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf
old mode 100644
new mode 100755
index eb4822b5d3..07a3b247a1
--- a/testing/tests/ikev2/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -5,17 +5,21 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="moon winnetou sun"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
-DIAGRAM="m-w-s.png"
-
+DIAGRAM="a-m-w-s-b.png"
+
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="sun"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
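Review bot: test.conf now boots alice and bob and starts tcpdump on sun, but the evaltest of this failure test contains no ping and no tcpdump expectation, so the two extra guests and the capture add run time without anything asserting on them. Either keep the previous `VIRTHOSTS="moon winnetou sun"` and `TCPDUMPHOSTS=""`, or make the capture earn its keep with a negative check such as `sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::NO`, which would additionally prove that no ESP traffic flows after the rejected AUTH. If the change is purely for uniformity with the passing net2net-psk test, a one-line comment next to `TCPDUMPHOSTS` saying so would stop the next reader from looking for the missing assertion.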
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt
old mode 100644
new mode 100755
index 07320d7313..e064a99deb
--- a/testing/tests/ikev2/net2net-psk/description.txt
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -1,7 +1,7 @@
A connection between the subnets behind the gateways moon and sun is set up.
The authentication is based on Preshared Keys (PSK).
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client alice behind gateway moon
pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
old mode 100644
new mode 100755
index fe4aa5ab10..4c56d5299b
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f495194a76..0000000000
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- authby=secret
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 1188d686d9..ad4c18e437
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 26f16ac6e6..0000000000
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ /dev/null
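Review bot: For a PSK-only connection the new charon-systemd `load` line adds `pem pkcs1 x509 revocation gmp curl`, none of which the stroke configuration loaded and none of which PSK authentication appears to need — the pretest for this test even deletes every key and certificate under /etc/swanctl before start. If these plugins are only there so the same strongswan.conf can be shared with the certificate-based tests, say so with a comment on the `load =` line, `# x509/revocation/curl not needed for PSK, kept for parity with the cert-based tests`; otherwise trim them back so the test keeps exercising the minimal plugin set it did before. The `swanctl { load = ... }` section likewise lists `x509 revocation constraints pubkey` that swanctl has nothing to load here.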
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- authby=secret
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index be95c4d995..0000000000
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
old mode 100644
new mode 100755
index 1188d686d9..ad4c18e437
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..cc6a5bff73
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
old mode 100644
new mode 100755
index c7e2c61623..e935b95d5d
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,9 +1,9 @@
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
old mode 100644
new mode 100755
index afa2accbec..07a3b247a1
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-pubkey/description.txt b/testing/tests/ikev2/net2net-pubkey/description.txt
index 1cb90f13fe..d05306e463 100644
--- a/testing/tests/ikev2/net2net-pubkey/description.txt
+++ b/testing/tests/ikev2/net2net-pubkey/description.txt
@@ -1,7 +1,7 @@
A connection between the subnets behind the gateways moon and sun is set up.
The authentication is based on raw RSA keys loaded in PKCS#1 format.
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client alice behind gateway moon
pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
index d39cb07ccd..b5398044eb 100644
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 7c8346b02f..0000000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftsigkey=moonPub.pem
- leftauth=pubkey
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- rightsigkey=sunPub.pem
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
index 4cc2e21c64..29e75f7b8c 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
+charon-systemd {
+ load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index e94022fca6..0000000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ /dev/null
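Review bot: Unlike the pkcs12 and psk configurations migrated in this same series, this strongswan.conf defines no `swanctl { load = ... }` section, so swanctl presumably falls back to its built-in default plugin list when it reads the raw keys under /etc/swanctl — which only works as long as that default includes `pem pkcs1 pubkey` and a crypto backend, given that `gmp`, `aes`, `sha2` and `curve25519` were all replaced by `openssl` on the charon side. Adding an explicit `swanctl { load = pem pkcs1 pubkey openssl random }` section makes the raw-key loading self-contained and keeps the file shaped like the others. A short comment on the charon-systemd `load` line, `# openssl supplies AES/SHA2/HMAC/ECP here (note evaltest expects dh-group=ECP_256)`, would also explain why this test's proposal differs from the x25519 ones.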
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftid=@sun.strongswan.org - leftsigkey=sunPub.pem - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - rightsigkey=moonPub.pem - auto=add diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf index 4cc2e21c64..29e75f7b8c 100644 --- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown } diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat index 675b029763..468caf3e60 100644 --- a/testing/tests/ikev2/net2net-pubkey/posttest.dat +++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat 
@@ -1,8 +1,7 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/private/moonKey.der -sun::rm /etc/ipsec.d/private/sunKey.der -moon::rm /etc/ipsec.d/certs/*.der -sun::rm /etc/ipsec.d/certs/*.der +moon::rm /etc/swanctl/pubkey/* +sun::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat index 969c42337c..fcd4335475 100644 --- a/testing/tests/ikev2/net2net-pubkey/pretest.dat +++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat @@ -1,9 +1,9 @@ -moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net +moon::iptables-restore < /etc/iptables.rules +sun::cd /etc/swanctl; rm x509/* x509ca/* +moon::cd /etc/swanctl; rm x509/* x509ca/* +sun::systemctl start strongswan +moon::systemctl start strongswan +sun::expect-connection gw-gw +moon::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf index afa2accbec..07a3b247a1 100644 --- a/testing/tests/ikev2/net2net-pubkey/test.conf +++ b/testing/tests/ikev2/net2net-pubkey/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 
diff --git a/testing/tests/ikev2/net2net-rfc3779/description.txt b/testing/tests/ikev2/net2net-rfc3779/description.txt old mode 100644 new mode 100755 index 1e56ce687f..778d139b6b --- a/testing/tests/ikev2/net2net-rfc3779/description.txt +++ b/testing/tests/ikev2/net2net-rfc3779/description.txt @@ -1,11 +1,11 @@ A connection between the subnets behind the gateways moon and sun is set up. The authentication is based on X.509 certificates containing RFC 3779 IP address -block constraints. Both moon and sun set rightsubnet=0.0.0.0/0 thus +block constraints. Both moon and sun set remote_ts = 0.0.0.0/0 thus allowing the peers to narrow down the address range to their actual subnets 10.1.0.0/16 and 10.2.0.0/16, respectively. These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints. -Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat old mode 100644 new mode 100755 index ae970ba61e..42adb2e8fa --- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat 
@@ -1,13 +1,13 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
 moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
-moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
-moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
-sun:: cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
+moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+sun:: cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
 sun:: cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
-sun:: cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
-sun:: cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+sun:: cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+sun:: cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
 moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
 sun:: cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index ec7d9a79ac..0000000000
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
+++ /dev/null
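Review bot: The four `fec…` address-block checks and the `sun:: … 10.1.0.0/16` check in this hunk are removed and re-added with identical visible text, which together with the `old mode 100644 / new mode 100755` header points to a line-ending or trailing-whitespace change rather than a test change. The same flip to mode 100755 is applied to description.txt, evaltest.dat, strongswan.conf, posttest.dat, pretest.dat and test.conf of net2net-rfc3779, net2net-route and net2net-start, and the new swanctl.conf files of net2net-sha3-rsa-cert are created 100755; these are data and configuration files that nothing executes, and an executable bit on a daemon configuration read as root is the wrong default. Please restore 0644 on all of them and normalise the line endings so the diff shows only the swanctl conversion.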
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index c9a56d7485..b8a665af7b --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici syslog { daemon { cfg = 2 diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf deleted file mode 100644 index cc86ebc0a8..0000000000 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf +++ /dev/null 
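Review bot: The new `charon-systemd` section silently drops `multiple_authentication = no`, which the removed `charon` section carried, so charon falls back to its default for that option (presumably re-enabling RFC 4739 multiple authentication rounds) while the rest of the test is unchanged. The same line disappears in sun's strongswan.conf of this test and in both gateways' strongswan.conf of net2net-route and net2net-start. If the behaviour change is intended, the commit message should say so; otherwise keep `multiple_authentication = no` inside the new `charon-systemd { … }` block. The `syslog` sub-block continues past the end of this hunk.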
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index c9a56d7485..b8a665af7b --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici syslog { daemon { cfg = 2 diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat old mode 100644 new mode 100755 index 837738fc6a..cc6a5bff73 --- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat 
@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
old mode 100644
new mode 100755
index 16eb9a67a8..2d3c8c1e20
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt
old mode 100644
new mode 100755
index 323f09555a..20640ef85a
--- a/testing/tests/ikev2/net2net-route/description.txt
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -5,5 +5,5 @@ A subsequent ping issued by client alice behind gateway moon to bob located behind gateway sun triggers the %trap eroute and leads to the automatic establishment of the subnet-to-subnet tunnel.-leftfirewall=yes automatically inserts iptables-based firewall rules +The updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat old mode 100644 new mode 100755 index 3b247fd6c5..5a95371419 --- a/testing/tests/ikev2/net2net-route/evaltest.dat +++ b/testing/tests/ikev2/net2net-route/evaltest.dat 
@@ -1,8 +1,7 @@
-moon:: cat /var/log/daemon.log::creating acquire job::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
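Review bot: The new acquire-job check hard-codes the guest addresses `10.1.0.10/32` and `10.2.0.10/32`, while the ping line two rows below reaches bob through the `PH_IP_BOB` placeholder that the harness substitutes in both command and pattern; if the guest addressing changes this line fails silently for the wrong reason. Use the placeholders here too: `moon::cat /var/log/daemon.log::creating acquire job for policy PH_IP_ALICE/32\[icmp/8] === PH_IP_BOB/32\[icmp/8]::YES`.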
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..ad4c18e437 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-route/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..61d2bd9e48 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici } 
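Review bot: sun's new `charon-systemd` load line omits `curl`, while moon's in the hunk just above still loads it (the differing blob ids `ad4c18e437` and `61d2bd9e48` confirm the two files are no longer identical), and the removed `charon` sections of both gateways loaded `curl`. With `x509` and `revocation` loaded but no fetcher plugin, any CRL or OCSP fetch sun attempts presumably fails, which the evaltest does not observe but which makes the two gateways behave asymmetrically for no stated reason. Either add `curl` back to sun's load list or drop it from moon's as well so the pair stays symmetric, and note the choice in the commit message.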
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..cc6a5bff73
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
old mode 100644
new mode 100755
index 57dc45f996..5b2546feeb
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
 alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt b/testing/tests/ikev2/net2net-sha3-rsa-cert/description.txt
similarity index 100%
rename from testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt
rename to testing/tests/ikev2/net2net-sha3-rsa-cert/description.txt
diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/net2net-cert/evaltest.dat
rename to testing/tests/ikev2/net2net-sha3-rsa-cert/evaltest.dat
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..bcc2742f78
--- /dev/null
+++ b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
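Review bot: Nothing in this new swanctl.conf pins the signature scheme that gives the test its name — `auth = pubkey` on both `local` and `remote` accepts whatever scheme the peer selects — so whether an RSA/SHA-3 signature is actually exercised rests solely on the key material installed, and the evaltest.dat reused from net2net-cert (renamed alongside) presumably carries no assertion on it. Consider adding a daemon.log check that authentication used the intended SHA-3 scheme, and a short comment in the `remote { }` block stating which constraint, if any, enforces it. The file is also created with mode 100755 although it is a configuration file; 0644 is the right mode.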
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..12cee0fc6d --- /dev/null +++ b/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/net2net-childless/posttest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/posttest.dat similarity index 100% rename from testing/tests/swanctl/net2net-childless/posttest.dat rename to testing/tests/ikev2/net2net-sha3-rsa-cert/posttest.dat diff --git a/testing/tests/swanctl/net2net-childless/pretest.dat b/testing/tests/ikev2/net2net-sha3-rsa-cert/pretest.dat similarity index 100% rename from testing/tests/swanctl/net2net-childless/pretest.dat rename to testing/tests/ikev2/net2net-sha3-rsa-cert/pretest.dat 
diff --git a/testing/tests/swanctl/net2net-cert/test.conf b/testing/tests/ikev2/net2net-sha3-rsa-cert/test.conf similarity index 100% rename from testing/tests/swanctl/net2net-cert/test.conf rename to testing/tests/ikev2/net2net-sha3-rsa-cert/test.conf diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt old mode 100644 new mode 100755 index f5320685eb..9c67ed6051 --- a/testing/tests/ikev2/net2net-start/description.txt +++ b/testing/tests/ikev2/net2net-start/description.txt @@ -2,7 +2,5 @@ A tunnel connecting the subnets behind the gateways moon and sun, respectively, is automatically established by means of the setting auto=start in ipsec.conf. The connection is tested by client alice behind gateway moon pinging the client bob located behind -gateway sun. -
-leftfirewall=yes automatically inserts iptables-based firewall rules -that let pass the tunneled traffic. +gateway sun. The updown script automatically inserts iptables-based +firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat old mode 100644 new mode 100755 index 5c4aa85f88..4c56d5299b --- a/testing/tests/ikev2/net2net-start/evaltest.dat +++ b/testing/tests/ikev2/net2net-start/evaltest.dat 
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 8d89cd0bb3..ad4c18e437
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-start/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 index 8d89cd0bb3..ad4c18e437 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/net2net-start/hosts/sun/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
old mode 100644
new mode 100755
index 1f7aa73a15..cc6a5bff73
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
old mode 100644
new mode 100755
index b3f3710416..77a8e1a567
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-moon::sleep 1
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+moon::sleep 0.5
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
old mode 100644
new mode 100755
index 646b8b3e64..07a3b247a1
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ocsp-disabled/description.txt b/testing/tests/ikev2/ocsp-disabled/description.txt
similarity index 100%
rename from testing/tests/swanctl/ocsp-disabled/description.txt
rename to testing/tests/ikev2/ocsp-disabled/description.txt
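Review bot: The pretest keeps a fixed delay, now `moon::sleep 0.5` (halved from `sleep 1`), as the only synchronisation before evaltest inspects the auto-started tunnel, while the other converted pretests on this page wait with `expect-connection gw-gw`; a fixed sleep is the usual cause of intermittent failures on a loaded CI host, and halving it narrows the margin further. Add `sun::expect-connection gw-gw` and `moon::expect-connection gw-gw` after the start lines, or document why the delay is sufficient, rather than relying on timing alone. Separately, this test's description.txt still says the tunnel is established `by means of the setting auto=start in ipsec.conf` (a context line the commit leaves untouched) although ipsec.conf is gone; it should name the swanctl.conf equivalent (presumably `start_action`) instead.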
diff --git a/testing/tests/swanctl/ocsp-disabled/evaltest.dat b/testing/tests/ikev2/ocsp-disabled/evaltest.dat similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/evaltest.dat rename to testing/tests/ikev2/ocsp-disabled/evaltest.dat diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/ikev2/ocsp-disabled/posttest.dat similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/posttest.dat rename to testing/tests/ikev2/ocsp-disabled/posttest.dat diff --git a/testing/tests/ikev2/ocsp-disabled/pretest.dat b/testing/tests/ikev2/ocsp-disabled/pretest.dat new file mode 100644 index 0000000000..87be755a3c 
--- /dev/null +++ b/testing/tests/ikev2/ocsp-disabled/pretest.dat @@ -0,0 +1,5 @@ +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/ocsp-disabled/test.conf b/testing/tests/ikev2/ocsp-disabled/test.conf similarity index 100% rename from testing/tests/swanctl/ocsp-disabled/test.conf rename to testing/tests/ikev2/ocsp-disabled/test.conf diff --git a/testing/tests/ikev2/ocsp-local-cert/description.txt b/testing/tests/ikev2/ocsp-local-cert/description.txt index 61f7d99571..a54bc67764 100644 --- a/testing/tests/ikev2/ocsp-local-cert/description.txt +++ b/testing/tests/ikev2/ocsp-local-cert/description.txt @@ -1,8 +1,8 @@ -By setting strictcrlpolicy=yes, a strict CRL policy is enforced on +By setting revocation = strict, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses a self-signed -OCSP signer certificate that must be imported locally by the peers into -/etc/ipsec.d/ocspcerts/. A strongswan ca section in ipsec.conf +OCSP signer certificate that must be imported locally by the peers into the +/etc/swanctl/x509ocsp/ directory. A strongswan ca section in ipsec.conf defines an OCSP URI pointing to winnetou.
carol can successfully initiate an IPsec connection to moon since diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat index e931afb7e9..161d6b29e6 100644 --- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat 
@@ -1,12 +1,12 @@ -moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +moon::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES moon:: cat /var/log/daemon.log::requesting ocsp status from::YES -moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*OCSP Self-Signed Authority::YES moon:: cat /var/log/daemon.log::ocsp response is valid::YES moon:: cat /var/log/daemon.log::certificate status is good::YES -carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES carol::cat /var/log/daemon.log::requesting ocsp status from::YES -carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by.*OCSP Self-Signed Authority::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 
remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 05e27f641a..0000000000 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf index 48e8fc6ff7..c7b494ddca 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..b3487e6741 --- /dev/null 
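Review bot: The first replaced line of this evaltest.dat hunk drops the only check that the locally imported OCSP signer certificate was actually loaded: `ipsec listocspcerts` is replaced by `swanctl --list-authorities`, which confirms the `ocsp_uris` entry of the authorities section but says nothing about the contents of /etc/swanctl/x509ocsp/. Since the point of ocsp-local-cert is that the responder's self-signed certificate is trusted only because it was imported locally, the `correctly signed by.*OCSP Self-Signed Authority` log line is now the sole, indirect evidence for that. Consider keeping an explicit load check per peer, e.g. `moon::swanctl --list-certs --flag ocsp 2> /dev/null::OCSP Self-Signed Authority::YES` (the subject string should be confirmed against the certificate placed in x509ocsp/). Separately, this test's description.txt hunk earlier in the commit still attributes the OCSP URI to `A strongswan ca section in ipsec.conf` although ipsec.conf is deleted here; the ocsp-revoked description was updated to `authorities section in swanctl.conf`.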
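Review bot: The converted carol strongswan.conf in this hunk keeps `md5` in the charon-systemd load list and adds no `swanctl { load = ... }` section, unlike the sibling conversions in this commit (ocsp-no-signer-cert, ocsp-revoked and ocsp-root-cert drop `md5` from carol's list and add a `swanctl` block). Nothing visible in this test's swanctl.conf or expected output uses MD5, so the plugin looks like a carry-over from the stroke-era list; if it is indeed unused, `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default` keeps the loaded plugin set minimal and matches moon's list in the next hunk. Whether swanctl needs its own load list here presumably depends on the defaults of the test image, so that part is a consistency remark only.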
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e441e661f3..0000000000 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan-ca - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf index 7a64dce303..d9c31430be 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..39210bdbe3 --- /dev/null +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} diff --git a/testing/tests/ikev2/ocsp-local-cert/posttest.dat b/testing/tests/ikev2/ocsp-local-cert/posttest.dat index 0c05c16a11..6e84fa99ec 100644 --- a/testing/tests/ikev2/ocsp-local-cert/posttest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/ocspcerts/* -carol::rm /etc/ipsec.d/ocspcerts/* +carol::systemctl stop strongswan +moon::systemctl stop strongswan +carol::rm /etc/swanctl/x509ocsp/* +moon::rm /etc/swanctl/x509ocsp/* \ No newline at end of file diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat index d7f7959f1f..87be755a3c 100644 --- a/testing/tests/ikev2/ocsp-local-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat 
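Review bot: The new moon swanctl.conf in this hunk is added with `new file mode 100755`, while the carol swanctl.conf of the same test is added as 100644; a configuration file has no reason to be executable. The same mode is used for the new swanctl.conf files of ocsp-no-signer-cert (carol and moon) and ocsp-revoked (carol and moon) later in this commit. Suggest `chmod 644` on all five before merging so the checked-in permissions match the other configuration files. Also, the posttest.dat hunk below ends with `\ No newline at end of file` on the new `moon::rm /etc/swanctl/x509ocsp/*` line.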
@@ -1,5 +1,5 @@ -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf index 892f51cd93..c5b3ecc435 100644 --- a/testing/tests/ikev2/ocsp-local-cert/test.conf +++ b/testing/tests/ikev2/ocsp-local-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat deleted file mode 100644 index baeccb3574..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat +++ /dev/null 
@@ -1,14 +0,0 @@ -moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES -carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES -dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES -moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES -moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES -carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES -dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES -moon:: cat /var/log/daemon.log::certificate status is good::YES -carol::cat /var/log/daemon.log::certificate status is good::YES -dave:: cat /var/log/daemon.log::certificate status is good::YES -moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*CN=carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*CN=dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::ESTABLISHED.*CN=carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::ESTABLISHED.*CN=dave@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4d3aa1cc65..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_CAROL - leftcert=carolCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 756d6ec513..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_DAVE - leftcert=daveCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ba484eb5a6..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,41 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -ca research - cacert=researchCert.pem - ocspuri=http://ocsp.strongswan.org:8881 - auto=add - -ca sales - cacert=salesCert.pem - ocspuri=http://ocsp.strongswan.org:8882 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA" - auto=add diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 7a64dce303..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default -} diff --git a/testing/tests/ikev2/ocsp-multi-level/posttest.dat b/testing/tests/ikev2/ocsp-multi-level/posttest.dat deleted file mode 100644 index 1646d5ed2f..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat deleted file mode 100644 index b660f2dcfb..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat +++ /dev/null 
@@ -1,10 +0,0 @@ -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection alice -carol::expect-connection alice -carol::ipsec up alice -carol::ipsec up venus -dave::expect-connection venus -dave::ipsec up venus -dave::ipsec up alice \ No newline at end of file diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf deleted file mode 100644 index 9bb88d79f0..0000000000 --- a/testing/tests/ikev2/ocsp-multi-level/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/description.txt b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt index 4fa492c144..15c491dad9 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/description.txt +++ b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt @@ -1,4 +1,4 @@ -By setting strictcrlpolicy=yes, a strict CRL policy is enforced on +By setting revocation = strict, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which is sending a normal host certificate not containing an OCSPSigning extended key usage flag. As a consequence diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index a6ae74fe36..bb271f8f51 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat 
@@ -1,7 +1,7 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO moon:: cat /var/log/daemon.log::requesting ocsp status from::YES moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 05e27f641a..0000000000 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf index 48e8fc6ff7..b05ed2b339 100644 
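Review bot: The two added `::NO` checks at the top of this hunk pin the complete `swanctl --list-sas --raw` record (addresses, ports, identities); for a negative assertion this is the wrong direction, because any deviation in that long pattern, such as a changed field order in a future swanctl release, makes the line pass vacuously even if an SA was established with a rejected certificate. The removed `ipsec status ... ::NO` lines were deliberately loose, matching only `rw.*ESTABLISHED`. Keep the negative checks minimal, e.g. `carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*state=ESTABLISHED::NO` (the `--ike-id 1` filter on moon is presumably also better dropped so the check covers any SA). The same pattern appears in the ocsp-revoked evaltest.dat hunk later in this commit.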
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..c6a44335d6 --- /dev/null +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} + +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e441e661f3..0000000000 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan-ca - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf index 7a64dce303..b05ed2b339 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..b86e0cf7dd --- /dev/null +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,22 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat index 1af117cf0a..f9d38be139 100644 
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat @@ -1,3 +1,3 @@ -moon::ipsec stop -carol::ipsec stop +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables -F diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat index 903d1e9a8d..25d5b9c296 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat @@ -1,6 +1,6 @@ moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf index 892f51cd93..fdda0a04cb 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf @@ -19,3 +19,6 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 diff --git a/testing/tests/ikev2/ocsp-revoked/description.txt b/testing/tests/ikev2/ocsp-revoked/description.txt index 73d0725492..c005363499 100644 --- a/testing/tests/ikev2/ocsp-revoked/description.txt +++ b/testing/tests/ikev2/ocsp-revoked/description.txt 
@@ -1,9 +1,9 @@ -By setting strictcrlpolicy=yes, a strict CRL policy is enforced on +By setting revocation = strict, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses an OCSP signer certificate issued by the strongSwan CA. This certificate contains an OCSPSigning -extended key usage flag. A strongswan ca section in ipsec.conf defines an +extended key usage flag. A strongswan authorities section in swanctl.conf defines an OCSP URI pointing to winnetou.
-carol tries to initiate an IPsec connection to moon but fails +carol tries to initiate an IPsec connection to moon but fails because carol's certificate has been revoked. diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat index 97006c93e0..5234b5efc5 100644 --- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat +++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat @@ -1,8 +1,7 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO moon:: cat /var/log/daemon.log::requesting ocsp status from::YES moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES moon:: cat /var/log/daemon.log::certificate was revoked on::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO - diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 17225d287c..0000000000 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf +++ /dev/null 
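Review bot: The context line `moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed` in this evaltest.dat hunk has no `::YES` result field, unlike every other line of the file, so presumably it is never evaluated — yet it is the one check confirming that moon rejected the revoked certificate at the authentication step rather than merely logging the OCSP result. It predates this commit, but since the hunk rewrites the surrounding lines, appending the field here is cheap: `moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed::YES`.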
@@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63be..0000000000 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf index 48e8fc6ff7..b05ed2b339 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici } diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..c6a44335d6 --- /dev/null +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,32 @@ +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} + +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e441e661f3..0000000000 --- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -ca strongswan-ca - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - keyexchange=ikev2 - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf index 7a64dce303..b05ed2b339 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici } 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..58f2ee9e40 --- /dev/null +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/ocsp-revoked/posttest.dat b/testing/tests/ikev2/ocsp-revoked/posttest.dat index c6d6235f9d..79ad33de60 100644 --- a/testing/tests/ikev2/ocsp-revoked/posttest.dat +++ b/testing/tests/ikev2/ocsp-revoked/posttest.dat @@ -1,2 +1,2 @@ -moon::ipsec stop -carol::ipsec stop +carol::systemctl stop strongswan +moon::systemctl stop strongswan diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat index d7f7959f1f..1cf07245b0 100644 --- a/testing/tests/ikev2/ocsp-revoked/pretest.dat +++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat @@ -1,5 +1,5 @@ -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf index 892f51cd93..fdda0a04cb 100644 --- a/testing/tests/ikev2/ocsp-revoked/test.conf +++ b/testing/tests/ikev2/ocsp-revoked/test.conf @@ -19,3 +19,6 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 
diff --git a/testing/tests/ikev2/ocsp-root-cert/description.txt b/testing/tests/ikev2/ocsp-root-cert/description.txt index 9574aa5b15..376a4c7e20 100644 --- a/testing/tests/ikev2/ocsp-root-cert/description.txt +++ b/testing/tests/ikev2/ocsp-root-cert/description.txt @@ -1,8 +1,7 @@ -By setting strictcrlpolicy=yes, a strict CRL policy is enforced on +By setting revocation = strict, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which uses the strongSwan CA's -private key to sign OCSP responses. A strongswan ca section in ipsec.conf -defines an OCSP URI pointing to winnetou. -
+private key to sign OCSP responses. +
carol can successfully initiate an IPsec connection to moon since the status of both certificates is good. diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat index 0f852d7b1a..f054a84c6b 100644 --- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat @@ -1,3 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::requesting ocsp status::YES moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES moon:: cat /var/log/daemon.log::ocsp response is valid::YES 
@@ -6,5 +8,3 @@ carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 05e27f641a..0000000000
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..ba2c31e550 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
 }
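Review bot: carol's new charon-systemd load list in the strongswan.conf hunk drops `md5` and introduces a `swanctl { load = … }` section, while carol's strongswan.conf in the sibling tests of this commit (ocsp-signer-cert, ocsp-timeouts-good, ocsp-timeouts-unknown) keeps `md5` and has no swanctl section. If md5 is not needed for these OCSP scenarios, dropping it in all four is the better default, since every loaded hash plugin is presumably usable for signature verification; if it is needed, its absence here looks accidental. Either way the plugin lists for the same host role should agree across the tests, or the difference should be commented in the file.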
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..445c79f52b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://ocsp.strongswan.org:8880
+ }
+}
+
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e441e661f3..0000000000
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index 7a64dce303..ba2c31e550 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
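Review bot: The new carol swanctl.conf is added with `new file mode 100755` although it is a configuration file, not an executable; the same applies to moon's swanctl.conf in this test (next hunk) and to moon's swanctl.conf in ocsp-timeouts-good, whereas carol's new swanctl.conf in ocsp-timeouts-good and ocsp-timeouts-unknown is 100644. The executable bit is harmless for swanctl but inconsistent within the commit and is the kind of stray permission that file-permission linters and packaging checks flag; a `chmod 644` on the three files before committing would align them. The file content itself looks fine: `revocation = strict` on the remote side matches what the description promises.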
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..578c05ccac
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
similarity index 94%
rename from testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
rename to testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 59c3563027..74ca4181cc 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
 #!/bin/bash
-cd /etc/openssl
+cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
diff --git a/testing/tests/ikev2/ocsp-root-cert/posttest.dat b/testing/tests/ikev2/ocsp-root-cert/posttest.dat
index c6d6235f9d..f9d38be139 100644
--- a/testing/tests/ikev2/ocsp-root-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
index d7f7959f1f..25d5b9c296 100644
--- a/testing/tests/ikev2/ocsp-root-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
@@ -1,5 +1,6 @@
-moon::ipsec start
-carol::ipsec start
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
index 892f51cd93..fdda0a04cb 100644
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -19,3 +19,6 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt
index 7c7efb68e5..6517d5f837 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt
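Review bot: The new `moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset` in pretest.dat is not explained anywhere in this test; presumably it forces moon to use the port-8880 `ocsp_uris` entry of the authorities section rather than some other URI reachable on port 80, but that intent belongs in description.txt (whose earlier hunk actually removed the sentence about the configured OCSP URI) so a later reader does not delete the rule as noise. Its cleanup in posttest.dat is `moon::iptables -F`, which flushes every rule in the filter table instead of undoing this one; `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset` is the exact inverse and leaves anything else the environment installed untouched. Also, only this test's pretest redirects `2> /dev/null` on `swanctl --initiate`; ocsp-signer-cert and ocsp-timeouts-good do not, so an initiation error would be hidden here alone.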
@@ -1,10 +1,10 @@
-By setting strictcrlpolicy=yes, a strict CRL policy is enforced on
+By setting revocation = strict, a strict CRL policy is enforced on
 both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses an OCSP signer certificate issued by the strongSwan CA. This certificate contains an OCSPSigning extended key usage flag. carol's certificate includes an OCSP URI
-in an authority information access extension pointing to winnetou.
-Therefore no special ca section information is needed in moon's ipsec.conf.
-
+in an authority information access extension pointing to winnetou.
+Therefore no special authorities section information is needed in moon's swanctl.conf.
+
carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index 7c7813cffb..45972168dc 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,4 +1,4 @@
-carol::ipsec listcainfos 2> /dev/null::ocspuris.*http://ocsp.strongswan.org::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
 moon:: cat /var/log/daemon.log::requesting ocsp status::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
 moon:: cat /var/log/daemon.log::ocsp response is valid::YES
@@ -7,6 +7,5 @@ carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 17225d287c..0000000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..c7b494ddca 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2cec8851c1..0000000000
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index 7a64dce303..d9c31430be 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
index c6d6235f9d..20a78fa78f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
index d7f7959f1f..87be755a3c 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
deleted file mode 100644
index 934df4e5bb..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::libcurl request failed::YES
-moon:: cat /var/log/daemon.log::certificate status is not available::YES
-moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index fa68b2a2c9..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=ifuri
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 48e8fc6ff7..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b007f527b7..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=ifuri
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 1ed94f98e3..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=ifuri
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
- auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat
deleted file mode 100644
index 1646d5ed2f..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
deleted file mode 100644
index eedd737ac3..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection alice
-carol::expect-connection alice
-carol::ipsec up alice
-dave::expect-connection venus
-dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
deleted file mode 100644
index 9bb88d79f0..0000000000
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
index ad7de9eccc..19b3a34709 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -1,9 +1,9 @@
 This scenario is based on ikev2/ocsp-signer-cert and tests the timeouts of the libcurl library used for http-based OCSP fetching
-by adding an ocspuri2 in moon's strongswan ca section that cannot be resolved by
-DNS and an ocspuri2 in carol's strongswan ca section on which no
-OCSP server is listening. Thanks to timeouts the connection can nevertheless
-be established successfully by contacting a valid OCSP URI contained in
+by adding an ocsp_uris entry in moon's strongswan authority section that cannot
+be resolved by DNS and an ocsp_uris entry in carol's strongswan authority
+section on which no OCSP server is listening. Thanks to timeouts the connection can
+nevertheless be established successfully by contacting a valid OCSP URI contained in
 carol's certificate.As an additional test the OCSP response is delayed by a few seconds in order to check
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index d4e41dbb88..186228d7fa 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -8,5 +8,5 @@ carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed
 carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 74d363fe14..0000000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri1=http://bob.strongswan.org:8800
- ocspuri2=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..c7b494ddca 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..6907b8d68d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://bob.strongswan.org:8800, http://ocsp.strongswan.org:8880
+ }
+}
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f307c12d0b..0000000000
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri2=http://ocsp2.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index 7a64dce303..d9c31430be 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..645d5b8d6d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://ocsp2.strongswan.org:8880
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
similarity index 94%
rename from testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
rename to testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 46a716f838..7dd3ddb0f8 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
 #!/bin/bash
-cd /etc/openssl
+cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
index c6d6235f9d..6e84fa99ec 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
@@ -1,2 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::rm /etc/swanctl/x509ocsp/*
+moon::rm /etc/swanctl/x509ocsp/*
\ No newline at end of file
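Review bot: The rewritten posttest.dat ends without a trailing newline (the `\ No newline at end of file` marker), unlike every other posttest.dat in this commit; add the newline so the last `moon::rm` line is a complete line for whatever reads these files. The two new `rm /etc/swanctl/x509ocsp/*` lines have no counterpart in the visible pretest hunk that puts anything into that directory; if nothing in the test writes there they are dead and the unexpanded glob makes rm complain, so either drop them or note in the test what populates x509ocsp. Unlike ocsp-signer-cert, this posttest also does not run `swanctl --terminate` before stopping the daemons, which is a small inconsistency between otherwise parallel tests.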
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
index d7f7959f1f..87be755a3c 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
@@ -1,5 +1,5 @@
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
index d17534b1b5..befb3fc06e 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
@@ -1,7 +1,6 @@
 This scenario is based on ikev2/ocsp-signer-cert and tests the timeouts of the libcurl library used for http-based OCSP fetching
-by adding an ocspuri1 in moon's strongswan ca section on which no OCSP
-server is listening and an ocspuri2 that cannot be resolved by DNS.
+by adding two ocsp_uris in moon's strongswan authorities section on the first
+of which no OCSP server is listening and the second URI cannot be resolved by DNS.
 Since the certificate status is unknown the connection setup is aborted by moon with an AUTHORIZATION_FAILED notification sent to carol.
-
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index cb7997f725..9153d49310 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -2,6 +2,5 @@ moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 459da14673..0000000000
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri1=http://bob.strongswan.org:8800
- ocspuri2=http://ocsp2.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
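Review bot: The two new `::NO` checks pin the complete `swanctl --list-sas --raw` record (both hosts, ports and identities), so they pass vacuously as soon as any one of those fields differs from the expectation, which is the opposite of what a negative assertion in a must-fail scenario should do. Matching only the condition that must not occur, e.g. `carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO`, keeps the check meaningful; the same applies to the ocsp-untrusted-cert evaltest hunk further down. Separately, the unchanged line `received AUTHENTICATION_FAILED` does not agree with the description's `AUTHORIZATION_FAILED notification`; which notify is actually sent is not visible here, so one of the two should be confirmed and aligned.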
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..c7b494ddca 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..078345898c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://bob.strongswan.org:8800, http://ocsp2.strongswan.org:8880
+ }
+}
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a464f017a0..0000000000
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri1=http://bob.strongswan.org:8800
- ocspuri2=http://ocsp2.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index 7a64dce303..d9c31430be 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..59dde6f957
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://bob.strongswan.org:8800, http://ocsp2.strongswan.org:8880
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755
index 0000000000..7dd3ddb0f8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+# simulate a delayed response
+sleep 2
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
index cf72480d45..85f0d30a3a 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables -F OUTPUT
 carol::iptables -F OUTPUT
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
index 0c9d5a9b16..e16270e2f1 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
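Review bot: In the new ocsp.cgi the responder line `cat | /usr/bin/openssl ocsp ... -reqin /dev/stdin -respout /dev/stdout | cat` pipes through cat on both ends although openssl already reads the request from stdin and writes the response to stdout; `/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 -reqin /dev/stdin -respout /dev/stdout` does the same with two fewer processes and no chance of a SIGPIPE masking an openssl failure. The `cd /etc/ca` also has no error check, so a missing directory would make openssl sign with whatever index.txt and keys happen to be in the CGI's working directory; `cd /etc/ca || exit 1` closes that. A header comment such as `# test-only OCSP responder; responses are valid for 5 minutes (-nmin 5)` would document the intent next to the simulated delay.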
@@ -1,7 +1,7 @@
 moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
index f581dd3192..4c078117f6 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
@@ -1,9 +1,8 @@
-By setting strictcrlpolicy=yes, a strict CRL policy is enforced on
+By setting revocation = strict, a strict CRL policy is enforced on
 both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which is sending its self-signed
-OCSP signer certificate. A strongswan ca section in ipsec.conf
-defines an OCSP URI pointing to winnetou.
-
+OCSP signer certificate.
+
 carol cannot successfully initiate an IPsec connection to moon since the self-signed certificate contained in the OCSP response will not be accepted by moon.
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 0e97d45bd2..1c6a21f934 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,5 +2,5 @@ moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
 moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer certificate::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 05e27f641a..0000000000
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index 48e8fc6ff7..c7b494ddca 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..6fd22973fa
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://ocsp.strongswan.org:8880
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e441e661f3..0000000000
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-ca strongswan-ca
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- keyexchange=ikev2
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index 7a64dce303..d9c31430be 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..7103071954
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
index 1af117cf0a..f9d38be139 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,3 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index 903d1e9a8d..1e510f2309 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
index 892f51cd93..c5b3ecc435 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
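Review bot: moon's new swanctl.conf has no `authorities` section, while the deleted moon ipsec.conf carried `ocspuri=http://ocsp.strongswan.org:8880` in its ca section and carol's new swanctl.conf in the same scenario still configures `ocsp_uris`. The evaltest nevertheless expects moon to log `requesting ocsp status from`, so moon presumably obtains the responder URI from the peer certificate itself rather than from configuration; if that asymmetry is intended, a one-line comment in the `remote` block, e.g. `# no ocsp_uris here: moon uses the OCSP URI carried in carol's certificate`, would stop the next reader from treating the missing section as an oversight.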
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/protoport-dual/description.txt b/testing/tests/ikev2/protoport-dual/description.txt
index 7bed8b9590..a93abf119e 100644
--- a/testing/tests/ikev2/protoport-dual/description.txt
+++ b/testing/tests/ikev2/protoport-dual/description.txt
@@ -1,6 +1,8 @@
-Using the left|rightprotoport selectors, two IPsec tunnels
-between the roadwarrior carol and the gateway moon are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. The established tunnels are tested
-by carol by first pinging alice behind moon and
-then setting up an SSH session to the same client.
+Using [<protocol>/<port>] selectors in the
+local_ts and remote_ts child parameters, two IPsec tunnels
+between the roadwarrior carol and the gateway moon are defined.
+The first CHILD_SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections.
+
+The established tunnels are tested by carol by first pinging alice
+behind moon and then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
index 7d367e3c15..b5eec4b31f 100644
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -1,9 +1,7 @@
-carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index af5fa19ef1..91e32f7ba4 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index 93f4345989..91e32f7ba4 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
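Review bot: The new carol pattern in protoport-dual/evaltest.dat ends with `remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES`, one closing bracket short of the moon pattern's `\[tcp/ssh]]`; because the match is unanchored the check still passes, but it would also accept a longer selector that merely starts with `tcp/ssh`. `remote-ts=\[10.1.0.0/16\[tcp/ssh]]::YES` keeps the two lines symmetric and pins the selector exactly as the moon line does.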
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
index 046d4cfdc4..af9cda6caf 100644
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index 02f4aa82be..f0563179c1 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,10 +1,10 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-icmp
-moon::expect-connection rw-ssh
-carol::expect-connection home-icmp
-carol::expect-connection home-ssh
-carol::ipsec up home-icmp
-carol::ipsec up home-ssh
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection icmp
+moon::expect-connection ssh
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::swanctl --initiate --child icmp 2> /dev/null
+carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
index 4a5fc470f0..307c7e9cc7 100644
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
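Review bot: The two new lines `carol::swanctl --initiate --child icmp 2> /dev/null` and `carol::swanctl --initiate --child ssh 2> /dev/null` in protoport-dual/pretest.dat discard stderr, which is where swanctl reports a failed or timed-out initiation, so a setup failure only shows up indirectly when the later ping and ssh checks fail. The ocsp pretests in this same commit use `carol::swanctl --initiate --child home` without the redirection; unless the stderr output is known to upset the runner here, dropping `2> /dev/null` keeps the failure reason in the test log.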
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/protoport-range/description.txt b/testing/tests/ikev2/protoport-range/description.txt
similarity index 99%
rename from testing/tests/swanctl/protoport-range/description.txt
rename to testing/tests/ikev2/protoport-range/description.txt
index 7e64bcd72c..fc4ff696db 100644
--- a/testing/tests/swanctl/protoport-range/description.txt
+++ b/testing/tests/ikev2/protoport-range/description.txt
@@ -3,5 +3,6 @@ Using [<protocol>/<port>] selectors in the
 between the roadwarrior carol and the gateway moon are defined. The first CHILD_SA is restricted to ICMP request packets, the second covers ICMP reply packets and the third TCP-based FTP and SSH connections.
+
 The established tunnels are tested by carol by first pinging alice behind moon and then setting up an SSH session to the same client.
diff --git a/testing/tests/swanctl/protoport-range/evaltest.dat b/testing/tests/ikev2/protoport-range/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/protoport-range/evaltest.dat
rename to testing/tests/ikev2/protoport-range/evaltest.dat
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-range/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/protoport-dual/posttest.dat
rename to testing/tests/ikev2/protoport-range/posttest.dat
diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/ikev2/protoport-range/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/protoport-range/pretest.dat
rename to testing/tests/ikev2/protoport-range/pretest.dat
diff --git a/testing/tests/ikev2/protoport-range/test.conf b/testing/tests/ikev2/protoport-range/test.conf
new file mode 100644
index 0000000000..307c7e9cc7
--- /dev/null
+++ b/testing/tests/ikev2/protoport-range/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
deleted file mode 100644
index 046d4cfdc4..0000000000
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
deleted file mode 100644
index 046d4cfdc4..0000000000
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
deleted file mode 100644
index 046d4cfdc4..0000000000
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
deleted file mode 100644
index d7f7959f1f..0000000000
--- a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/test.conf b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/reauth-mbb-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
deleted file mode 100644
index 046d4cfdc4..0000000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
deleted file mode 100644
index 046d4cfdc4..0000000000
--- a/testing/tests/ikev2/reauth-mbb/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
deleted file mode 100644
index e34f702774..0000000000
--- a/testing/tests/ikev2/reauth-mbb/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
deleted file mode 100644
index 4a5fc470f0..0000000000
--- a/testing/tests/ikev2/reauth-mbb/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/swanctl/redirect-active/description.txt b/testing/tests/ikev2/redirect-active/description.txt
similarity index 100%
rename from testing/tests/swanctl/redirect-active/description.txt
rename to testing/tests/ikev2/redirect-active/description.txt
diff --git a/testing/tests/swanctl/redirect-active/evaltest.dat b/testing/tests/ikev2/redirect-active/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/redirect-active/evaltest.dat
rename to testing/tests/ikev2/redirect-active/evaltest.dat
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/iptables.rules
rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/alice/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/redirect-active/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/redirect-active/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/redirect-active/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/redirect-active/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/redirect-active/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/redirect-active/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/redirect-active/posttest.dat b/testing/tests/ikev2/redirect-active/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/redirect-active/posttest.dat
rename to testing/tests/ikev2/redirect-active/posttest.dat
diff --git a/testing/tests/swanctl/redirect-active/pretest.dat b/testing/tests/ikev2/redirect-active/pretest.dat similarity index 100% rename from testing/tests/swanctl/redirect-active/pretest.dat rename to testing/tests/ikev2/redirect-active/pretest.dat diff --git a/testing/tests/swanctl/redirect-active/test.conf b/testing/tests/ikev2/redirect-active/test.conf similarity index 100% rename from testing/tests/swanctl/redirect-active/test.conf rename to testing/tests/ikev2/redirect-active/test.conf diff --git a/testing/tests/swanctl/rw-cert-ppk/description.txt b/testing/tests/ikev2/rw-cert-ppk/description.txt similarity index 99% rename from testing/tests/swanctl/rw-cert-ppk/description.txt rename to testing/tests/ikev2/rw-cert-ppk/description.txt index 53e1033593..e57ba75401 100755 --- a/testing/tests/swanctl/rw-cert-ppk/description.txt +++ b/testing/tests/ikev2/rw-cert-ppk/description.txt @@ -5,6 +5,7 @@ derived key material. The PPK_ID used by dave is unknown to moon but since both peers don't enforce the use of a PPK they fall back to regular authentication by use of the authentication data provided in the NO_PPK_AUTH notify. + Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping diff --git a/testing/tests/swanctl/rw-cert-ppk/evaltest.dat b/testing/tests/ikev2/rw-cert-ppk/evaltest.dat similarity index 100% rename from testing/tests/swanctl/rw-cert-ppk/evaltest.dat rename to testing/tests/ikev2/rw-cert-ppk/evaltest.dat diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf 
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-ppk/posttest.dat b/testing/tests/ikev2/rw-cert-ppk/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/posttest.dat
rename to testing/tests/ikev2/rw-cert-ppk/posttest.dat
diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/ikev2/rw-cert-ppk/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/ip-pool/pretest.dat
rename to testing/tests/ikev2/rw-cert-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-cert/test.conf b/testing/tests/ikev2/rw-cert-ppk/test.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert/test.conf
rename to testing/tests/ikev2/rw-cert-ppk/test.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/description.txt b/testing/tests/ikev2/rw-cert-pss/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/description.txt
rename to testing/tests/ikev2/rw-cert-pss/description.txt
diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/ikev2/rw-cert-pss/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/evaltest.dat
rename to testing/tests/ikev2/rw-cert-pss/evaltest.dat
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-cert-pss/posttest.dat b/testing/tests/ikev2/rw-cert-pss/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-cert-pss/posttest.dat
rename to testing/tests/ikev2/rw-cert-pss/posttest.dat
diff --git a/testing/tests/swanctl/rw-cert-ppk/pretest.dat b/testing/tests/ikev2/rw-cert-pss/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-cert-ppk/pretest.dat
rename to testing/tests/ikev2/rw-cert-pss/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-cert-pss/test.conf
old mode 100644
new mode 100755
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-md5/test.conf
rename to testing/tests/ikev2/rw-cert-pss/test.conf
diff --git a/testing/tests/ikev2/rw-cert/description.txt b/testing/tests/ikev2/rw-cert/description.txt
old mode 100644
new mode 100755
index 15b3822b5c..f190c07527
--- a/testing/tests/ikev2/rw-cert/description.txt
+++ b/testing/tests/ikev2/rw-cert/description.txt @@ -1,6 +1,7 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes + +Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat old mode 100644 new mode 100755 index 849d59a4e3..8a8a95f7ec --- a/testing/tests/ikev2/rw-cert/evaltest.dat +++ b/testing/tests/ikev2/rw-cert/evaltest.dat 
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 8ecdb7183a..aeb1b75422
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
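Review bot: The new evaltest reverses the ping direction — `alice::ping -c 1 192.168.0.100` and `alice::ping -c 1 192.168.0.200` replace the removed `carol::ping -c 1 PH_IP_ALICE` and `dave:: ping -c 1 PH_IP_ALICE` — while rw-cert/description.txt, rewritten in the same commit, still says that carol and dave ping the client alice; either the description or the evaltest should be brought in line. With both pings now originating inside moon's subnet, the roadwarrior-initiated direction through the updown-installed firewall rules on carol and dave (assuming their swanctl.conf, not visible here, still runs the updown script) is no longer exercised, so keeping one client-side ping next to the alice pings would cover both directions. Separately, this file flips to `new mode 100755`, as do description.txt, the three strongswan.conf files, posttest.dat, pretest.dat and test.conf of this test; these are data and configuration files and should stay 0644.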
@@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - integrity_test = yes - crypto_test { - on_add = yes - } +charon-systemd { + load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown } diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index 8ecdb7183a..aeb1b75422 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - integrity_test = yes - crypto_test { - on_add = yes - } +charon-systemd { + load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown } 
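Review bot: carol's new strongswan.conf drops `integrity_test = yes`, the `crypto_test { on_add = yes }` block and the `test-vectors` plugin from the load list, whereas moon's rewrite in this commit keeps all three; dave's hunk on the same line makes the identical change. If the known-answer self-tests are meant to run on the gateway only, a one-line comment in the two roadwarrior files, `# integrity/crypto self-tests run on moon only`, would record that; otherwise the lines should come back, as they are the only runtime check in this test that the loaded ciphers produce correct results. The new `charon-systemd` load list also no longer contains `cmac`; given that the evaltest expects only HMAC_SHA2_256_128 and AES_GCM_16 it looks unused, but it is worth confirming this is intentional rather than a copy from a differently configured test.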
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index 8ecdb7183a..f12797e715 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,9 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes + crypto_test { on_add = yes } diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat old mode 100644 new mode 100755 index 1865a1c60e..eb21008563 --- a/testing/tests/ikev2/rw-cert/posttest.dat +++ b/testing/tests/ikev2/rw-cert/posttest.dat 
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt
index 0135f078c6..d26485303e 100644
--- a/testing/tests/ikev2/rw-dnssec/description.txt
+++ b/testing/tests/ikev2/rw-dnssec/description.txt
@@ -3,8 +3,10 @@ The authentication is based on trustworthy public keys stored as IPSECKEY resource records in the Domain Name System (DNS) and protected by DNSSEC. Both carol and dave request a virtual IP via the IKEv2 configuration payload -by using the leftsourceip=%config parameter. leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the -tunnels, carol and dave then ping the client alice behind the gateway -moon. The source IP addresses of the two pings will be the virtual IPs carol1 -and dave1, respectively. +by using the vips = 0.0.0.0 parameter. + +Upon the successful establishment of the IPsec tunnel, the updown-script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnels, carol and dave then ping the client alice +behind the gateway moon. The source IP addresses of the two pings will be the virtual IPs +10.3.0.1 and 10.3.0.2, respectively. diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat index ea7103a66d..73a2ff4b06 100644 --- a/testing/tests/ikev2/rw-dnssec/evaltest.dat +++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat 
@@ -1,19 +1,15 @@
 carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 082b18a7f1..0000000000
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
+++ /dev/null
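Review bot: The new swanctl lines hard-code the virtual IPs (`local-vips=\[10.3.0.1]`, `remote-vips=\[10.3.0.2]`, `local-ts=\[10.3.0.1/32]`) while the retained lines in the same file still use the `PH_IP_CAROL1` and `PH_IP_DAVE1` placeholders for the very same addresses; one convention per file would be clearer, and the placeholder form is the one the rest of the test suite uses. The `--ike-id 1` / `--ike-id 2` matches also bind carol to 10.3.0.1 and dave to 10.3.0.2, which only holds if carol always initiates first; the pretest for this test lies outside the visible hunks, so I cannot confirm that ordering. Since the commit moves the DNSSEC trust anchors to /etc/swanctl/dnssec.keys, this evaltest would catch a misplaced anchor file if it asserted that the IPSECKEY answer was DNSSEC-validated rather than only that a query was performed; I am not sure of the exact log line the unbound plugin emits for a validated answer, so that pattern would need checking against a run.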
@@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=%any - leftsourceip=%config - leftid=carol.strongswan.org - leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE=" - leftauth=pubkey - leftfirewall=yes - right=moon.strongswan.org - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf index 29fa36133d..6339790cdd 100644 --- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -1,11 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve plugins { ipseckey { enable = yes } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } } } diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys similarity index 100% rename from testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys 
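Review bot: The `unbound { trust_anchors = /etc/swanctl/dnssec.keys }` block added to carol's strongswan.conf is what keeps DNSSEC validation working after this commit renames the anchor file from /etc/ipsec.d/dnssec.keys to /etc/swanctl/dnssec.keys (the plugin's default path is, if I recall correctly, the old /etc/ipsec.d location); a comment above the block, `# trust anchors moved from /etc/ipsec.d (plugin default) to /etc/swanctl`, would make that dependency explicit for whoever next relocates the file. The same block is added for dave and moon in the hunks that follow, so the comment belongs in all three. The carol load list also drops `md5`, which makes the file identical to dave's (both now carry blob 6339790cdd); with IPSECKEY/pubkey authentication and SHA-2 only, that is consistent.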
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index a68f981d11..0000000000
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%any
- leftsourceip=%config
- leftid=dave.strongswan.org
- leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
- leftauth=pubkey
- leftfirewall=yes
- right=moon.strongswan.org
- rightid=moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
index 0d3c7b781c..6339790cdd 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve plugins { ipseckey { enable = yes } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } } } diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys similarity index 100% rename from testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 3c5c64cdeb..0000000000 --- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=moon.strongswan.org - leftauth=pubkey - leftsigkey=moonPub.pem - leftfirewall=yes - right=%any - rightauth=pubkey - rightsourceip=10.3.0.0/24 - auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf index fa853d435f..617b812d57 100644 
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac stroke kernel-netlink socket-default updown attr +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS @@ -10,5 +10,8 @@ charon { ipseckey { enable = yes } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } } } diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys similarity index 100% rename from testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat index 17572e0bd7..3a662980f8 100644 --- a/testing/tests/ikev2/rw-dnssec/posttest.dat +++ b/testing/tests/ikev2/rw-dnssec/posttest.dat 
@@ -1,12 +1,11 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::cd /etc/swanctl; rm dnssec.keys pubkey/* +carol::cd /etc/swanctl; rm dnssec.keys pubkey/* +dave::cd /etc/swanctl; rm dnssec.keys pubkey/* moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/resolv.conf -carol::rm /etc/resolv.conf -dave::rm /etc/resolv.conf -moon::rm /etc/ipsec.d/dnssec.keys -carol::rm /etc/ipsec.d/dnssec.keys -dave::rm /etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat index ee5bc7c721..94c1fc82c5 100644 --- a/testing/tests/ikev2/rw-dnssec/pretest.dat +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -1,14 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm x509/* x509ca/* +carol::cd /etc/swanctl; rm x509/* x509ca/* +dave::cd /etc/swanctl; rm x509/* x509ca/* +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf index 164b07ff97..a542d037ed 100644 --- a/testing/tests/ikev2/rw-dnssec/test.conf +++ b/testing/tests/ikev2/rw-dnssec/test.conf 
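Review bot: The three `rm /etc/resolv.conf` cleanup lines are removed from posttest.dat without a replacement, while the new strongswan.conf for carol and dave still loads the `resolve` plugin and moon still pushes `dns1`/`dns2`, so a resolv.conf written during tunnel setup would presumably survive into the next test. If the resolve plugin no longer leaves a file behind in this setup, a short comment in posttest.dat saying so would help; otherwise the three lines should be kept. The added `cd /etc/swanctl; rm dnssec.keys pubkey/*` lines do cover the old `rm /etc/ipsec.d/dnssec.keys` cleanup, so that part of the teardown is complete.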
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt index 893a272303..c39829dd5b 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt @@ -4,7 +4,7 @@ an IKEv2 digital signature accompanied by an X.509 certificate. Next carol uses the Authentication and Key Agreement (EAP-AKA) method of the Extensible Authentication Protocol to authenticate herself. -This EAP method used in UMTS, but here a secret defined in ipsec.secrets +This EAP method used in UMTS, but here a secret defined in swanctl.conf is used instead of a USIM/(R)UIM device. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index 25871f8930..a655543f9c 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat 
@@ -3,12 +3,8 @@ carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - 
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf index 364b8c0fc5..1582b2b01b 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf index 364b8c0fc5..1582b2b01b 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf 
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat index 1578796a1e..68075b0920 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat 
@@ -1,7 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf index e093d43d83..97b89cb611 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt index da5b72735e..0138e35f5a 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt @@ -4,5 +4,5 @@ an IKEv2 digital signature accompanied by an X.509 certificate. Next carol uses the Authentication and Key Agreement (EAP-AKA) method of the Extensible Authentication Protocol to authenticate herself. -This EAP method used in UMTS, but here a secret defined in ipsec.secrets -is used instead of a USIM/(R)UIM device. \ No newline at end of file +This EAP method used in UMTS, but here a secret defined in swanctl.conf +is used instead of a USIM/(R)UIM device. diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 795164c7f7..0d4f741977 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat 
@@ -2,12 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - 
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index a919d68ec2..4d4fc3583e 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - integrity_test = yes +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index a919d68ec2..4d4fc3583e 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf 
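Review bot: `integrity_test = yes` is dropped from carol's strongswan.conf in this hunk and is not carried into the new `charon-systemd` section, so the migrated test silently stops enabling the library integrity check the old `charon` configuration turned on. If that check was part of what this test verifies, keep it as `integrity_test = yes` inside the `charon-systemd { … }` block; if it was dropped on purpose, a comment saying so would prevent the next migration from re-adding it. The same line disappears in the moon strongswan.conf hunk of this test.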
@@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - integrity_test = yes +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat index ee4673009a..68075b0920 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat 
@@ -1,7 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw-eap-aka +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf index e093d43d83..97b89cb611 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat index b31a468098..b529b4bcef 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat 
@@ -3,12 +3,8 @@ carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - 
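Review bot: The context line `moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established` has no `::YES` field, unlike every other check in this hunk, so it presumably never contributes a verdict. Since the surrounding expectations were rewritten anyway, appending `::YES` to it would turn it into an actual assertion that the MSK was established on the gateway. I cannot see from the hunk how the harness treats a three-field line, so that is worth confirming before relying on it.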
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf index 81d2c8e74a..653488a665 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown plugins { eap-simaka-sql { diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf index 81d2c8e74a..653488a665 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf 
@@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown plugins { eap-simaka-sql { diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat index e3d7998a95..6356b88474 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat 
@@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db -moon::ipsec start -carol::ipsec start +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf index e093d43d83..97b89cb611 100644 --- a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat deleted file mode 100644 index 046d4cfdc4..0000000000 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt index a1512ca9eb..42db2e199f 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt 
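Review bot: The SIM/AKA credential database is still built in place with `cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db` while everything else in this test moved from ipsec.d to /etc/swanctl, and the new `cd /etc/swanctl; rm rsa/* x509/*` line sits right next to it. This only works as long as the `eap-simaka-sql { database = … }` setting, which lies outside the visible part of the strongswan.conf hunks, still points under /etc/ipsec.d. A comment on the database lines, `# eap-simaka-sql database deliberately stays under /etc/ipsec.d`, would record that the split is intentional rather than a leftover of the migration.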
@@ -1,10 +1,10 @@ The roadwarrior carol sets up a connection to gateway moon. At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then uses the Extensible Authentication Protocol -in association with an MD5 challenge and response protocol -(EAP-MD5) to authenticate against the gateway moon. -In addition to her IKEv2 identity carol@strongswan.org, roadwarrior +an IKEv2 digital signature accompanied by an X.509 certificate. + +Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. + +The gateway forwards all EAP messages to the RADIUS server alice. +In addition to her IKEv2 identitycarol@strongswan.org, roadwarrior carol uses the EAP identity carol. -The user password is kept in ipsec.secrets on the client carol -and the gateway forwards all EAP messages to the RADIUS server alice. diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 60a5a778dd..3080ec15a6 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat 
@@ -3,12 +3,8 @@ moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf index e69de29bb2..23cba8d11b 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default index 1dc69d90dc..2bbe1d7300 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -8,6 +8,7 @@ listen { authorize { preprocess + suffix eap { ok = return } diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf index 783587b556..23cba8d11b 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf @@ -1,4 +1,4 @@ -realm LOCAL { +realm strongswan.org { type = radius authhost = LOCAL accthost = LOCAL diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default index a67a5dcb42..dd0825858a 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -1,4 +1,5 @@ authorize { + suffix eap { ok = return } 
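Review bot: The `realm strongswan.org { … authhost = LOCAL … }` block is added to both proxy.conf variants and `suffix` to both `authorize` sections without anything tying the two together, so a reader of proxy.conf alone cannot tell why a realm that is never proxied needs to exist. A comment above the realm such as `# 'suffix' in authorize splits user@strongswan.org; this realm keeps that user local instead of proxying it` would document the presumed dependency (worth confirming against the FreeRADIUS realm/suffix module behaviour). The same settings are now duplicated across the freeradius and freeradius/3.0 trees and will have to be kept in sync by hand.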
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf index 0250ce3b12..d2cc789b3f 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown } diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf index 3a8d5c20c2..fa363c3455 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf 
@@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown plugins { eap-radius { diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat index 4361417fd1..4b05d1f78c 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::systemctl stop strongswan +moon::systemctl stop strongswan alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat index 012323f8f4..193f9e9c8c 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat 
@@ -1,8 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index eb1e15dd25..0d9e9f3d43 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/description.txt
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/evaltest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
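Review bot: The added `carol::cd /etc/swanctl; rm rsa/* x509/*` line deletes carol's RSA key and certificate before her daemon starts, which is what forces her to authenticate with EAP only, but nothing in the test says so; a later reader could easily drop the line as clutter and silently re-enable public-key authentication for the client. Since the .dat files carry no comments, I'd record it in description.txt, e.g. `carol's RSA key and certificate are removed before the test so that the EAP secret is her only credential`. Two smaller things: `rm` without `-f` reports an error if either directory is already empty, which matters only if the harness treats a failing pretest command as fatal (I can't tell from here), and `2> /dev/null` on the `swanctl --initiate` line discards the only diagnostic you would get if the initiation fails, leaving the evaltest regexes to fail without context.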
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/test.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/test.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-id-rsa/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/description.txt
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/evaltest.dat
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/protoport-range/posttest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/posttest.dat
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-rsa/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-id-rsa/test.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
rename to testing/tests/ikev2/rw-eap-md5-id-rsa/test.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-radius/description.txt
index 12bdc9fdde..f0f241dc1f 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-radius/description.txt
@@ -1,8 +1,7 @@
 The roadwarrior carol sets up a connection to gateway moon.
 At the outset the gateway authenticates itself to the client by sending
-an IKEv2 RSA signature accompanied by a certificate.
-carol then uses the Extensible Authentication Protocol
-in association with an MD5 challenge and response protocol
-(EAP-MD5) to authenticate against the gateway moon.
-The user password is kept in ipsec.secrets on the client carol
-and the gateway forwards all EAP messages to the RADIUS server alice.
+an IKEv2 digital signature accompanied by an X.509 certificate.
+
+Next carol uses the MD5 (EAP-MD5) method of the
+Extensible Authentication Protocol to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server alice.
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index f3e5aa0a1e..09a78be834 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -2,10 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf index f399dfbf1e..e57629f2e4 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown } diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf index 6d37fbb9d6..bf614014d4 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf 
@@ -1,11 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown plugins { eap-radius { - secret = gv6URkSs + secret = gv6URkSs server = PH_IP_ALICE } } diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat index 4361417fd1..4b05d1f78c 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::systemctl stop strongswan +moon::systemctl stop strongswan alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat index 012323f8f4..193f9e9c8c 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat 
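Review bot: The `eap-radius` block keeps the RADIUS shared secret `gv6URkSs` in cleartext and this hunk only re-indents it, but the file gives no hint that the value is a testbed fixture that has to match the RADIUS server's client entry, nor that it is the key behind the Message-Authenticator that integrity-protects the EAP-Message attributes relayed to alice. I'd add above it: `# test-only RADIUS shared secret; must match alice's freeradius client configuration`. An 8-character secret is acceptable for a closed testbed, but flagging it as test-only keeps it from being copied into a real gateway as-is.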
@@ -1,8 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index eb1e15dd25..0d9e9f3d43 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index d4617bf423..c0026af4ff 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,12 +1,10 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > 
carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf index f399dfbf1e..e57629f2e4 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown } diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf index f399dfbf1e..e57629f2e4 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown } 
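Review bot: The new `moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established` line has no `::YES` result field, unlike every other line in the hunk, so it presumably is not evaluated (or is evaluated against an empty expectation — I can't tell from here which the harness does). The fact it greps for is the security-relevant one: EAP-MD5 produces no MSK, so carol's AUTH payload is keyed from the IKE SA alone and, as RFC 7296 §2.16 warns for non-key-generating EAP methods, resistance to a man-in-the-middle rests entirely on carol validating moon's certificate — which the `with RSA.* successful` line at the top of the file does check. I'd make it a real assertion, `moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES`, so that the dependency is pinned and noticed if the logging or the method changes. The `--ike-id 1` on moon's `--list-sas` line also assumes this is the first IKE SA moon created in the run; true for this single-initiation test, fragile if a retry is ever added.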
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
index 046d4cfdc4..af9cda6caf 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index 1578796a1e..68075b0920 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,7 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index e093d43d83..97b89cb611 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
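Review bot: This posttest adds `carol::swanctl --terminate --ike home` before stopping the services, while the sibling posttests converted in the same patch (rw-eap-md5-radius, rw-eap-md5-id-radius) go straight to `systemctl stop strongswan`; the two differ in whether moon receives an IKE DELETE before carol's daemon goes away, which changes what ends up in moon's log and whether SAs and kernel policies linger until the service stop. I'd pick one pattern for all converted tests — the explicit `--terminate` is the cleaner one, since it exercises the DELETE exchange and leaves both peers with no state — and apply it consistently. Note also that the stop order was flipped to carol-then-moon here, which is the sensible order for an initiator-terminated SA.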
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index e72426b29a..a1c2d4e881 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,14 +1,11 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES -moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES -moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol +moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 
remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf index 51eaacbe42..d9210aeb56 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown } diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf index 51eaacbe42..d9210aeb56 100644 
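Review bot: The hunk drops `::YES` from `moon:: cat /var/log/daemon.log::received EAP identity.*carol`, which the old file did assert, and adds `EAP method EAP_MSCHAPV2 succeeded, no MSK established` without a result field, so two lines now read like assertions but presumably are not evaluated. The identity is still pinned by `remote-eap-id=carol` in moon's `--list-sas` line, so the first is largely redundant; the second is suspicious on its face, because strongSwan's EAP-MSCHAPv2 does derive an MSK as far as I know, in which case this pattern would never match and looks copied from the EAP-MD5 test where it does apply. I'd check moon's log and either assert `moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, MSK established::YES`, which is the property worth pinning since it means carol's AUTH payload is bound to the EAP exchange, or drop the line rather than leave an unevaluated pattern in the file.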
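Review bot: The daemon `load` line pulls in `des` and `md4` next to the real IKE primitives, and nothing says they are there only because EAP-MSCHAPv2 needs MD4 for the NT password hash and DES for the challenge response; a reader hardening this file could either drop them (breaking EAP) or assume single DES is on offer for IKE/ESP. I'd add a comment above the list: `# des and md4 are required by eap-mschapv2 (NT hash, DES challenge/response), not for IKE or ESP proposals`. The evaltest for this test pins `encr-alg=AES_CBC` and `dh-group=CURVE_25519`, so DES is demonstrably not negotiated, which is worth stating next to the list. The same applies to moon's file in the next hunk.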
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown } diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat index 1578796a1e..68075b0920 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat 
@@ -1,7 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
index e093d43d83..97b89cb611 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
index c7884ee0e4..247aabe179 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -10,14 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed: moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@strongswan.org::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO -moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf index 80cd79ed77..56df2de453 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -1,6 +1,20 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf index 80cd79ed77..56df2de453 100644 
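Review bot: The hunk removes the four `::NO` assertions that dave — whose EAP-PEAP authentication this test expects to fail — ends up with no IKE SA and no CHILD_SA, and replaces them only with positive checks for carol, so a regression in which moon installs a tunnel for a peer that failed EAP would no longer be caught; the surviving `EAP method EAP_PEAP failed for peer dave@strongswan.org` log line proves the method failed, not that no SA was kept. I'd restore the negative half with the swanctl equivalents: `dave:: swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org.*state=ESTABLISHED::NO`. A `moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO` would additionally confirm that no ESP traffic from dave ever appears on the wire.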
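Review bot: The new `libtls` block restricts the PEAP tunnel to two `TLS_DHE_RSA_*_GCM_*` suites, the daemon list gains `gcm`, and the old `mfg1` typo is corrected to `mgf1`, but none of this is explained; the suite pin is the security-relevant part, since it forces an AEAD cipher with ephemeral-DH forward secrecy for the TLS leg that carries the inner EAP-MD5 exchange. I'd comment the block: `# pin the PEAP TLS tunnel to AEAD suites with DHE forward secrecy; needs the gcm plugin in charon-systemd.load`. The `mgf1` fix deserves a mention in the commit message, because with `mfg1` no such plugin could have loaded and whatever depended on it was silently unavailable (presumably logged as an unknown plugin — the old log is not visible here). `tls = 2` under `syslog.daemon` raises TLS log verbosity; fine for the testbed, but worth marking as test-only so it does not travel into templates.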
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -1,6 +1,20 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf index 6a81b4715e..347e7f7b2b 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf 
@@ -1,13 +1,22 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
- multiple_authentication=no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
 plugins {
 eap-peap {
 phase2_method = md5
 phase2_piggyback = yes
- }
- }
+ }
+ }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
index 1865a1c60e..e5c82ef20d 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index dccf85419d..69f83f67ae 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
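Review bot: The new `charon-systemd` block in moon's rw-eap-peap-md5 strongswan.conf is laid out differently from the carol and dave variants in this same commit: `+}` closing the `swanctl` section is immediately followed by `+charon-systemd {` with no separating line, while an empty added line sits between `load = …` and `multiple_authentication=no`. Moving that blank line up between the two sections would make the three files line up. Moon also does not receive the `libtls { suites = … }` restriction that carol and dave get; if the server side is meant to accept whatever the clients offer, a one-line `# TLS suites are restricted on the clients` comment would spare the next reader the question.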
@@ -1,11 +1,13 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
index f292988506..1227b9d1c0 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
index 6ba3e10e90..1093e51ada 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP 
moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
index d3f333d543..b3fdc5d70a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,20 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
index d3f333d543..b3fdc5d70a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
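Review bot: The negative assertions that dave must not end up with an SA are gone: the removed `moon:: ipsec status … dave@strongswan.org::NO` and `dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO` lines get no swanctl counterpart, so this evaltest now only checks the daemon log for the EAP_PEAP failure and would still pass if a failed EAP exchange somehow left an established IKE_SA. Adding `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO` and `dave:: swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` restores the check. The same drop appears in the rw-eap-peap-radius evaltest at L7987 and in rw-eap-sim-only-radius at L7996–L7997, where dave's `ping … ::NO` is kept but no SA-level negative check remains.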
@@ -1,6 +1,20 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
index b694c60712..c7023a6838 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
 plugins {
 eap-peap {
 phase2_method = mschapv2
- }
- }
+ }
+ }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
index 1865a1c60e..e5c82ef20d 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index dccf85419d..69f83f67ae 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,11 +1,13 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
index f292988506..1227b9d1c0 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/description.txt b/testing/tests/ikev2/rw-eap-peap-radius/description.txt
index 89db03a385..0040682262 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-peap-radius/description.txt
@@ -1,8 +1,9 @@
 The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-RSA signature accompanied by a certificate.
-carol and dave then set up an EAP-PEAP tunnel each via moon to
-the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
-The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on EAP-MD5.
-carol presents the correct MD5 password and succeeds whereas dave chooses the
-wrong password and fails.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+
+Next carol and dave et up an EAP-PEAP tunnel each via
+gateway moon to the RADIUS server alice authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on EAP-MD5. carol presents the correct MD5 password
+and succeeds whereas dave chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index edfb7cddda..291e249da9 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
index c8c3f85627..cb7743f825 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
- multiple_authentication=no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
index c8c3f85627..cb7743f825 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
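Review bot: carol's new `charon-systemd` section drops the `multiple_authentication=no` that the removed `charon` section carried, and the dave and moon hunks for rw-eap-peap-radius at L7989 do the same, whereas the rw-eap-peap-md5 and rw-eap-peap-mschapv2 variants in this commit keep the setting under `charon-systemd`. If the RADIUS-backed variant no longer needs it, a `# multiple_authentication left at its default` comment in the three files would record that; otherwise `multiple_authentication=no` should be re-added so the PEAP tests stay configured alike.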
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
- multiple_authentication=no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
index 9681551467..bf614014d4 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
- multiple_authentication=no
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
 plugins {
 eap-radius {
- secret = gv6URkSs
+ secret = gv6URkSs
 server = PH_IP_ALICE
 }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index a6619d02bf..a3aff64c3d 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index c98e8ed53a..6363fcb590 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,12 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
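Review bot: In the rw-eap-peap-radius pretest.dat hunk, `-dave::iptables-restore < /etc/iptables.rules` is replaced by a second `+carol::iptables-restore < /etc/iptables.rules`, so carol's rules are loaded twice and dave runs the whole test without its firewall rules. That looks like a copy slip rather than intent, since every other pretest in this commit keeps one iptables-restore line per host, and it means the host whose authentication is expected to fail is no longer exercised under the same firewall conditions as carol. The line should read `dave::iptables-restore < /etc/iptables.rules`.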
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
index 20d5863094..0e5512b655 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index e7d9786349..038a2c1e16 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -3,10 +3,8 @@ moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 51614f7163..11ae80c1ea 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 3a8d5c20c2..fa363c3455 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-net link socket-default eap-radius eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
 plugins {
 eap-radius {
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 4361417fd1..4b05d1f78c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 53aa83f0cb..18411263ec 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,9 +1,10 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
 carol::cat /etc/ipsec.d/triplets.dat
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index eb1e15dd25..0d9e9f3d43 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS="alice"
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index 8502d7a72e..3d3359775d 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -2,14 +2,12 @@ carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 
local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index 8d68b81fc2..51b64a74b3 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,4 +1,7 @@
 authorize {
+ preprocess
+ chap
+ mschap
 files
 suffix
 update reply {
@@ -15,9 +18,24 @@ authorize {
 eap {
 ok = return
 }
+ unix
+ files
+ expiration
+ logintime
+ pap
 }
 authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
 eap
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index 195893a188..bcd8ef0e33 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
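Review bot: In the second hunk of alice's FreeRADIUS `default` site, `files` is now listed twice in `authorize` (once next to `suffix` near the top, again in the added `unix files expiration logintime pap` run after the `eap` block), so the users file would be consulted twice for any request not short-circuited by `eap { ok = return }`. The same hunk enables PAP, CHAP, MS-CHAP and `unix` authentication on a server that this test only drives through EAP-SIM, which widens what alice accepts beyond what the test needs; if these lines came from the stock site template, trimming `authorize` back to `preprocess`, `suffix`, `files`, `eap` and `authenticate` back to `eap` keeps the fixture minimal and makes the intended path obvious. If the extra modules are wanted for another test, a comment at the top of `authorize` naming that test would help.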
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown } diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf index 195893a188..bcd8ef0e33 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown } 
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf index 6725cf8303..bf614014d4 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf @@ -1,11 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown plugins { eap-radius { - secret = gv6URkSs + secret = gv6URkSs server = PH_IP_ALICE } } diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat index a6619d02bf..a3aff64c3d 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat 
@@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat index 04b824def8..867c7248c1 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat @@ -1,20 +1,16 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat alice::freeradius -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf index 29bfaa78c9..93f23f1d6e 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 
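Review bot: The pretest hunk no longer clears any trust anchors: the old version removed `/etc/ipsec.d/cacerts/*` on moon, carol and dave, while the new one removes only carol's and dave's own keys and end-entity certificates (`carol::cd /etc/swanctl; rm rsa/* x509/*`, same for dave) and nothing on moon, so the x509ca directories stay populated. The old lines made certificate-based authentication impossible by construction; the EAP-only outcome now rests solely on the swanctl.conf settings, which is a weaker check of the "-only" property this test is named after. If that is intended, a sentence in the commit message would help; otherwise extend the cleanup to `rm rsa/* x509/* x509ca/*` on carol and dave and add the matching line for moon.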
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 0c9c2b4a7e..476e4e1fc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -2,14 +2,12 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 
local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf index e78434f8f8..bcd8ef0e33 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown } diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf index e78434f8f8..bcd8ef0e33 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown } diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf index 6d37fbb9d6..bf614014d4 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf @@ -1,11 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown plugins { eap-radius { - secret = gv6URkSs + secret = gv6URkSs server = PH_IP_ALICE } } 
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index a6619d02bf..a3aff64c3d 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index e171997bc3..867c7248c1 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,14 +1,16 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index 42d23a50bb..93f23f1d6e 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index 17e3157f87..1e967896e9 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,10 +1,9 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > 
carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf index e652c52d7d..bcd8ef0e33 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - integrity_test = yes +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown } diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf index 0015835136..bcd8ef0e33 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf 
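Review bot: `integrity_test = yes` is dropped from carol's strongswan.conf in this hunk and from moon's in the next one, and is not re-added under the new `charon-systemd` section, even though `fips-prf` stays in both load lists. If running the integrity checker was part of what rw-eap-sim-rsa covered, it should come back as `integrity_test = yes` inside `charon-systemd { ... }` on both hosts; if the removal is deliberate, the commit message should say so, because none of the other strongswan.conf hunks in this diff carry the option and the drop is easy to miss.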
@@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown - - integrity_test = yes +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random } +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat index 71cab1fbf0..68075b0920 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat 
@@ -1,9 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::cat /etc/ipsec.d/triplets.dat
-carol::cat /etc/ipsec.d/triplets.dat
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap-sim
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
index e093d43d83..97b89cb611 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index 100919a059..c9f3462930 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
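Review bot: The `moon::cat /etc/ipsec.d/triplets.dat` and `carol::cat /etc/ipsec.d/triplets.dat` lines are removed from this pretest although `eap-sim-file` is still loaded on both hosts in their strongswan.conf hunks, and the sibling rw-eap-sim-radius and rw-eap-sim-only-radius pretests in this diff keep their `cat` lines. Keeping them here as well makes the console log show which triplets a failing run used and keeps the three SIM tests consistent.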
@@ -3,8 +3,8 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index a4e10a0318..0b9b399519 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown multiple_authentication=no syslog { diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index f7a382d9e0..69bff64c6f 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf 
@@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown multiple_authentication=no syslog { diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat index 046d4cfdc4..af9cda6caf 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat index 1578796a1e..1e8e27fdf4 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf index 4a5fc470f0..97b89cb611 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/test.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf @@ -5,11 +5,11 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c.png" # Guest instances on which tcpdump is to be started # @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-tls-radius/description.txt b/testing/tests/ikev2/rw-eap-tls-radius/description.txt index 842a88c427..d635ae33ef 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-tls-radius/description.txt @@ -1,5 +1,7 @@ The roadwarrior carol sets up a connection to gateway moon. At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then uses a mutual EAP-TLS authentication based -on X.509 certificates with the remote AAA RADIUS server alice. +an IKEv2 digital signature accompanied by an X.509 certificate. + +Next carol uses a mutual EAP-TLS authentication based +on X.509 certificates. The gateway forwards all EAP messages to the +AAA RADIUS server alice. diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat index 36c0544193..46d88143c4 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat 
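Review bot: `winnetou` is dropped from `VIRTHOSTS` (and from the diagram) in the first hunk of this test.conf, while the carol and moon strongswan.conf hunks for this test still load `curl` and `revocation`. If the test certificates carry a CRL distribution point served by winnetou, the revocation check can no longer complete and the run may still pass with the certificate status merely reported as unavailable, which hides a misconfiguration instead of testing it. Either keep `winnetou` in `VIRTHOSTS` or remove `curl revocation` from both load lists, so the configuration only claims what the run exercises.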
@@ -2,8 +2,8 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, C
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index b4196402dd..3b1e09bced 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -1,8 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown - multiple_authentication=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown + + multiple_authentication = no syslog { daemon { tls = 2 diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf index 783b4c8444..9945befdff 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf 
@@ -1,12 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown plugins { eap-radius { - secret = gv6URkSs + secret = gv6URkSs server = PH_IP_ALICE } } diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat index 4361417fd1..4b05d1f78c 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::systemctl stop strongswan +moon::systemctl stop strongswan alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat index 012323f8f4..9b3942d2e9 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat 
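Review bot: `multiple_authentication=no` is removed from moon's strongswan.conf in this hunk and not re-added under `charon-systemd`, whereas carol's hunk just above keeps it as `multiple_authentication = no`. The two peers of this test now disagree on whether the MULTIPLE_AUTH_SUPPORTED notify is announced; either add `multiple_authentication = no` below the `load =` line of moon's `charon-systemd` section or drop it from carol too, so the setting is symmetric and the intent is visible. The `charon-systemd` section continues past the end of the hunk.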
@@ -1,8 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules alice::freeradius -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf index eb1e15dd25..0d9e9f3d43 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol" # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/description.txt similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/description.txt diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat similarity index 100% rename from testing/tests/swanctl/rw-cert/evaltest.dat rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/posttest.dat similarity index 100% rename from testing/tests/swanctl/rw-cert/posttest.dat rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/posttest.dat diff --git a/testing/tests/swanctl/rw-cert-pss/pretest.dat b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/pretest.dat similarity index 100% rename from testing/tests/swanctl/rw-cert-pss/pretest.dat rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/pretest.dat 
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-tls-sha3-rsa/test.conf old mode 100644 new mode 100755 similarity index 100% rename from testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf rename to testing/tests/ikev2/rw-eap-tls-sha3-rsa/test.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-only/description.txt b/testing/tests/ikev2/rw-eap-ttls-only/description.txt index 3d4c3ab873..19c00531e4 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/description.txt +++ b/testing/tests/ikev2/rw-eap-ttls-only/description.txt @@ -3,7 +3,7 @@ The strong mutual authentication is based on EAP-TTLS only (without a sep authentication) with the gateway being authenticated by a server certificate during the EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client authentication based on EAP-MD5 (phase2 of EAP-TTLS). - + With the default setting charon.plugins.eap-ttls.phase2_piggyback = no the server moon passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by sending a tunneled orphan EAP Identity response upon the reception of the server's TLS diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat index a4b7d58121..46d6be42a7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat 
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed: moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES 
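Review bot: The negative assertions for dave are removed without a swanctl replacement: the old `dave:: ipsec status ... home.*ESTABLISHED::NO` and `moon:: ipsec status ... dave@strongswan.org::NO` lines are gone and the new `--list-sas` checks cover carol only. The test therefore no longer proves that dave's wrong EAP-MD5 password leaves no IKE_SA on either side; it relies solely on the `EAP method EAP_TTLS failed for peer dave@strongswan.org` log line. Suggest adding `dave:: swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO` after the carol checks.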
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf index 0637de363c..c2c9aa5164 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + multiple_authentication=no syslog { daemon { @@ -9,3 +14,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf index 0637de363c..c2c9aa5164 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf 
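Review bot: The new `libtls { suites = ... }` block pins carol's EAP-TTLS handshake to two DHE-RSA AES-GCM suites, but nothing in the hunk explains why, and moon's strongswan.conf in this commit carries no matching pin, so the suite actually negotiated presumably depends on this client-side offer. A short comment above the block, e.g. `# restrict the EAP-TTLS phase1 handshake to DHE-RSA AEAD suites`, would document the intent and also explain why `gcm` was added to the `load` line, since those suites appear to depend on it. Without that note a future cleanup of the plugin list could silently remove the only ciphers the pin allows.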
@@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + multiple_authentication=no syslog { daemon { @@ -9,3 +14,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf index dd1524c64d..8633346d11 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf 
@@ -1,9 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + multiple_authentication=no syslog { daemon { tls = 2 @@ -12,6 +16,6 @@ charon { plugins { eap-ttls { phase2_method = md5 - } - } + } + } } diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat index 1865a1c60e..e5c82ef20d 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat index dccf85419d..69f83f67ae 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat 
@@ -1,11 +1,13 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf index f292988506..1227b9d1c0 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt index 299106b32e..479350c2fa 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt 
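Review bot: `carol::cd /etc/swanctl; rm rsa/* x509/*` (and the dave equivalent) clears the client's private key and end-entity certificate so that only EAP credentials remain, but the intent is not stated anywhere and `rm` without `-f` prints an error and returns non-zero if either directory is already empty. Suggest `cd /etc/swanctl; rm -f rsa/* x509/*`, and since .dat files have no room for a comment, a sentence in description.txt saying the client key material is removed on purpose. Only `rsa/` and `x509/` are cleared, so the CA certificate carol needs to verify moon is presumably left where the renamed swanctl.conf expects it; worth confirming.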
@@ -1,8 +1,9 @@ The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to -the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -carol presents the correct MD5 password and succeeds whereas dave chooses the -wrong password and fails. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. + +Next carol and dave et up an EAP-TTLS tunnel each via +gateway moon to the RADIUS server alice authenticated by an X.509 +AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client +authentication based on EAP-MD5. carol presents the correct MD5 password +and succeeds whereas dave chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index 4be616469d..df4f0d5508 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat 
@@ -10,12 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed: moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - 
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf index 443332acc2..85d90ccc1c 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown } diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf index 443332acc2..85d90ccc1c 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf 
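Review bot: This hunk drops both `multiple_authentication=no` and the `syslog { daemon { tls = 2 } }` block from carol (the dave and moon hunks in this commit do the same), whereas the sibling rw-eap-ttls-only test keeps both after its migration. The EAP-TTLS path is the same in both tests, so either this one should keep `  multiple_authentication = no` for parity or the ttls-only one can drop it; as committed the two tests document different expectations. Without `tls = 2` the evaltest can only match default-level daemon.log lines, which appears sufficient for the current patterns, but if TLS-level logging was what made handshake failures debuggable it is worth restoring.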
@@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown } diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5cb..0000000000 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf index 9681551467..bf614014d4 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf 
@@ -1,12 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown plugins { eap-radius { - secret = gv6URkSs + secret = gv6URkSs server = PH_IP_ALICE } } diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat index a6619d02bf..a3aff64c3d 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index c98e8ed53a..6363fcb590 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat 
@@ -1,12 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* alice::freeradius -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw-eap carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf index 20d5863094..0e5512b655 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-ed25519-certpol/description.txt b/testing/tests/ikev2/rw-ed25519-certpol/description.txt similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/description.txt rename to testing/tests/ikev2/rw-ed25519-certpol/description.txt diff --git a/testing/tests/swanctl/rw-ed25519-certpol/evaltest.dat b/testing/tests/ikev2/rw-ed25519-certpol/evaltest.dat similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/evaltest.dat rename to testing/tests/ikev2/rw-ed25519-certpol/evaltest.dat diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf 
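Review bot: `dave::iptables-restore < /etc/iptables.rules` was replaced by a second `carol::iptables-restore < /etc/iptables.rules`, so dave now enters the test with whatever ruleset the VM booted with instead of the test ruleset, while posttest still flushes dave's rules. This looks like a copy-paste error; the line should read `dave::iptables-restore < /etc/iptables.rules`. Because dave is the peer that is expected to fail authentication, the evaltest cannot detect a missing firewall on dave, which is why it slipped through.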
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/posttest.dat b/testing/tests/ikev2/rw-ed25519-certpol/posttest.dat similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/posttest.dat rename to testing/tests/ikev2/rw-ed25519-certpol/posttest.dat diff --git a/testing/tests/swanctl/rw-ed25519-certpol/pretest.dat b/testing/tests/ikev2/rw-ed25519-certpol/pretest.dat similarity index 100% rename from testing/tests/swanctl/rw-ed25519-certpol/pretest.dat rename to testing/tests/ikev2/rw-ed25519-certpol/pretest.dat diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf b/testing/tests/ikev2/rw-ed25519-certpol/test.conf similarity index 100% rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf rename to testing/tests/ikev2/rw-ed25519-certpol/test.conf diff --git a/testing/tests/ikev2/rw-hash-and-url/description.txt b/testing/tests/ikev2/rw-hash-and-url/description.txt old mode 100644 new mode 100755 index 5e748d75ea..6af7a39ae2 --- a/testing/tests/ikev2/rw-hash-and-url/description.txt +++ b/testing/tests/ikev2/rw-hash-and-url/description.txt @@ -1,10 +1,6 @@ The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Instead of the certificates themselves, "Hash and URL" certificate payloads -are transferred and the certificates are fetched via http from web server winnetou. --Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. -
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat old mode 100644 new mode 100755 index 3c0aaf0022..a7f04b53a1 --- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat +++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat 
@@ -2,17 +2,13 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf deleted file mode 100644 index acf5789d8e..0000000000 
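Review bot: The ping checks now run from alice toward 192.168.0.100 and 192.168.0.200 instead of carol and dave pinging PH_IP_ALICE, yet the description.txt hunk in this same commit still says "both carol and dave ping the client alice behind the gateway moon". Either restore `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` and the matching dave line, or update the description; as committed the two disagree about which side initiates traffic through the updown-inserted firewall rules. The reordered tcpdump lines are order-only and harmless.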
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://winnetou.strongswan.org/certs/ - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index 9c9714a33c..90f42a1c5e --- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici + hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 1e14395600..0000000000 
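Review bot: `old mode 100644 new mode 100755` makes this configuration file executable (the same happens to description.txt, evaltest.dat and posttest.dat of this test), which looks like an artifact of copying from a mounted filesystem rather than an intended change; `chmod 644` them before merging. Separately, the deleted ipsec.conf carried `certuribase=http://winnetou.strongswan.org/certs/` in its `ca` section; with `hash_and_url = yes` now set in charon-systemd, the equivalent base URL has to come from the renamed swanctl.conf, which is not visible here. Worth confirming, since without it the daemon would presumably fall back to full certificate payloads and the `fetched certificate` evaltest lines would no longer match.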
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://winnetou.strongswan.org/certs/
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 3a52f0db69..90f42a1c5e
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ hash_and_url = yes
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index cd626a7200..0000000000
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://winnetou.strongswan.org/certs/
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 3a52f0db69..90f42a1c5e
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ hash_and_url = yes
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..3d37a86e52
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
old mode 100644
new mode 100755
index 4780041626..d8ad8b7f98
--- a/testing/tests/ikev2/rw-initiator-only/description.txt
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -4,7 +4,7 @@ she ignores the repeated IKE requests sent by dave. After the failed connection attempt by dave, roadwarrior carol sets up a connection to gateway moon. The authentication is based on X.509 certificates.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, carol pings the client alice behind
-the gateway moon.
+
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, carol pings the client alice
+behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
old mode 100644
new mode 100755
index c5dc4a0a69..811b8a8ec3
--- a/testing/tests/ikev2/rw-initiator-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -1,8 +1,6 @@
 dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index dd2ceea604..0000000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 54b68df4f4..7bb3ff7263
--- a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 initiator_only = yes
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..f1c4ba6e87
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b417977c95..0000000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn peer
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..402d773aff
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ peer {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.100
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ children {
+ peer {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index acc2ef7582..0000000000
--- a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekey=no
- reauth=no
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 93f4345989..ad4c18e437
--- a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..4ba02ad6c6
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..e5c82ef20d
--- a/testing/tests/ikev2/rw-initiator-only/posttest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
old mode 100644
new mode 100755
index 290f57e69b..71675c49e4
--- a/testing/tests/ikev2/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
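Review bot: The new `rw` connection on moon carries no `rekey_time` or `reauth_time`, so the `rekey=no` and `reauth=no` that the deleted moon ipsec.conf set in `conn %default` (previous hunk) are silently dropped and moon falls back to charon's default IKE/CHILD rekeying and reauthentication. For an initiator-only peer that cannot answer moon's CREATE_CHILD_SA or re-auth, that difference is exactly what this test is about, so if the old behaviour is still wanted add `rekey_time = 0` and `reauth_time = 0` to the `rw` connection and `rekey_time = 0` to the `net` child; if dropping them is intentional, a one-line comment in the connection block saying so would save the next reader the comparison with the removed file.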
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 dave::expect-connection peer
-dave::ipsec up peer
+dave::swanctl --initiate --child peer 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-initiator-only/test.conf
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-newhope-bliss/description.txt b/testing/tests/ikev2/rw-newhope-bliss/description.txt
old mode 100644
new mode 100755
index eb7678496f..0a7f2489cf
--- a/testing/tests/ikev2/rw-newhope-bliss/description.txt
+++ b/testing/tests/ikev2/rw-newhope-bliss/description.txt
@@ -4,9 +4,8 @@ with a cryptographical strength of 128 bits. Authentication is based on the BLIS algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for carol, dave and moon, respectively.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
+Both carol and dave request a virtual IP via the IKEv2 configuration payload.
+The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
 increasing order.
leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
diff --git a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
old mode 100644
new mode 100755
index a2df0a3c04..be3b867a3b
--- a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
@@ -1,26 +1,10 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6f561ab509..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-newhope128!
- esp=aes256-sha256!
- authby=pubkey
- fragmentation=yes
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.der
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index c2225646d5..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS carolKey.der
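Review bot: The rewritten evaltest no longer asserts that the peers were authenticated with BLISS: the four `cat /var/log/daemon.log::authentication of.*with BLISS_WITH_SHA2_*` checks are removed, and the `swanctl --list-sas --raw` lines that replace them only pin the IKE/ESP algorithms, the NEWHOPE_128 group and the traffic selectors, so the signature scheme actually used is now unverified in a test whose stated purpose is BLISS authentication. The pretest's removal of the RSA credentials makes a silent fallback unlikely, but it does not make the evaltest say so. The sibling rw-ntru-bliss evaltest later in this same commit keeps these log checks, so for consistency keep e.g. `moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES` together with the matching dave line and the two `with BLISS_WITH_SHA2_512` lines on carol and dave.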
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 1d9f6e2359..16dcf16a11
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ send_vendor_id = yes
 fragment_size = 1500
 }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index caf99ddf0c..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-newhope128!
- esp=aes256-sha256!
- authby=pubkey
- fragmentation=yes
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.der
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index fe26432049..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 1d9f6e2359..475705026e
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
+ send_vendor_id = yes
 fragment_size = 1500
 }
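Review bot: dave's new `charon-systemd` `load` line omits the `constraints` plugin that the otherwise identical carol and moon strongswan.conf files in this commit do load (their new-side blob is 16dcf16a11, dave's is 475705026e, so the three files are not the same although they are meant to be). `constraints` is what enforces the advanced X.509 checks (name, path-length and policy constraints, plus configured authentication constraints) during certificate validation, so dave would validate moon's BLISS certificate chain under weaker rules than carol does, which is a silent asymmetry in a test about BLISS authentication. Align the line with the other two hosts: `load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici`.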
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0ec0ac826a..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-newhope128!
- esp=aes256-sha256!
- authby=pubkey
- fragmentation=yes
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.der
- leftauth=bliss-sha512
- leftid=moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b4a9ee68dc..0000000000
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 1d9f6e2359..16dcf16a11
--- a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ send_vendor_id = yes
 fragment_size = 1500
 }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
old mode 100644
new mode 100755
index 9ba8c5f554..eb21008563
--- a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
@@ -1,9 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
old mode 100644
new mode 100755
index 058b3c33df..819964b7df
--- a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
+++ b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
@@ -1,14 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-newhope-bliss/test.conf b/testing/tests/ikev2/rw-newhope-bliss/test.conf
old mode 100644
new mode 100755
index 164b07ff97..1227b9d1c0
--- a/testing/tests/ikev2/rw-newhope-bliss/test.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="a-m-c-w-d.png"
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt
index b81fdb7cf6..82ebd89ad0 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/description.txt
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -4,12 +4,11 @@ The key exchange is based on NTRU encryption with a cryptographical strength of algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for carol, dave and moon, respectively.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
+Both carol and dave request a virtual IP via the IKEv2 configuration payload.
+The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
 increasing order.
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
+The updown script automatically inserts iptables-based firewall rules that let pass
 the tunneled traffic. In order to test the tunnels, carol and dave then ping the client alice behind the gateway moon. The source IP addresses of the two pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
index ebb738cae4..937425fabf 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -1,21 +1,13 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES -dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES -moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES -moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org 
initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon::tcpdump::IP carol.strongswan.org > 
moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 647a47f2f0..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ntru128! - esp=aes128-sha256! - authby=pubkey - fragmentation=yes - -conn home - left=PH_IP_CAROL - leftsourceip=%config - leftcert=carolCert.der - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index c2225646d5..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: BLISS carolKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index 47f9aa05fa..0a86ed8130 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf 
@@ -1,7 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf deleted file mode 100644 index e7786040cc..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ntru192! - esp=aes192-sha384! - authby=pubkey - fragmentation=yes - -conn home - left=PH_IP_DAVE - leftsourceip=%config - leftcert=daveCert.der - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=moon.strongswan.org - auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index fe26432049..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: BLISS daveKey.der 
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index 47f9aa05fa..0a86ed8130 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,7 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e5c2bf8b63..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=yes - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ntru128,aes192-sha384-ntru192! - esp=aes128-sha256,aes192-sha384! - authby=pubkey - fragmentation=yes - -conn rw - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.der - leftauth=bliss-sha512 - leftid=moon.strongswan.org - leftfirewall=yes - right=%any - rightsourceip=10.3.0.0/28 - auto=add 
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index b4a9ee68dc..0000000000 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: BLISS moonKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index 47f9aa05fa..0a86ed8130 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,7 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat index 9ba8c5f554..b117208426 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat +++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat 
@@ -1,9 +1,9 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
-dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+moon::cd /etc/swanctl; rm bliss/* x509/moonCert.der x509ca/strongswan_blissCert.der
+carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der
+dave::cd /etc/swanctl; rm bliss/* x509/daveCert.der x509ca/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
index 058b3c33df..819964b7df 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -1,14 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf index 164b07ff97..a542d037ed 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/test.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 3e6d33ad9d..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720 diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 35233ed325..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown - send_vendor_id = yes -} diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 3c355de51e..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8 
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 35233ed325..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown - send_vendor_id = yes -} diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index a9e89c038b..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720 - -moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8 diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 35233ed325..0000000000 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown - send_vendor_id = yes -} diff --git a/testing/tests/ikev2/rw-pkcs8/description.txt b/testing/tests/ikev2/rw-pkcs8/description.txt old mode 100644 new mode 100755 index 84dd41480f..121f5dfa05 --- a/testing/tests/ikev2/rw-pkcs8/description.txt +++ b/testing/tests/ikev2/rw-pkcs8/description.txt 
@@ -4,7 +4,7 @@ and matching RSA private keys stored in the PKCS#8 format. moon's is unencrypted, carol's key is encrypted with the default PKCS#5 v1.5 DES algorithm and dave's key with the PKCS#5 v2.0 AES-128 algorithm.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+Upon the successful establishment of the IPsec tunnels, the updown script
 automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
old mode 100644
new mode 100755
index 849d59a4e3..8a8a95f7ec
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
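Review bot: The rewritten description still says that carol and dave ping the client alice, but the evaltest in the next hunk now has alice doing the pinging (`alice::ping -c 1 192.168.0.100` and `alice::ping -c 1 192.168.0.200`), with the tcpdump expectations reordered so that moon→carol comes first. Either restore the `carol::ping -c 1 PH_IP_ALICE` / `dave:: ping -c 1 PH_IP_ALICE` checks or reword the last sentence to `In order to test both tunnel and firewall, the client alice behind the gateway moon pings both carol and dave.` The same mismatch exists between the rw-psk-fqdn description and its evaltest further down in this diff.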
@@ -1,14 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED 
local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e72f78742f..0000000000 --- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 6a2aea8118..0000000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 680785b238..7415f931cb
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des md5 sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..b0b603b00a
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ pkcs8-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 65c9819bb2..0000000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ff6a247f06..0000000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 6fab7121c1..7415f931cb
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
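Review bot: This new swanctl.conf is created with mode 100755 although it is a plain configuration file that carries the PKCS#8 passphrase in `secret = "nH5ZQEWtku0RJEZ6"`; dave's swanctl.conf in the next file section is added the same way. The executable bit serves no purpose on a configuration file, and a secret-bearing file is the last place to start loosening permissions, so both should be `chmod 644` before committing. The diff also flips `old mode 100644` / `new mode 100755` on description.txt, evaltest.dat, pretest.dat, posttest.dat, test.conf and strongswan.conf of several tests in this range, which looks like working-copy noise rather than an intended change and should be reverted together with these two.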
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes des sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..c57c6baf82
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ pkcs8-dave {
+ file = daveKey.pem
+ secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+ }
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 1ee7513602..0000000000
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index c58fdbcd75..7415f931cb
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
similarity index 95%
rename from testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
index de225022bb..b938f0df52 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -2,7 +2,6 @@ connections {
 rw {
 local_addrs = 192.168.0.1
- pools = big_pool
 local {
 auth = pubkey
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..0baa831d55
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
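Review bot: Git records moon's swanctl.conf as a 95%-similar rename from `testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf` with only `pools = big_pool` dropped, so unless the ip-pool-db test is itself removed or moved elsewhere in this commit, its gateway configuration disappears here. This is probably rename detection pairing two unrelated files during the swanctl→ikev2 move rather than an intended change, but it is worth confirming before merging.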
@@ -1,6 +1,9 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::rm /etc/swanctl/pkcs8/*
+dave::rm /etc/swanctl/pkcs8/*
+moon::rm /etc/swanctl/pkcs8/*
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
old mode 100644
new mode 100755
index e87a8ee479..85426cbb49
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt
old mode 100644
new mode 100755
index 47f6968ae7..237e2ce42a
--- a/testing/tests/ikev2/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors carol and dave set up a connection each
+The roadwarriors carol and dave set up a connection each
 to gateway moon. The authentication is based on distinct pre-shared keys
-and Fully Qualified Domain Names. Upon the successful establishment of the IPsec tunnels,
-leftfirewall=yes automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and Fully Qualified Domain Names.
+
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
 carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
old mode 100644
new mode 100755
index a5aa06be28..8a8a95f7ec
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
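Review bot: `the updown-script` in the new third paragraph is hyphenated, whereas the rw-ntru-bliss and rw-pkcs8 descriptions rewritten in this same diff use `the updown script`; use the unhyphenated form here too so the three read alike. The first removed/added line pair is textually identical in the diff, so that change is presumably whitespace only and could be left out of the commit.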
@@ -1,16 +1,10 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..dcef959eff
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
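Review bot: The rewritten traffic checks reverse the direction of the ping test — `alice::ping -c 1 192.168.0.100` and `alice::ping -c 1 192.168.0.200` have alice probe the roadwarriors — while the description.txt hunk of this same test keeps the unchanged line "carol and dave ping the client alice behind the gateway moon", so the prose no longer matches what is evaluated. Either restore the `carol::ping -c 1 PH_IP_ALICE` and `dave::ping -c 1 PH_IP_ALICE` checks that the removed lines had, or change the description sentence to say that alice pings carol and dave. The same description/evaltest mismatch exists in the rw-psk-ipv4 evaltest.dat hunk further down. Note also that the moon checks select SAs by `--ike-id 1` and `--ike-id 2` (and pin `reqid=1`/`reqid=2`), which presumably relies on carol always initiating before dave as the pretest sequences it; a comment in evaltest.dat stating that ordering assumption would help whoever reorders the pretest later.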
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..dcef959eff
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..dcef959eff
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
old mode 100644
new mode 100755
index ee5bc7c721..12ad60eb8a
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,14 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt
old mode 100644
new mode 100755
index b4aaa6a6a7..81c25e62ad
--- a/testing/tests/ikev2/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt
@@ -1,6 +1,8 @@
-The roadwarriors carol and dave set up a connection each
+The roadwarriors carol and dave set up a connection each
 to gateway moon. The authentication is based on distinct pre-shared keys
-and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
-leftfirewall=yes automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+and IPv4 addresses.
+
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
 carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
old mode 100644
new mode 100755
index 0c8c311ae8..11a3f6b069
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100
remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..dcef959eff
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 }
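Review bot: The new `swanctl --list-sas` checks in this evaltest hard-code `192.168.0.100`, `192.168.0.200` and `192.168.0.1` where the removed lines used the `PH_IP_CAROL`, `PH_IP_DAVE` and `PH_IP_MOON` placeholders, so the patterns are now bound to the fixed guest addressing even though the evaltest files elsewhere in this commit still use placeholders such as `PH_IP_ALICE`. Keeping the placeholders in the rewritten patterns (for example `local-host=PH_IP_CAROL local-port=4500 local-id=PH_IP_CAROL remote-host=PH_IP_MOON`) preserves that indirection; since the identities in this scenario are the addresses themselves, the placeholders would also make the id/host coupling visible at a glance.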
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..dcef959eff
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
old mode 100644
new mode 100755
index 9555143918..0325fe9a27
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
 }
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
old mode 100644
new mode 100755
index 1865a1c60e..eb21008563
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
old mode 100644
new mode 100755
index ee5bc7c721..12ad60eb8a
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
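Review bot: moon's new charon-systemd plugin list loads `md5` in addition to what carol and dave load in this scenario and what the rw-psk-fqdn copies of this file load (all three share the old blob 9555143918, yet only this one becomes 0325fe9a27), and nothing in the rw-psk-ipv4 evaltest asserts an MD5-based algorithm — the pinned proposal is AES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519 with AES_GCM_16 for ESP. If moon's swanctl.conf for this test does not need it, dropping it keeps the loaded plugin set minimal and identical on all three hosts: `load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici`. If it is needed, a short comment above the load line saying why would stop the next cleanup from removing it.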
@@ -1,14 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
old mode 100644
new mode 100755
index f292988506..1227b9d1c0
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-ppk/description.txt b/testing/tests/ikev2/rw-psk-ppk/description.txt
similarity index 73%
rename from testing/tests/swanctl/rw-psk-ppk/description.txt
rename to testing/tests/ikev2/rw-psk-ppk/description.txt
index b9535b95c2..35ce6781d2 100755
--- a/testing/tests/swanctl/rw-psk-ppk/description.txt
+++ b/testing/tests/ikev2/rw-psk-ppk/description.txt
@@ -5,7 +5,8 @@ that's also mixed into the derived key material. The PPK_ID used by dave unknown to moon but since both peers don't enforce the use of a PPK they fall back to regular authentication by use of the authentication data provided in the NO_PPK_AUTH notify.
-Upon the successful establishment of the IPsec tunnels,
-leftfirewall=yes automatically inserts iptables-based firewall rules that
-let pass the tunneled traffic. In order to test both tunnel and firewall, both
+
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
 carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/swanctl/rw-psk-ppk/evaltest.dat b/testing/tests/ikev2/rw-psk-ppk/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ppk/evaltest.dat
rename to testing/tests/ikev2/rw-psk-ppk/evaltest.dat
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/ikev2/rw-psk-ppk/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat
rename to testing/tests/ikev2/rw-psk-ppk/posttest.dat
diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-ppk/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-psk-fqdn/pretest.dat
rename to testing/tests/ikev2/rw-psk-ppk/pretest.dat
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-psk-ppk/test.conf
old mode 100644
new mode 100755
similarity index 100%
rename from testing/tests/swanctl/rw-eap-ttls-only/test.conf
rename to testing/tests/ikev2/rw-psk-ppk/test.conf
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 65c9819bb2..0000000000
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 47e31ca218..0000000000
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index f6c1a22efe..0000000000
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/swanctl/rw-pubkey-anon/description.txt b/testing/tests/ikev2/rw-pubkey-anon/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/description.txt
rename to testing/tests/ikev2/rw-pubkey-anon/description.txt
diff --git a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat b/testing/tests/ikev2/rw-pubkey-anon/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
rename to testing/tests/ikev2/rw-pubkey-anon/evaltest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-pubkey-anon/posttest.dat
old mode 100644
new mode 100755
similarity index 100%
rename from testing/tests/swanctl/rw-dnssec/posttest.dat
rename to testing/tests/ikev2/rw-pubkey-anon/posttest.dat
diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-pubkey-anon/pretest.dat
old mode 100644
new mode 100755
similarity index 100%
rename from testing/tests/swanctl/rw-dnssec/pretest.dat
rename to testing/tests/ikev2/rw-pubkey-anon/pretest.dat
diff --git a/testing/tests/swanctl/rw-ed25519-certpol/test.conf b/testing/tests/ikev2/rw-pubkey-anon/test.conf
similarity index 100%
rename from testing/tests/swanctl/rw-ed25519-certpol/test.conf
rename to testing/tests/ikev2/rw-pubkey-anon/test.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/description.txt b/testing/tests/ikev2/rw-pubkey-keyid/description.txt
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/description.txt
rename to testing/tests/ikev2/rw-pubkey-keyid/description.txt
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat b/testing/tests/ikev2/rw-pubkey-keyid/evaltest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
rename to testing/tests/ikev2/rw-pubkey-keyid/evaltest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-anon/posttest.dat
rename to testing/tests/ikev2/rw-pubkey-keyid/posttest.dat
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/ikev2/rw-pubkey-keyid/pretest.dat
similarity index 100%
rename from testing/tests/swanctl/rw-pubkey-keyid/pretest.dat
rename to testing/tests/ikev2/rw-pubkey-keyid/pretest.dat
diff --git a/testing/tests/swanctl/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-pubkey-keyid/test.conf
similarity index 100%
rename from testing/tests/swanctl/rw-hash-and-url/test.conf
rename to testing/tests/ikev2/rw-pubkey-keyid/test.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5cb..0000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5cb..0000000000
--- a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd61..0000000000
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c04..0000000000
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/swanctl/manual-prio/description.txt b/testing/tests/ikev2/shunt-manual-prio/description.txt
similarity index 100%
rename from testing/tests/swanctl/manual-prio/description.txt
rename to testing/tests/ikev2/shunt-manual-prio/description.txt
diff --git a/testing/tests/swanctl/manual-prio/evaltest.dat b/testing/tests/ikev2/shunt-manual-prio/evaltest.dat similarity index 100% rename from testing/tests/swanctl/manual-prio/evaltest.dat rename to testing/tests/ikev2/shunt-manual-prio/evaltest.dat diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf 
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/swanctl/manual-prio/posttest.dat b/testing/tests/ikev2/shunt-manual-prio/posttest.dat similarity index 100% rename from testing/tests/swanctl/manual-prio/posttest.dat rename to testing/tests/ikev2/shunt-manual-prio/posttest.dat diff --git a/testing/tests/swanctl/manual-prio/pretest.dat b/testing/tests/ikev2/shunt-manual-prio/pretest.dat similarity index 100% rename from testing/tests/swanctl/manual-prio/pretest.dat rename to testing/tests/ikev2/shunt-manual-prio/pretest.dat diff --git a/testing/tests/swanctl/rw-psk-ikev1/test.conf b/testing/tests/ikev2/shunt-manual-prio/test.conf similarity index 100% rename from testing/tests/swanctl/rw-psk-ikev1/test.conf rename to testing/tests/ikev2/shunt-manual-prio/test.conf diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt index 7d9ebfd90a..b95669dadf 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt +++ b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt @@ -1,7 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net -shunt policy with type=pass. +shunt policy with mode = pass. In order to test the tunnel, the NAT-ed hosts alice and venus ping each other and the client bob behind the gateway sun. 
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
index 67014c5eeb..dd0d8ec080 100644
--- a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
@@ -1,12 +1,14 @@
-alice::ipsec status 2> /dev/null::local-net.*PASS::YES
-venus::ipsec status 2> /dev/null::local-net.*PASS::YES
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
+venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
-alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
\ No newline at end of file
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 4c6e51df7c..0000000000
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn nat-t - left=%any - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftsourceip=%config - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add - -conn local-net - leftsubnet=10.1.0.0/16 - rightsubnet=10.1.0.0/16 - authby=never - type=pass - auto=route diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index 9d07c88e40..bf799a29b6 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 90a8ae26e9..0000000000 --- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn nat-t - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - leftsubnet=0.0.0.0/0 - right=%any - rightsourceip=10.3.0.0/28 - auto=add diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index 93f4345989..91e32f7ba4 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf deleted file mode 100644 index ade6415032..0000000000 --- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn nat-t - left=%any - leftcert=venusCert.pem - leftid=@venus.strongswan.org - leftsourceip=%config - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add - -conn local-net - leftsubnet=10.1.0.0/16 - rightsubnet=10.1.0.0/16 - authby=never - type=pass - auto=route diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index 9d07c88e40..bf799a29b6 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat index 1ff2c06444..a2ee681804 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat 
@@ -1,5 +1,5 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop +alice::systemctl stop strongswan +venus::systemctl stop strongswan +sun::systemctl stop strongswan sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat index b96aa0ce78..928a954a87 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat @@ -1,11 +1,11 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::ipsec start -venus::ipsec start -sun::ipsec start +sun::systemctl start strongswan +alice::systemctl start strongswan +venus::systemctl start strongswan +sun::expect-connection nat-t alice::expect-connection nat-t venus::expect-connection nat-t -sun::expect-connection nat-t -alice::ipsec up nat-t -venus::ipsec up nat-t \ No newline at end of file +alice::swanctl --initiate --child nat-t 2> /dev/null +venus::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf index bd82f03ad6..34b0ba1655 100644 --- a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf +++ b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/strong-keys-certs/description.txt b/testing/tests/ikev2/strong-keys-certs/description.txt old mode 100644 new mode 100755 index 0847159f47..472bc0de8c --- a/testing/tests/ikev2/strong-keys-certs/description.txt +++ b/testing/tests/ikev2/strong-keys-certs/description.txt 
@@ -1,7 +1,11 @@ -This scenario is derived from ikev2/rw-cert. The gateway moon uses a 3072 bit RSA private key protected by AES-128 encryption whereas the roadwarriors carol and dave have an AES-192 and AES-256 envelope, respectively. The X.509 certificate of the gateway moon uses a SHA-224 hash in its signature whereas the certificates of the roadwarriors carol and dave use SHA-384 and SHA-512, respectively. + +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat old mode 100644 new mode 100755 index 849d59a4e3..8a8a95f7ec --- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat +++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat 
@@ -1,14 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 732966f201..0000000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
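Review bot: The two new ping checks run from alice towards 192.168.0.100 and 192.168.0.200, while the description.txt hunk of the same commit still states that "both carol and dave ping the client alice behind the gateway moon", so the test and its description now disagree about which side initiates the test traffic. If the reversed direction is intended, the sentence in description.txt should be changed to match; otherwise the previous form `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` and `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` should be kept. Keeping the PH_IP_* placeholders would also stay consistent with the other evaltest files in this commit, which do not hard-code roadwarrior addresses in the ping lines.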
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert-sha384.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4c9a601ca1..0000000000 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey-aes192.pem "ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA" diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..8f8fbdfa76 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..558eaca3ac --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert-sha384.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-carol { + file = carolKey-aes192.pem + secret = "ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA" + } +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 13636bc1ea..0000000000 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert-sha512.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index b4b1c6249f..0000000000 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA daveKey-aes256.pem "MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v" diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..aeb1b75422 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..54de49ef00 --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert-sha512.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-dave { + file = daveKey-aes256.pem + secret = "MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v" + } +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f365554450..0000000000 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf +++ /dev/null 
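Review bot: dave's new `charon-systemd` plugin list is not the one given to carol and moon in the same commit: it additionally loads `drbg des sha3 chapoly pkcs8 newhope mgf1 ntru xcbc ctr ccm gcm`, although all three hosts' swanctl.conf files negotiate only `aes128-sha256-x25519` and `aes128gcm128-x25519`, so the extra plugins appear to be carried over from another scenario rather than required here. Loading algorithm plugins that the scenario never exercises (DES, NTRU, NewHope among them) makes the three host configurations harder to compare and review, and leaves a test that claims to be about strong keys and certificates with a legacy cipher plugin loaded on one peer. Suggest the same line as carol and moon: `load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown`.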
@@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw - left=PH_IP_MOON - leftcert=moonCert-sha224.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 9d298e1833..0000000000 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey-aes128.pem "gOQHdrSWeFuiZtYPetWuyzHW" diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 index af5fa19ef1..8f8fbdfa76 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..31c6161ac6 --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert-sha224.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-moon { + file = moonKey-aes128.pem + secret = "gOQHdrSWeFuiZtYPetWuyzHW" + } +} diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat old mode 100644 new mode 100755 index 3fd6a690e7..68c8bce482 --- a/testing/tests/ikev2/strong-keys-certs/posttest.dat +++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat @@ -1,13 +1,9 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::cd /etc/swanctl; rm rsa/* x509/* +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/private/* -dave::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/certs/* -dave::rm /etc/ipsec.d/certs/* - diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat old mode 100644 new mode 100755 index e87a8ee479..a7f48db6b9 --- a/testing/tests/ikev2/strong-keys-certs/pretest.dat +++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat 
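Review bot: The new cleanup lines `moon::cd /etc/swanctl; rm rsa/* x509/*` (and the carol and dave equivalents) chain the two commands with `;`, so if the `cd` ever fails the `rm` still runs against `rsa/*` and `x509/*` relative to whatever the current directory is; `cd /etc/swanctl && rm rsa/* x509/*` makes the deletion conditional on being in the intended directory. The pretest.dat hunk that follows uses the same `cd /etc/swanctl; rm ...` form for the three `rm rsa/<host>Key.pem x509/<host>Cert.pem` lines. That pretest deletion of the standard credentials is also unexplained; presumably it is there so that swanctl only finds the AES-protected strong-key variants, and a sentence saying so in description.txt would spare the next reader from having to infer it.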
@@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem +carol::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem +dave::cd /etc/swanctl; rm rsa/daveKey.pem x509/daveCert.pem +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf old mode 100644 new mode 100755 index f292988506..1227b9d1c0 --- a/testing/tests/ikev2/strong-keys-certs/test.conf +++ b/testing/tests/ikev2/strong-keys-certs/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index f1b252c4bc..63ccd5dcc7 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat 
@@ -1,11 +1,10 @@
 moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
 moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.20/32::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 9ec202e3d4..0000000000
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- uniqueids=no
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- leftcert=carolCert.pem
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- leftcert=carolCert-002.pem
- rightsubnet=PH_IP_VENUS/32
- auto=add
-
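Review bot: The migrated evaltest drops the negative assertion `moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO`, which was the one check proving that moon picks carol's second certificate (serialNumber=002) directly instead of trying the first key and falling back. The new `swanctl --list-sas` lines only show that both IKE SAs come up and would pass equally on a fallback. I would keep that line unchanged in the new file; the message is presumably still logged by charon under charon-systemd, which is worth confirming on a run. The two `ping` lines were also tightened from `icmp_.eq=1` to `icmp_seq=1`, which is fine but differs from the `icmp_.eq` pattern used by the other evaltests in this commit.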
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 2181f94cee..0000000000
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-: RSA carolKey-002.pem
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index af5fa19ef1..b05ed2b339 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..eccc27bd08
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,46 @@
+connections {
+
+ alice {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ }
+ }
+ version = 2
+ }
+
+ venus {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert-002.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ venus {
+ remote_ts = 10.1.0.20/32
+ }
+ }
+ version = 2
+ }
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index d8f1443ac8..0000000000
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- uniqueids=no
- strictcrlpolicy=yes
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightid=carol@strongswan.org
- keyexchange=ikev2
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- auto=add
-
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index 93f4345989..b05ed2b339 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
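Review bot: The new carol swanctl.conf is added as `new file mode 100755` (file header just above this hunk); a configuration file has no reason to be executable, and since it holds connection definitions it should be created 0644 or, where a secrets section is present, 0600. Compared with the deleted ipsec.conf, `leftfirewall=yes` has no `updown` counterpart here and the carol strongswan.conf in this commit no longer loads the `updown` plugin, so this test now verifies only that both SAs establish, not that traffic is confined to the tunnel by firewall rules; if that narrowing is intentional, a one-line comment at the top of the file saying so would stop a later reader from treating it as an omission. The `revocation = strict` entries correctly carry over the old `strictcrlpolicy=yes`.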
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6b3d3d7d03
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ }
+ venus {
+ local_ts = 10.1.0.20/32
+ }
+ }
+ version = 2
+ }
+}
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index eae8c27d4b..0877f6b8c4 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,3 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm rsa/* x509/*
\ No newline at end of file
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index ead4b6bb39..34393c7243 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
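Review bot: The `remote` block of the `rw` connection in moon's new swanctl.conf has no `id` constraint, whereas the deleted ipsec.conf pinned the peer with `rightid=carol@strongswan.org`; with only `auth = pubkey` and `revocation = strict`, moon now accepts any certificate issued by a loaded CA, so the test no longer demonstrates that both of carol's certificates are matched against one fixed identity. I would add `id = carol@strongswan.org` right after `auth = pubkey` in the `remote` block, which also keeps the evaltest's `remote-id=carol@strongswan.org` assertion meaningful rather than incidental. As with carol's file, the `new file mode 100755` on this configuration file is unnecessary and should be 0644.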
@@ -1,10 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
 carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
 carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
+carol::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index 3f6afa02ea..65dc353745 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -5,11 +5,11 @@
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
 # Guest instances on which tcpdump is to be started
 #
@@ -19,3 +19,6 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef1..0000000000
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 7a64dce303..0000000000
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
deleted file mode 100644
index 9bb88d79f0..0000000000
--- a/testing/tests/ikev2/wildcards/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/config-payload/description.txt b/testing/tests/swanctl/config-payload/description.txt
deleted file mode 100755
index 3e68a77981..0000000000
--- a/testing/tests/swanctl/config-payload/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload.
-moon explicitly assigns a specific virtual IP to each of the two clients.
-
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, carol and dave then ping the client
-alice behind the gateway moon. The source IP addresses of the two pings will be the
-virtual IPs 10.3.0.1 and 10.3.0.2, respectively.
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
deleted file mode 100755
index 1cc8d82402..0000000000
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat
deleted file mode 100755
index 28f600c9d5..0000000000
--- a/testing/tests/swanctl/config-payload/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/swanctl/swanctl_base.conf
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-carol
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/crl-to-cache/description.txt b/testing/tests/swanctl/crl-to-cache/description.txt
deleted file mode 100644
index 0e6f1cbd69..0000000000
--- a/testing/tests/swanctl/crl-to-cache/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-By setting cache_crls = yes in /etc/strongswan.conf, a copy of
-both the base CRL and the latest delta CRL fetched via http from
-the web server winnetou is saved locally in the directory
-/etc/swanctl/x509crl on both the roadwarrior carol and the
-gateway moon when the IPsec connection is set up.
-The subjectKeyIdentifier of the issuing CA plus the suffixes
-.crl and _delta.crl are used as unique filename for the
-cached base CRL and delta CRL, respectively.
diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat
deleted file mode 100644
index 91e34578f8..0000000000
--- a/testing/tests/swanctl/crl-to-cache/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
-carol::cat /var/log/daemon.log::certificate was revoked::YES
-carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 48e34abba3..0000000000
--- a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
-
- cache_crls = yes
-}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 48e34abba3..0000000000
--- a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
-
- cache_crls = yes
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/description.txt b/testing/tests/swanctl/dhcp-dynamic/description.txt
deleted file mode 100644
index bef5423714..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-and request a virtual IP via the IKEv2 configuration payload by using the vips=0.0.0.0
-parameter. The dhcp plugin on gateway moon then requests an IP address and DNS server
-information from DHCP server venus using the DHCP protocol. The IP addresses are assigned dynamically
-by venus from the pool 10.1.0.50..10.1.0.60 so that carol and dave become full members
-of the subnet 10.1.0.0/16 hidden behind gateway moon. And this thanks to the farp plugin
-through which moon acts as a proxy for ARP requests e.g. from alice who wants to ping
-carol and dave.
diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
deleted file mode 100644
index aa62bcec46..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index 9932df379b..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index 9932df379b..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
deleted file mode 100644
index 2d9a466b0a..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,39 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
--A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
-
-# allow broadcasts from eth1
--A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# log dropped packets
--A INPUT -j LOG --log-prefix " IN: "
--A OUTPUT -j LOG --log-prefix " OUT: "
-
-COMMIT
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index c00d3dc4be..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
-
- plugins {
- dhcp {
- server = 10.1.255.255
- }
- }
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
deleted file mode 100644
index 7a178505f0..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option domain-name "strongswan.org";
- option domain-name-servers PH_IP_VENUS;
- option netbios-name-servers PH_IP_ALICE;
- option routers PH_IP_MOON1;
- option broadcast-address 10.1.255.255;
- next-server PH_IP_VENUS;
-
- range 10.1.0.50 10.1.0.60;
-}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
deleted file mode 100644
index ec8c945a7f..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-interface=eth0
-dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,PH_IP_MOON1
-dhcp-option=option:dns-server,PH_IP_VENUS
-dhcp-option=option:netbios-ns,PH_IP_ALICE
-dhcp-option=option:domain-name,strongswan.org
-log-dhcp
diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat
deleted file mode 100644
index d258f1e384..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-venus::cat /var/lib/dhcp/dhcpd.leases
-venus::service isc-dhcp-server stop 2> /dev/null
-venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-alice::arp -d 10.1.0.50
-alice::arp -d 10.1.0.51
diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat
deleted file mode 100644
index d8c1191cd4..0000000000
--- a/testing/tests/swanctl/dhcp-dynamic/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-venus::cat /etc/dhcp/dhcpd.conf
-venus::service isc-dhcp-server start 2> /dev/null
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat
deleted file mode 100755
index 29cd8bfbd2..0000000000
--- a/testing/tests/swanctl/host2host-cert/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat
deleted file mode 100755
index 683269aadb..0000000000
--- a/testing/tests/swanctl/host2host-cert/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike host-host 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat
deleted file mode 100755
index 5cb154074f..0000000000
--- a/testing/tests/swanctl/host2host-cert/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection host-host
-sun::expect-connection host-hhost
-moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt
deleted file mode 100755
index bc5a1299bd..0000000000
--- a/testing/tests/swanctl/host2host-transport/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPsec transport-mode connection between the hosts moon and sun
-is successfully set up. The authentication is based on X.509 certificates.
-
-Upon the successful establishment of the IPsec connection, the updown script automatically
-inserts iptables-based firewall rules that let pass the protected traffic.
-In order to test the host-to-host tunnel moon pings sun.
diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat
deleted file mode 100755
index 8b103d087a..0000000000
--- a/testing/tests/swanctl/host2host-transport/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat
deleted file mode 100755
index 683269aadb..0000000000
--- a/testing/tests/swanctl/host2host-transport/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike host-host 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat
deleted file mode 100755
index 5cb154074f..0000000000
--- a/testing/tests/swanctl/host2host-transport/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::systemctl start strongswan -sun::systemctl start strongswan -moon::expect-connection host-host -sun::expect-connection host-hhost -moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/description.txt b/testing/tests/swanctl/ip-pool-db/description.txt deleted file mode 100755 index 2cac465db2..0000000000 --- a/testing/tests/swanctl/ip-pool-db/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -Both carol and dave request a virtual IP via the IKEv2 configuration payload. -The gateway moon assigns virtual IP addresses from a pool named bigpool that was -created in an SQL database by the command -ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0. --The updown script automatically inserts iptables-based firewall rules that let pass the -tunneled traffic. In order to test the tunnels, carol and dave then ping the client -alice behind the gateway moon. The source IP addresses of the two pings will be the -virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat deleted file mode 100755 index 5133e426f8..0000000000 --- a/testing/tests/swanctl/ip-pool-db/evaltest.dat +++ /dev/null 
@@ -1,23 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index 886b31f9b8..0000000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index 886b31f9b8..0000000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
-}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index 31cf56d246..0000000000
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
- database = sqlite:///etc/db.d/ipsec.db
-}
diff --git a/testing/tests/swanctl/ip-pool/description.txt b/testing/tests/swanctl/ip-pool/description.txt
deleted file mode 100755
index 17b1573f69..0000000000
--- a/testing/tests/swanctl/ip-pool/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload.
-The gateway moon assigns virtual IP addresses from a simple pool defined in the pools section
-of swanctl.conf in a monotonously increasing order.
-
-The updown script automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
deleted file mode 100755
index 36ab6c119f..0000000000
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
deleted file mode 100755
index 16dc236690..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
+++ /dev/null
@@ -1,35 +0,0 @@
-moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
-moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
-moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
-carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
-venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
-dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1]
child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
-dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
-venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
-
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
deleted file mode 100755
index f021e9c96d..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index f021e9c96d..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index f021e9c96d..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index fba531a52e..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
- database = sqlite:///etc/db.d/ipsec.db
-}
\ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
deleted file mode 100755
index f021e9c96d..0000000000
--- a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
-}
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt
deleted file mode 100755
index df9f54a66a..0000000000
--- a/testing/tests/swanctl/ip-two-pools/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@ -The hosts alice and carol set up a tunnel connection each to gateway moon. -Both hosts request a virtual IP via the IKEv2 configuration payload. -Gateway moon assigns virtual IP addresses from pool1 with an address range of -10.3.0.0/28 to hosts connecting to the eth0 (192.168.0.1) interface and -virtual IP addresses from pool2 with an address range of 10.4.0.0/28 to hosts -connecting to the eth1 (10.1.0.1) interface. --Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and -both ping the gateway moon. diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat deleted file mode 100755 index cb3b60f4de..0000000000 --- a/testing/tests/swanctl/ip-two-pools/evaltest.dat +++ /dev/null 
@@ -1,18 +0,0 @@
-moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
-moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
-moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
-moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
-alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16
encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat
deleted file mode 100755
index f0a8f0f64c..0000000000
--- a/testing/tests/swanctl/ip-two-pools/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-alice::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-alice::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat
deleted file mode 100755
index fb6cb52797..0000000000
--- a/testing/tests/swanctl/ip-two-pools/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-alice::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-alice::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-alice::expect-connection home
-alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt
deleted file mode 100644
index 3641d09ff0..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The roadwarrior carol sets up a connection to gateway moon
-using multiple authentication exchanges (RFC 4739). In a first round
-both carol and moon authenticate themselves by sending
-an IKEv2 RSA signature accompanied by a certificate.
-
-In a second round carol then uses the Extensible Authentication Protocol
-in association with a GSM Subscriber Identity Module (EAP-SIM) to
-authenticate herself against the remote RADIUS server alice.
-In this scenario, triplets from the file /etc/ipsec.d/triplets.dat
-are used instead of a physical SIM card on the client carol.
-The gateway forwards all EAP messages to the RADIUS server alice
-which also uses a static triplets file.
-
-The roadwarrior dave also uses multiple authentication and succeeds
-in the first round but sends wrong EAP-SIM triplets in the second round.
-As a consequence the radius server alice returns an Access-Reject
-message and the gateway moon sends back an EAP_FAILURE.
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
deleted file mode 100644
index a520e5c2cb..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon::cat 
/var/log/daemon.log::received EAP identity .*228060123456002::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
deleted file mode 100644
index aa6f98076a..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
+++ /dev/null
@@ -1,2 +0,0 @@
-228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
-228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
deleted file mode 100644
index aa6f98076a..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ /dev/null
@@ -1,2 +0,0 @@
-228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
-228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 54b79b35d0..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
deleted file mode 100644
index b8b86c8754..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 54b79b35d0..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
deleted file mode 100644
index 125ee22f9d..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /etc/ipsec.d/triplets.dat
-dave::cat /etc/ipsec.d/triplets.dat
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf
deleted file mode 100644
index 6781150128..0000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
-
diff --git a/testing/tests/swanctl/multi-level-ca/description.txt b/testing/tests/swanctl/multi-level-ca/description.txt
deleted file mode 100644
index 64825cb30c..0000000000
--- a/testing/tests/swanctl/multi-level-ca/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The VPN gateway moon controls the access to the hosts alice and
-venus by means of two different Intermediate CAs. Access to
-alice is granted to users presenting a certificate issued by the Research CA
-whereas venus can only be reached with a certificate issued by the
-Sales CA. The roadwarriors carol and dave have certificates from
-the Research CA and Sales CA, respectively. Therefore carol can access
-alice and dave can reach venus.
diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
deleted file mode 100644
index cd171e8c90..0000000000
--- a/testing/tests/swanctl/nat-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon:: sleep 6::no output expected::NO
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED 
local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
-alice::cat /var/log/daemon.log::sending keep alive::YES
-venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat
deleted file mode 100644
index ae6aaed337..0000000000
--- a/testing/tests/swanctl/nat-rw/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon:: sleep 6::no output expected::NO
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> 
/dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
-alice::cat /var/log/daemon.log::sending keep alive::YES
-venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index fd9bf8c7cc..0000000000
--- a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
- keep_alive = 5
-}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index fd9bf8c7cc..0000000000
--- a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
- keep_alive = 5
-}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-childless/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-childless/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/description.txt b/testing/tests/swanctl/net2net-ed25519/description.txt
deleted file mode 100755
index 07839e0ae2..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates containing Ed25519 keys.
-Upon the successful establishment of the IPsec tunnel, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client alice behind gateway moon
-pings client bob located behind gateway sun.
diff --git a/testing/tests/swanctl/net2net-ed25519/evaltest.dat b/testing/tests/swanctl/net2net-ed25519/evaltest.dat
deleted file mode 100755
index ebbb8ae753..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
-sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index a35aea01cc..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index a35aea01cc..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat
deleted file mode 100755
index 321fd34e2b..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/swanctl/pkcs8/*
-sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat
deleted file mode 100755
index 1ab4f5f459..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::rm /etc/swanctl/rsa/moonKey.pem
-sun::rm /etc/swanctl/rsa/sunKey.pem
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-ed25519/test.conf b/testing/tests/swanctl/net2net-ed25519/test.conf
deleted file mode 100755
index 07a3b247a1..0000000000
--- a/testing/tests/swanctl/net2net-ed25519/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-multicast/evaltest.dat b/testing/tests/swanctl/net2net-multicast/evaltest.dat
deleted file mode 100644
index 6efa23a00b..0000000000
--- a/testing/tests/swanctl/net2net-multicast/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
-bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat
deleted file mode 100644
index e28c8d4891..0000000000
--- a/testing/tests/swanctl/net2net-multicast/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat
deleted file mode 100644
index b323c5e22e..0000000000
--- a/testing/tests/swanctl/net2net-multicast/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat
deleted file mode 100755
index 4c56d5299b..0000000000
--- a/testing/tests/swanctl/net2net-psk/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat
deleted file mode 100755
index cc6a5bff73..0000000000
--- a/testing/tests/swanctl/net2net-psk/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat
deleted file mode 100755
index e935b95d5d..0000000000
--- a/testing/tests/swanctl/net2net-psk/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-pubkey/description.txt b/testing/tests/swanctl/net2net-pubkey/description.txt
deleted file mode 100644
index 1cb90f13fe..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on raw RSA keys loaded in PKCS#1 format.
-
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client alice behind gateway moon
-pings client bob located behind gateway sun.
diff --git a/testing/tests/swanctl/net2net-pubkey/evaltest.dat b/testing/tests/swanctl/net2net-pubkey/evaltest.dat
deleted file mode 100644
index b5398044eb..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 29e75f7b8c..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
-}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 29e75f7b8c..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
-}
diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat
deleted file mode 100644
index 468caf3e60..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/swanctl/pubkey/*
-sun::rm /etc/swanctl/pubkey/*
diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat
deleted file mode 100644
index fcd4335475..0000000000
--- a/testing/tests/swanctl/net2net-pubkey/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables-restore < /etc/iptables.rules
-sun::cd /etc/swanctl; rm x509/* x509ca/*
-moon::cd /etc/swanctl; rm x509/* x509ca/*
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-sun::expect-connection gw-gw
-moon::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat
deleted file mode 100755
index 5a95371419..0000000000
--- a/testing/tests/swanctl/net2net-route/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat
deleted file mode 100755
index cc6a5bff73..0000000000
--- a/testing/tests/swanctl/net2net-route/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat
deleted file mode 100755
index 5b2546feeb..0000000000
--- a/testing/tests/swanctl/net2net-route/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables-restore < /etc/iptables.rules
-sun::systemctl start strongswan
-moon::systemctl start strongswan
-sun::expect-connection gw-gw
-moon::expect-connection gw-gw
-alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/swanctl/net2net-route/test.conf b/testing/tests/swanctl/net2net-route/test.conf
deleted file mode 100755
index 07a3b247a1..0000000000
--- a/testing/tests/swanctl/net2net-route/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
deleted file mode 100755
index 4c56d5299b..0000000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat
deleted file mode 100755
index cc6a5bff73..0000000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat
deleted file mode 100755
index 2d3c8c1e20..0000000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
deleted file mode 100755
index 07a3b247a1..0000000000
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat
deleted file mode 100755
index 4c56d5299b..0000000000
--- a/testing/tests/swanctl/net2net-start/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ad4c18e437..0000000000
--- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat
deleted file mode 100755
index cc6a5bff73..0000000000
--- a/testing/tests/swanctl/net2net-start/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-start/test.conf b/testing/tests/swanctl/net2net-start/test.conf
deleted file mode 100755
index 07a3b247a1..0000000000
--- a/testing/tests/swanctl/net2net-start/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/ocsp-multi-level/description.txt b/testing/tests/swanctl/ocsp-multi-level/description.txt
deleted file mode 100644
index cd0ecf1623..0000000000
--- a/testing/tests/swanctl/ocsp-multi-level/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The VPN gateway moon controls the access to the hosts alice and
-venus by means of two different Intermediate CAs. Access to
-alice is granted to users presenting a certificate issued by the Research CA
-whereas venus can only be reached with a certificate issued by the
-Sales CA. The roadwarriors carol and dave have certificates from
-the Research CA and Sales CA, respectively. Therefore carol can access
-alice and dave can reach venus.
--By setting strictcrlpolicy=yes, the certificate status from the strongSwan, Research and
-Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/description.txt b/testing/tests/swanctl/ocsp-signer-cert/description.txt
deleted file mode 100644
index 22496f1cbe..0000000000
--- a/testing/tests/swanctl/ocsp-signer-cert/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-By setting strictcrlpolicy=yes, a strict CRL policy is enforced on
-both roadwarrior carol and gateway moon. The online certificate status
-is checked via the OCSP server winnetou which possesses an OCSP signer certificate
-issued by the strongSwan CA. This certificate contains an OCSPSigning
-extended key usage flag. carol's certificate includes an OCSP URI
-in an authority information access extension pointing to winnetou.
-Therefore no special authorities section information is needed in moon's swanctl.conf.
-
-carol can successfully initiate an IPsec connection to moon since
-the status of both certificates is good.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
deleted file mode 100644
index 45972168dc..0000000000
--- a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
-moon:: cat /var/log/daemon.log::requesting ocsp status::YES
-moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon:: cat /var/log/daemon.log::ocsp response is valid::YES
-moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::requesting ocsp status::YES
-carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-carol::cat /var/log/daemon.log::ocsp response is valid::YES
-carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/protoport-dual/evaltest.dat b/testing/tests/swanctl/protoport-dual/evaltest.dat
deleted file mode 100644
index b5eec4b31f..0000000000
--- a/testing/tests/swanctl/protoport-dual/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat
deleted file mode 100644
index f0563179c1..0000000000
--- a/testing/tests/swanctl/protoport-dual/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection icmp
-moon::expect-connection ssh
-carol::expect-connection icmp
-carol::expect-connection ssh
-carol::swanctl --initiate --child icmp 2> /dev/null
-carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 91e32f7ba4..0000000000
--- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 91e32f7ba4..0000000000
--- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index b415e075c3..0000000000
--- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index b415e075c3..0000000000
--- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index b415e075c3..0000000000
--- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-dnssec/evaltest.dat b/testing/tests/swanctl/rw-dnssec/evaltest.dat
deleted file mode 100644
index 73a2ff4b06..0000000000
--- a/testing/tests/swanctl/rw-dnssec/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
-moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 
remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules
deleted file mode 100644
index b2c425289c..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf
deleted file mode 100644
index 73d926deff..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 6339790cdd..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
-
- plugins {
- ipseckey {
- enable = yes
- }
- unbound {
- trust_anchors = /etc/swanctl/dnssec.keys
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
deleted file mode 100644
index d059d8476f..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-. IN DNSKEY 257 3 8 (
- AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
- XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
- L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
- E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
- AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
- nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
- O9fOgGnjzAk=
- )
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules
deleted file mode 100644
index b2c425289c..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf
deleted file mode 100644
index 73d926deff..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 6339790cdd..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
-
- plugins {
- ipseckey {
- enable = yes
- }
- unbound {
- trust_anchors = /etc/swanctl/dnssec.keys
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
deleted file mode 100644
index d059d8476f..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-. IN DNSKEY 257 3 8 (
- AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
- XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
- L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
- E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
- AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
- nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
- O9fOgGnjzAk=
- )
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules
deleted file mode 100644
index b2c425289c..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow DNSSEC fetch from winnetou
--A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf
deleted file mode 100644
index 73d926deff..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 617b812d57..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
-
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP_VENUS
-
- plugins {
- ipseckey {
- enable = yes
- }
- unbound {
- trust_anchors = /etc/swanctl/dnssec.keys
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
deleted file mode 100644
index d059d8476f..0000000000
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
+++ /dev/null
@@ -1,10 +0,0 @@
-; This is a key-signing key, keyid 32329, for .
-. IN DNSKEY 257 3 8 (
- AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
- XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
- L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
- E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
- AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
- nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
- O9fOgGnjzAk=
- )
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
deleted file mode 100644
index a655543f9c..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1582b2b01b..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 1582b2b01b..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
deleted file mode 100644
index 0d4f741977..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4d4fc3583e..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4d4fc3583e..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
deleted file mode 100644
index 68075b0920..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat
deleted file mode 100644
index b529b4bcef..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
deleted file mode 100644
index 42db2e199f..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarrior carol sets up a connection to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 digital signature accompanied by an X.509 certificate.
-
-Next carol uses the MD5 (EAP-MD5) method of the
-Extensible Authentication Protocol to authenticate herself.
-
-The gateway forwards all EAP messages to the RADIUS server alice.
-In addition to her IKEv2 identitycarol@strongswan.org, roadwarrior
-carol uses the EAP identity carol.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
deleted file mode 100644
index 3080ec15a6..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fa363c3455..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
deleted file mode 100644
index 4b05d1f78c..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
deleted file mode 100644
index 193f9e9c8c..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index d2cc789b3f..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat
deleted file mode 100644
index 68075b0920..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
deleted file mode 100644
index f0f241dc1f..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarrior carol sets up a connection to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 digital signature accompanied by an X.509 certificate.
-
-Next carol uses the MD5 (EAP-MD5) method of the
-Extensible Authentication Protocol to authenticate herself.
-The gateway forwards all EAP messages to the RADIUS server alice.
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
deleted file mode 100644
index 09a78be834..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e57629f2e4..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bf614014d4..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
deleted file mode 100644
index 4b05d1f78c..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
deleted file mode 100644
index 193f9e9c8c..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
deleted file mode 100644
index c0026af4ff..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e57629f2e4..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e57629f2e4..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
deleted file mode 100644
index 68075b0920..0000000000
--- a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
deleted file mode 100644
index a1c2d4e881..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity.*carol
-moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d9210aeb56..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index d9210aeb56..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
-}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
deleted file mode 100644
index 68075b0920..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
deleted file mode 100644
index 97b89cb611..0000000000
--- a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56df2de453..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56df2de453..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 347e7f7b2b..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-peap {
- phase2_method = md5
- phase2_piggyback = yes
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
deleted file mode 100644
index e5c82ef20d..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
deleted file mode 100644
index 69f83f67ae..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index b3fdc5d70a..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b3fdc5d70a..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c7023a6838..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-peap {
- phase2_method = mschapv2
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
deleted file mode 100644
index e5c82ef20d..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
deleted file mode 100644
index 69f83f67ae..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
deleted file mode 100644
index 0040682262..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 digital signature accompanied by an X.509 certificate.
-
-Next carol and dave et up an EAP-PEAP tunnel each via
-gateway moon to the RADIUS server alice authenticated by an X.509
-AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
-authentication based on EAP-MD5. carol presents the correct MD5 password
-and succeeds whereas dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index cb7743f825..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index cb7743f825..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bf614014d4..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
deleted file mode 100644
index 6363fcb590..0000000000
--- a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
deleted file mode 100644
index 038a2c1e16..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
deleted file mode 100644
index c167ba940e..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 11ae80c1ea..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fa363c3455..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
deleted file mode 100644
index 4b05d1f78c..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
deleted file mode 100644
index 18411263ec..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-carol::cat /etc/ipsec.d/triplets.dat
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
deleted file mode 100644
index 3d3359775d..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
deleted file mode 100644
index 51b64a74b3..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ /dev/null
@@ -1,72 +0,0 @@
-authorize {
- preprocess
- chap
- mschap
- files
- suffix
- update reply {
- EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
- EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
- EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
- EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
- EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
- EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
- EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
- EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
- EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
- }
- eap {
- ok = return
- }
- unix
- files
- expiration
- logintime
- pap
-}
-
-authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bf614014d4..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
deleted file mode 100644
index 476e4e1fc6..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
deleted file mode 100644
index 7d8023951b..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
deleted file mode 100644
index 7d8023951b..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bf614014d4..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
deleted file mode 100644
index a3aff64c3d..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
deleted file mode 100644
index 1e967896e9..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bcd8ef0e33..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
-}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
deleted file mode 100644
index 68075b0920..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
deleted file mode 100644
index 97b89cb611..0000000000
--- a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
deleted file mode 100644
index c9f3462930..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0b9b399519..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 69bff64c6f..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
deleted file mode 100644
index af9cda6caf..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
deleted file mode 100644
index 1e8e27fdf4..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf
deleted file mode 100644
index 97b89cb611..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-only/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
deleted file mode 100644
index d635ae33ef..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarrior carol sets up a connection to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 digital signature accompanied by an X.509 certificate.
-
-Next carol uses a mutual EAP-TLS authentication based
-on X.509 certificates. The gateway forwards all EAP messages to the
-AAA RADIUS server alice.
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
deleted file mode 100644
index 46d88143c4..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
deleted file mode 100644
index 23cba8d11b..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 3b1e09bced..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
-
- multiple_authentication = no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 9945befdff..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
deleted file mode 100644
index 4b05d1f78c..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
deleted file mode 100644
index 9b3942d2e9..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
deleted file mode 100755
index 8a8a95f7ec..0000000000
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16]
remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c2c9aa5164..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c2c9aa5164..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 8633346d11..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
deleted file mode 100644
index e5c82ef20d..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
deleted file mode 100644
index 69f83f67ae..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
deleted file mode 100644
index 479350c2fa..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 digital signature accompanied by an X.509 certificate.
-
-Next carol and dave et up an EAP-TTLS tunnel each via
-gateway moon to the RADIUS server alice authenticated by an X.509
-AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
-authentication based on EAP-MD5. carol presents the correct MD5 password
-and succeeds whereas dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
deleted file mode 100644
index 23cba8d11b..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
deleted file mode 100644
index 2bbe1d7300..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
+++ /dev/null
@@ -1,59 +0,0 @@
-server default {
-
-listen {
- type = auth
- ipaddr = 10.1.0.10
- port = 0
-}
-
-authorize {
- preprocess
- suffix
- eap {
- ok = return
- }
- files
- expiration
- logintime
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- exec
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- eap
- remove_reply_message_if_eap
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 85d90ccc1c..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 85d90ccc1c..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
deleted file mode 100644
index 1eb755354f..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index bf614014d4..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
deleted file mode 100644
index a3aff64c3d..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-alice::killall freeradius
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
deleted file mode 100644
index 6363fcb590..0000000000
--- a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/swanctl; rm rsa/* x509/*
-dave::cd /etc/swanctl; rm rsa/* x509/*
-alice::freeradius
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
deleted file mode 100755
index a7f04b53a1..0000000000
--- a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
-moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org
remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index 90f42a1c5e..0000000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
- hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index 90f42a1c5e..0000000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
- hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index 90f42a1c5e..0000000000
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
-
- hash_and_url = yes
-}
diff --git a/testing/tests/swanctl/rw-hash-and-url/posttest.dat b/testing/tests/swanctl/rw-hash-and-url/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-hash-and-url/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-newhope-bliss/description.txt b/testing/tests/swanctl/rw-newhope-bliss/description.txt
deleted file mode 100755
index 0a7f2489cf..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm
-with a cryptographical strength of 128 bits. Authentication is based on the BLISS
-algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
-carol, dave and moon, respectively.
-
-Both carol and dave request a virtual IP via the IKEv2 configuration payload.
-The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order.
-
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
deleted file mode 100755
index be3b867a3b..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
-alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index 16dcf16a11..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index 475705026e..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index 16dcf16a11..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
-}
-
-charon-systemd {
- load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat
deleted file mode 100755
index 819964b7df..0000000000
--- a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem
-carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
-dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-ntru-bliss/description.txt b/testing/tests/swanctl/rw-ntru-bliss/description.txt
deleted file mode 100644
index 82ebd89ad0..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
-192 bit for carol and dave, respectively. Authentication is based on the BLISS
-algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
-carol, dave and moon, respectively.
-
-Both carol and dave request a virtual IP via the IKEv2 configuration payload.
-The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order.
-
-The updown script automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat
deleted file mode 100644
index 937425fabf..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0a86ed8130..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 0a86ed8130..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0a86ed8130..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
-
- send_vendor_id = yes
- fragment_size = 1500
-}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat
deleted file mode 100644
index b117208426..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
-moon::cd /etc/swanctl; rm bliss/* x509/moonCert.der x509ca/strongswan_blissCert.der
-carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der
-dave::cd /etc/swanctl; rm bliss/* x509/daveCert.der x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat
deleted file mode 100644
index 819964b7df..0000000000
--- a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem
-carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
-dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
deleted file mode 100755
index 8a8a95f7ec..0000000000
--- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16]
remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index dcef959eff..0000000000
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
deleted file mode 100755
index 11a3f6b069..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-alice::ping -c 1 192.168.0.100::64 bytes from
192.168.0.100: icmp_.eq=1::YES
-alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
deleted file mode 100755
index dcef959eff..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index dcef959eff..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index 0325fe9a27..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
deleted file mode 100755
index 12ad60eb8a..0000000000
--- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf
deleted file mode 100755
index dcef959eff..0000000000
--- a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index dcef959eff..0000000000
--- a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = random openssl
-}
-
-charon-systemd {
- load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/rw-psk-ppk/posttest.dat b/testing/tests/swanctl/rw-psk-ppk/posttest.dat
deleted file mode 100755
index eb21008563..0000000000
--- a/testing/tests/swanctl/rw-psk-ppk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ppk/pretest.dat b/testing/tests/swanctl/rw-psk-ppk/pretest.dat
deleted file mode 100755
index 12ad60eb8a..0000000000
--- a/testing/tests/swanctl/rw-psk-ppk/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat
deleted file mode 100755
index 94c1fc82c5..0000000000
--- a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cd /etc/swanctl; rm x509/* x509ca/*
-carol::cd /etc/swanctl; rm x509/* x509ca/*
-dave::cd /etc/swanctl; rm x509/* x509ca/*
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/test.conf b/testing/tests/swanctl/rw-pubkey-anon/test.conf
deleted file mode 100755
index 1227b9d1c0..0000000000
--- a/testing/tests/swanctl/rw-pubkey-anon/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat
deleted file mode 100755
index 2ea5b86650..0000000000
--- a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::rm /etc/swanctl/pubkey/*
-carol::rm /etc/swanctl/pubkey/*
-dave::rm /etc/swanctl/pubkey/*
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/test.conf b/testing/tests/swanctl/rw-pubkey-keyid/test.conf
deleted file mode 100755
index 1227b9d1c0..0000000000
--- a/testing/tests/swanctl/rw-pubkey-keyid/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt
deleted file mode 100644
index b95669dadf..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarriors alice and venus sitting behind the NAT router moon set up
-tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent
-local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net
-shunt policy with mode = pass.
-
-In order to test the tunnel, the NAT-ed hosts alice and venus
-ping each other and the client bob behind the gateway sun.
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
deleted file mode 100644
index dd0d8ec080..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
-venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
-sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
-sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
-alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index bf799a29b6..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
- keep_alive = 5
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 91e32f7ba4..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index bf799a29b6..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
-
- keep_alive = 5
-}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat
deleted file mode 100644
index a2ee681804..0000000000
--- a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::systemctl stop strongswan
-venus::systemctl stop strongswan
-sun::systemctl stop strongswan
-sun::iptables-restore < /etc/iptables.flush
-moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/xauth-rsa/description.txt b/testing/tests/swanctl/xauth-rsa/description.txt
deleted file mode 100644
index 9e78e41b7d..0000000000
--- a/testing/tests/swanctl/xauth-rsa/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on RSA public key signatures (pubkey) using X.509 certificates
-in the first round followed by extended authentication (xauth) of carol and dave
-based on user names equal to the IKEv1 identity (carol@strongswan.org and
-dave@strongswan.org, respectively) and corresponding XAuth user passwords.
-
-Upon the successful establishment of the IPsec tunnel, automatically inserted iptables-based
-firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall,
-carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/swanctl/xauth-rsa/evaltest.dat b/testing/tests/swanctl/xauth-rsa/evaltest.dat
deleted file mode 100644
index 46d66a007c..0000000000
--- a/testing/tests/swanctl/xauth-rsa/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fccc73f22a..0000000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fccc73f22a..0000000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fccc73f22a..0000000000
--- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat
deleted file mode 100644
index eb21008563..0000000000
--- a/testing/tests/swanctl/xauth-rsa/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat
deleted file mode 100644
index 3d37a86e52..0000000000
--- a/testing/tests/swanctl/xauth-rsa/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/xauth-rsa/test.conf b/testing/tests/swanctl/xauth-rsa/test.conf
deleted file mode 100644
index 1227b9d1c0..0000000000
--- a/testing/tests/swanctl/xauth-rsa/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1