From: Andreas Steffen
Date: Mon, 10 Jan 2022 20:14:05 +0000 (+0100)
Subject: testing: Modified ikev2/net2net-rfc3779 scenario
X-Git-Tag: 5.9.5rc1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85d626e9aef9f12233fe79ea0b6fb61c89ff149d;p=thirdparty%2Fstrongswan.git
testing: Modified ikev2/net2net-rfc3779 scenario
---
diff --git a/testing/tests/ikev2/net2net-rfc3779/description.txt b/testing/tests/ikev2/net2net-rfc3779/description.txt
index 778d139b6b..111830ce51 100755
--- a/testing/tests/ikev2/net2net-rfc3779/description.txt
+++ b/testing/tests/ikev2/net2net-rfc3779/description.txt
@@ -5,6 +5,10 @@ allowing the peers to narrow down the address range to their actual subnets 1 and 10.2.0.0/16, respectively. These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints.

+In addition to that moon sets its local subnet to 10.0.0.0/14 but
+which is automatically narrowed down to 10.1.0.0/16 by sun
+matching it to the IP address constraint in moon's certificate.
+

Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
index 42adb2e8fa..e8f8f9fac2 100755
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32].*net.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32].*net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
 moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
 moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
@@ -8,8 +8,10 @@ sun:: cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained i
 sun:: cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
 sun:: cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
 sun:: cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+moon:: cat /var/log/daemon.log::TS 192.168.0.2/32 is contained in address block constraint 192.168.0.2/32::YES
+sun:: cat /var/log/daemon.log::TS 192.168.0.1/32 is contained in address block constraint 192.168.0.1/32::YES
 moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
-sun:: cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
+sun:: cat /var/log/daemon.log::TS 10.0.0.0/14 is contained in address block constraint 10.1.0.0/16 (subset 10.1.0.0/16)
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES 
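Review bot: The new sun expectation matches its second child with `mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16` while the other three child patterns in this hunk use `mode=TUNNEL.*=ESP.*`; the unanchored form also matches the letters ESP anywhere between the two fields rather than the `protocol=ESP` field the other patterns pin. For consistency change it to `mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16`. The `+sun::` line is split across two lines in this rendering; the continuation is presumably the rest of the same pattern.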
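Review bot: The added `+sun:: cat /var/log/daemon.log::TS 10.0.0.0/14 is contained in address block constraint 10.1.0.0/16 (subset 10.1.0.0/16)` line ends without the `::YES` result field that every other expectation in this file carries, so the evaluator presumably cannot tell whether a match is expected, or skips the line altogether; append `::YES` unless the field was lost in this rendering. This is the one expectation that proves the narrowing the commit introduces (moon's 10.0.0.0/14 reduced to the 10.1.0.0/16 constraint in its certificate), so a silently skipped line would leave the new behaviour unverified.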
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf
index bcc2742f78..638050c12b 100755
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf
@@ -1,6 +1,6 @@
 connections {
- gw-gw {
+ host {
 local_addrs = 192.168.0.1
 remote_addrs = 192.168.0.2
@@ -14,9 +14,13 @@ connections {
 id = sun.strongswan.org
 }
 children {
- net-net {
- local_ts = 10.1.0.0/16
- remote_ts = 10.2.0.0/16
+ host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ net {
+ local_ts = 10.0.0.0/14
+ remote_ts = 0.0.0.0/0
 updown = /usr/local/libexec/ipsec/_updown iptables
 rekey_time = 5400
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf
index 12cee0fc6d..c920e699a3 100755
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf
@@ -1,22 +1,22 @@
 connections {
- gw-gw {
+ host {
 local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
 local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
 }
 remote {
 auth = pubkey
 id = moon.strongswan.org
 }
 children {
- net-net {
+ host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ net {
 local_ts = 10.2.0.0/16
- remote_ts = 10.1.0.0/16
+ remote_ts = 0.0.0.0/0
 updown = /usr/local/libexec/ipsec/_updown iptables
 rekey_time = 5400
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
index cc6a5bff73..b2376e2b36 100755
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
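Review bot: The new `net` child on moon sets `local_ts = 10.0.0.0/14` and `remote_ts = 0.0.0.0/0` without saying why both are wider than the 10.1.0.0/16 and 10.2.0.0/16 the evaltest still expects; a reader of swanctl.conf alone cannot distinguish this deliberate exercise of certificate-based narrowing from a misconfiguration that would tunnel any destination if the peer's RFC 3779 address block constraint were missing. Add a comment above the two selectors, e.g. `# deliberately wider than moon's 10.1.0.0/16: sun narrows the TS to the IP address block constraint in moon's certificate`. The same applies to `remote_ts = 0.0.0.0/0` in sun's `net` child in the next hunk.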
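Review bot: Removing `auth = pubkey`, `certs = sunCert.pem` and `id = sun.strongswan.org` leaves sun's `local { }` section empty, so the responder's identity and certificate are no longer pinned in the config and are presumably selected from the loaded certificates and the IDr that moon requests; the evaltest still expects `local-id=sun.strongswan.org`. If exercising those defaults is intended, keep the block and add `# identity and certificate are selected from the initiator's IDr` inside it so the empty section does not read as an accidental deletion; otherwise drop the now-empty block.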
@@ -1,4 +1,6 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::swanctl --list-sas --raw
+sun::swanctl --list-sas --raw
+moon::swanctl --terminate --ike host 2> /dev/null
 moon::systemctl stop strongswan
 sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 2d3c8c1e20..4c12a5dd97 100755
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::systemctl start strongswan
 sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
+moon::expect-connection host
+sun::expect-connection host
+moon::swanctl --initiate --child host 2> /dev/null
+moon::swanctl --initiate --child net 2> /dev/null
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63be..0000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
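Review bot: The two added `moon::swanctl --list-sas --raw` and `sun::swanctl --list-sas --raw` lines in posttest.dat run before the tunnel is terminated and, unlike the other swanctl calls in this file, do not redirect stderr, which reads like debugging output left in. If they are meant to record the final SA state in the console log for the narrowed selectors, add `2> /dev/null` like the terminate line for consistency; otherwise remove them.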