From: Tobias Brunner Date: Fri, 16 May 2025 08:28:16 +0000 (+0200) Subject: testing: Add ikev2/net2net-iptfs scenario X-Git-Tag: 6.0.2dr1~4^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc4fef146a513f657691519d2fd89261d1b28ed4;p=thirdparty%2Fstrongswan.git testing: Add ikev2/net2net-iptfs scenario --- diff --git a/testing/tests/ikev2/net2net-iptfs/description.txt b/testing/tests/ikev2/net2net-iptfs/description.txt new file mode 100755 index 0000000000..6d2e016966 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways moon and sun is set up +enabling IP-TFS (RFC 9347) to aggregate small packets into a single ESP packets and +fragment large packets across multiple ESP packets. +The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +sends several pings to client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-iptfs/evaltest.dat b/testing/tests/ikev2/net2net-iptfs/evaltest.dat new file mode 100755 index 0000000000..f376c1a956 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=IPTFS.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=IPTFS.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 4 -i 0.1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=.::4 +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::1 +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::1 diff --git a/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..e9a7590b2c --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici + iptfs { + # set to 0.5 seconds for test purposes + init_delay = 500000 + } +} diff --git a/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..f914a5b2f4 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,31 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + mode = iptfs + + updown = /usr/local/libexec/ipsec/_updown iptables + hostaccess = yes + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/strongswan.conf new file mode 100755 index 0000000000..5ac39a3371 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..974ddb98b1 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + mode = iptfs + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/net2net-iptfs/posttest.dat b/testing/tests/ikev2/net2net-iptfs/posttest.dat new file mode 100755 index 0000000000..82a2de139d --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/posttest.dat @@ -0,0 +1,4 @@ +moon::systemctl stop strongswan +sun::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-iptfs/pretest.dat b/testing/tests/ikev2/net2net-iptfs/pretest.dat new file mode 100755 index 0000000000..2d3c8c1e20 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +sun::systemctl start strongswan +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/ikev2/net2net-iptfs/test.conf b/testing/tests/ikev2/net2net-iptfs/test.conf new file mode 100755 index 0000000000..87abc763b9 --- /dev/null +++ b/testing/tests/ikev2/net2net-iptfs/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1