From d662a7ffad9061248cc954845415af6b17f0512c Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Sun, 15 Aug 2010 11:13:41 +0200 Subject: [PATCH] included bad case in ikev2/rw-eap-ttls-radius scenario --- .../ikev2/rw-eap-ttls-radius/description.txt | 13 ++++++----- .../ikev2/rw-eap-ttls-radius/evaltest.dat | 9 +++++++- .../hosts/alice/etc/raddb/users | 1 + .../hosts/dave/etc/ipsec.conf | 23 +++++++++++++++++++ .../hosts/dave/etc/ipsec.secrets | 3 +++ .../hosts/dave/etc/strongswan.conf | 6 +++++ .../ikev2/rw-eap-ttls-radius/posttest.dat | 2 ++ .../ikev2/rw-eap-ttls-radius/pretest.dat | 7 +++++- .../tests/ikev2/rw-eap-ttls-radius/test.conf | 6 ++--- 9 files changed, 59 insertions(+), 11 deletions(-) create mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt index 0dd19fd7d8..299106b32e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt @@ -1,7 +1,8 @@ -The roadwarrior carol sets up a connection to gateway moon. -At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then sets up an EAP-TTLS tunnel via moon to +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication -based on EAP-MD5. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +carol presents the correct MD5 password and succeeds whereas dave chooses the +wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index 0bc2bd2c5a..d7f372a89e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat @@ -3,9 +3,16 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users index 247b918e37..50ccf3e763 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users @@ -1 +1,2 @@ carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 0000000000..c581d1bf67 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="ike 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 0000000000..d5631a9f5b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 0000000000..378bdc5400 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat index 920d6a20de..dbe56013ae 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat @@ -1,5 +1,7 @@ moon::ipsec stop carol::ipsec stop +dave::ipsec stop alice::/etc/init.d/radiusd stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index 266d0f5937..f329c99a55 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat @@ -1,9 +1,14 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null alice::cat /etc/raddb/eap.conf +alice::cat /etc/raddb/proxy.conf +alice::cat /etc/raddb/users alice::/etc/init.d/radiusd start moon::ipsec start carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home -carol::sleep 1 +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf index 2bd21499bd..5959cfcf4d 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice carol moon" +UMLHOSTS="alice carol winnetou dave moon" # Corresponding block diagram # -DIAGRAM="a-m-c.png" +DIAGRAM="a-m-c-w-d.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" -- 2.47.2