From 760d7c9b4fb10610423bd987785a87ac7b1df82a Mon Sep 17 00:00:00 2001 
From: Tobias Brunner
Date: Fri, 8 Feb 2019 18:57:38 +0100
Subject: [PATCH] testing: Add scenarios that use XFRM interfaces

The network namespace scenario requires a kernel patch in 4.19 and 4.20 kernels (the fix is included in 5.0 kernels).
---
 .../net2net-xfrmi-netns/description.txt | 22 ++++++++++++
 .../net2net-xfrmi-netns/evaltest.dat | 18 ++++++++++
 .../hosts/moon/etc/strongswan.conf | 9 +++++
 .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++++++++++++++++
 .../hosts/sun/etc/strongswan.conf | 9 +++++
 .../hosts/sun/etc/swanctl/swanctl.conf | 32 +++++++++++++++++
 .../net2net-xfrmi-netns/hosts/sun/etc/updown | 18 ++++++++++
 .../net2net-xfrmi-netns/posttest.dat | 8 +++++
 .../net2net-xfrmi-netns/pretest.dat | 12 +++++++
 .../route-based/net2net-xfrmi-netns/test.conf | 25 ++++++++++++++
 .../route-based/net2net-xfrmi/description.txt | 17 ++++++++++
 .../route-based/net2net-xfrmi/evaltest.dat | 5 +++
 .../hosts/moon/etc/strongswan.conf | 9 +++++
 .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++++++++++++++++
 .../hosts/sun/etc/strongswan.conf | 9 +++++
 .../hosts/sun/etc/swanctl/swanctl.conf | 32 +++++++++++++++++
 .../net2net-xfrmi/hosts/sun/etc/updown | 23 +++++++++++++
 .../route-based/net2net-xfrmi/posttest.dat | 10 ++++++
 .../route-based/net2net-xfrmi/pretest.dat | 14 ++++++++
 .../tests/route-based/net2net-xfrmi/test.conf | 25 ++++++++++++++
 .../rw-shared-xfrmi/description.txt | 12 +++++++
 .../route-based/rw-shared-xfrmi/evaltest.dat | 10 ++++++
 .../hosts/carol/etc/strongswan.conf | 9 +++++
 .../hosts/carol/etc/swanctl/swanctl.conf | 28 +++++++++++++++
 .../hosts/dave/etc/strongswan.conf | 9 +++++
 .../hosts/dave/etc/swanctl/swanctl.conf | 28 +++++++++++++++
 .../hosts/moon/etc/strongswan.conf | 9 +++++
 .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++++++++++++++++++
 .../route-based/rw-shared-xfrmi/posttest.dat | 10 ++++++
 .../route-based/rw-shared-xfrmi/pretest.dat | 16 +++++++++
 .../route-based/rw-shared-xfrmi/test.conf | 25 ++++++++++++++
 31 files changed, 547 insertions(+)
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/description.txt
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/evaltest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/swanctl/swanctl.conf
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/swanctl/swanctl.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/posttest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/pretest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi-netns/test.conf
create mode 100644 testing/tests/route-based/net2net-xfrmi/description.txt
create mode 100644 testing/tests/route-based/net2net-xfrmi/evaltest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
create mode 100644 testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/swanctl/swanctl.conf
create mode 100755 testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown
create mode 100644 testing/tests/route-based/net2net-xfrmi/posttest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi/pretest.dat
create mode 100644 testing/tests/route-based/net2net-xfrmi/test.conf
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/description.txt
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/evaltest.dat
create mode 100755 testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
create mode 100755 testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/swanctl/swanctl.conf
create mode 100755 testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
create mode 100755 testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/swanctl/swanctl.conf
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
create mode 100755 testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/posttest.dat
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/pretest.dat
create mode 100644 testing/tests/route-based/rw-shared-xfrmi/test.conf
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/description.txt b/testing/tests/route-based/net2net-xfrmi-netns/description.txt
new file mode 100644
index 0000000000..10c2d53eca
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/description.txt
@@ -0,0 +1,22 @@
+This scenario demonstrates a property of XFRM interfaces that allows
+moving them into network namespaces while retaining access to IPsec SAs and
+policies in the original namespace. This enables an IKE daemon in one namespace
+to provide IPsec tunnels for processes in other namespaces without having to
+give them access to the keys and IKE credentials.
+
+The gateways use route-based forwarding with XFRM interfaces, with
+firewall rules to allow traffic to pass. The IPsec traffic selector used is
+0.0.0.0/0, however, specific routing is achieved with routes on the XFRM
+interfaces. The IKE daemon does not install routes for CHILD_SAs with outbound
+interface ID, so static routes are installed for the target subnets.
+
+The XFRM interface on gateway moon is moved into a new network namespace
+from which a ping is sent to client bob. It is then moved back out and
+alice sends another ping to bob to test if that works too.
+
+Gateway sun dynamically creates the XFRM interface via updown script
+using the passed unique generated interface ID.
+
+Note that the dropped packet seen on the XFRM interface on moon
+is an IPv6 Router Solicitation (NDP) sent from that namespace, which doesn't
+match the IPsec policy.
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/evaltest.dat b/testing/tests/route-based/net2net-xfrmi-netns/evaltest.dat
new file mode 100644
index 0000000000..6770a41b4a
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/evaltest.dat
@@ -0,0 +1,18 @@
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::ip netns add xfrmi-test::.*::NO
+moon::ip link set xfrm-moon netns xfrmi-test::.*::NO
+moon::ip netns exec xfrmi-test ip addr add 10.1.0.42/32 dev xfrm-moon::.*::NO
+moon::ip netns exec xfrmi-test ip link set dev xfrm-moon up::.*::NO
+moon::ip netns exec xfrmi-test ip route add 10.2.0.0/16 dev xfrm-moon src 10.1.0.42::.*::NO
+moon::ip netns exec xfrmi-test ip xfrm state::.*::NO
+moon::ip netns exec xfrmi-test ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+alice::ping -c 1 -W 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::NO
+moon::ip netns exec xfrmi-test ip link set xfrm-moon netns 1::.*::NO
+moon::ip netns del xfrmi-test::.*::NO
+moon::ip link set dev xfrm-moon up::.*::NO
+moon::ip route add 10.2.0.0/16 dev xfrm-moon::.*::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..15f8ad5bc3
--- /dev/null
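Review bot: The negative check `moon::ip netns exec xfrmi-test ip xfrm state::.*::NO` is the one line that demonstrates the isolation property this scenario exists for, but it covers only SAs; the description also claims the policies stay in the original namespace, and nothing in the evaltest asserts that. A matching line right after it, `moon::ip netns exec xfrmi-test ip xfrm policy::.*::NO`, would pin the second half of the claim at no extra cost. The `alice::ping -c 1 -W 1 PH_IP_BOB::…::NO` step is the other half of the proof (the original namespace loses the tunnel while the interface is moved) and deserves a sentence in the description saying so, since a reader will otherwise wonder why an expected-to-fail ping is in the list.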
+++ b/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a9c8f893cc
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ if_id_out = 42
+ if_id_in = 42
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..15f8ad5bc3
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..f98fcfbd6d
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ if_id_out = %unique
+ if_id_in = %unique
+
+ updown = /etc/updown
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown
new file mode 100755
index 0000000000..71e904dfc3
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+IF_NAME="xfrmi-${PLUTO_IF_ID_IN}"
+
+case "${PLUTO_VERB}" in
+ up-client)
+ /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME}" -i "${PLUTO_IF_ID_IN}" -d eth0
+ ip link set "${IF_NAME}" up
+ ip route add 10.1.0.0/16 dev "${IF_NAME}"
+ iptables -A FORWARD -i "${IF_NAME}" -j ACCEPT
+ iptables -A FORWARD -o "${IF_NAME}" -j ACCEPT
+ ;;
+ down-client)
+ iptables -D FORWARD -i "${IF_NAME}" -j ACCEPT
+ iptables -D FORWARD -o "${IF_NAME}" -j ACCEPT
+ ip link del "${IF_NAME}"
+ ;;
+esac
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/posttest.dat b/testing/tests/route-based/net2net-xfrmi-netns/posttest.dat
new file mode 100644
index 0000000000..634cfe6d5b
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/posttest.dat
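Review bot: In the `up-client` branch of the updown script the `/usr/local/libexec/ipsec/xfrmi -n "${IF_NAME}" …` call can fail, and the script then still runs `ip link set`, `ip route add` and appends two `iptables -A FORWARD … -j ACCEPT` rules for an interface that was never created, with nothing reporting the failure back to charon. Adding `set -e` directly after `#!/bin/bash`, or `… || exit 1` on the `xfrmi` line, makes a failed interface setup visible in the daemon log instead of leaving a half-configured forwarding path behind. `IF_NAME` is built from `PLUTO_IF_ID_IN` with no guard, so an empty value silently yields the bare name `xfrmi-`; a `: "${PLUTO_IF_ID_IN:?}"` before the `case` records that assumption. The same two points apply to the two-interface updown script added for net2net-xfrmi/hosts/sun/etc/updown.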
@@ -0,0 +1,8 @@
+moon::swanctl --terminate --ike gw-gw
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip -s link show xfrm-moon
+moon::ip link del xfrm-moon
+sun::rm /etc/updown
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat b/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat
new file mode 100644
index 0000000000..2c337f51ea
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon -i 42 -d eth0
+moon::ip link set xfrm-moon up
+moon::ip route add 10.2.0.0/16 dev xfrm-moon
+moon::iptables -A FORWARD -i xfrm-moon -j ACCEPT
+moon::iptables -A FORWARD -o xfrm-moon -j ACCEPT
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net
diff --git a/testing/tests/route-based/net2net-xfrmi-netns/test.conf b/testing/tests/route-based/net2net-xfrmi-netns/test.conf
new file mode 100644
index 0000000000..87abc763b9
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi-netns/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/route-based/net2net-xfrmi/description.txt b/testing/tests/route-based/net2net-xfrmi/description.txt
new file mode 100644
index 0000000000..11cb005882
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/description.txt
@@ -0,0 +1,17 @@
+A connection between the subnets behind the gateways moon and sun
+is set up using XFRM interfaces.
+
+The gateways use route-based forwarding with XFRM interfaces, with
+firewall rules to allow traffic to pass. The IPsec traffic selector used is
+0.0.0.0/0, however, specific routing is achieved with routes on the XFRM
+interfaces. The IKE daemon does not install routes for CHILD_SAs with outbound
+interface ID, so static routes are installed for the target subnets.
+
+Both gateways use separate interfaces for in- and outbound traffic (which is
+completely optional and mainly for testing purposes, a single interface will
+usually be enough). Gateway moon creates them before initiating the
+connection, while gateway sun dynamically creates the interfaces via
+updown script using the passed unique generated interface IDs.
+
+Client alice behind gateway moon pings client bob located
+behind gateway sun.
diff --git a/testing/tests/route-based/net2net-xfrmi/evaltest.dat b/testing/tests/route-based/net2net-xfrmi/evaltest.dat
new file mode 100644
index 0000000000..0bf5cdb5a0
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..15f8ad5bc3
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..356bfb754a
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ if_id_out = 1337
+ if_id_in = 42
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..15f8ad5bc3
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..09ed4fe6a2
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ if_id_in = %unique-dir
+ if_id_out = %unique-dir
+
+ updown = /etc/updown
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown
new file mode 100755
index 0000000000..bf0d0b86ae
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+IF_NAME="xfrm-"
+IF_NAME_IN="${IF_NAME}${PLUTO_IF_ID_IN}-in"
+IF_NAME_OUT="${IF_NAME}${PLUTO_IF_ID_OUT}-out"
+
+case "${PLUTO_VERB}" in
+ up-client)
+ /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME_OUT}" -i "${PLUTO_IF_ID_OUT}" -d eth0
+ /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME_IN}" -i "${PLUTO_IF_ID_IN}" -d eth0
+ ip link set "${IF_NAME_OUT}" up
+ ip link set "${IF_NAME_IN}" up
+ ip route add 10.1.0.0/16 dev "${IF_NAME_OUT}"
+ iptables -A FORWARD -o "${IF_NAME_OUT}" -j ACCEPT
+ iptables -A FORWARD -i "${IF_NAME_IN}" -j ACCEPT
+ ;;
+ down-client)
+ iptables -D FORWARD -o "${IF_NAME_OUT}" -j ACCEPT
+ iptables -D FORWARD -i "${IF_NAME_IN}" -j ACCEPT
+ ip link del "${IF_NAME_OUT}"
+ ip link del "${IF_NAME_IN}"
+ ;;
+esac
diff --git a/testing/tests/route-based/net2net-xfrmi/posttest.dat b/testing/tests/route-based/net2net-xfrmi/posttest.dat
new file mode 100644
index 0000000000..ba0915d602
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/posttest.dat
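Review bot: `IF_NAME="xfrm-"` holds a prefix rather than an interface name, so `IF_NAME_IN` and `IF_NAME_OUT` read as if they were derived from an existing interface; `IF_PREFIX="xfrm-"` would say what the variable actually is. The derived names `xfrm-<id>-in` / `xfrm-<id>-out` are nine characters plus the decimal ID, and Linux caps interface names at 15 characters, so an ID of seven or more digits makes both `xfrmi -n …` calls fail while the script still continues with `ip link set`, the route and the `iptables` rules; whether `%unique-dir` can ever hand out IDs that large is not visible here, so a comment such as `# names must stay within the 15-character interface name limit` or a length check on `${#IF_NAME_OUT}` would document the assumption. The absent error handling itself is the same point raised on the single-interface updown script in net2net-xfrmi-netns.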
@@ -0,0 +1,10 @@
+moon::swanctl --terminate --ike gw-gw
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip -s link show xfrm-moon-out
+moon::ip -s link show xfrm-moon-in
+moon::ip link del xfrm-moon-out
+moon::ip link del xfrm-moon-in
+sun::rm /etc/updown
diff --git a/testing/tests/route-based/net2net-xfrmi/pretest.dat b/testing/tests/route-based/net2net-xfrmi/pretest.dat
new file mode 100644
index 0000000000..4160541614
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-out -d eth0 -i 1337
+moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-in -d eth0 -i 42
+moon::ip link set xfrm-moon-out up
+moon::ip link set xfrm-moon-in up
+moon::ip route add 10.2.0.0/16 dev xfrm-moon-out
+moon::iptables -A FORWARD -o xfrm-moon-out -j ACCEPT
+moon::iptables -A FORWARD -i xfrm-moon-in -j ACCEPT
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net
diff --git a/testing/tests/route-based/net2net-xfrmi/test.conf b/testing/tests/route-based/net2net-xfrmi/test.conf
new file mode 100644
index 0000000000..87abc763b9
--- /dev/null
+++ b/testing/tests/route-based/net2net-xfrmi/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/route-based/rw-shared-xfrmi/description.txt b/testing/tests/route-based/rw-shared-xfrmi/description.txt
new file mode 100644
index 0000000000..776b0d01bc
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors carol and dave set up a connection each to
+gateway moon. Both carol and dave request a virtual
+IP via IKEv2 configuration payload.
+
+The gateway moon uses route-based forwarding with an XFRM
+interface, with firewall rules to allow traffic to pass. The IKE daemon
+does not install routes for CHILD_SAs with outbound interface ID, so a static
+route is installed for the virtual IP subnet via XFRM interface.
+
+Both carol and dave ping the client alice behind the
+gateway moon. The source IP addresses of the two pings will be the
+virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/route-based/rw-shared-xfrmi/evaltest.dat b/testing/tests/route-based/rw-shared-xfrmi/evaltest.dat
new file mode 100644
index 0000000000..f693103141
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
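Review bot: Three of the `swanctl --list-sas` lines (`dave:: swanctl …` and the two `moon:: swanctl …` lines) carry a space after the `::` separator, while the `carol::swanctl …` line and every other evaltest in this commit do not. The leading space is harmless to the shell but inconsistent, and `dave::swanctl --list-sas --raw …` is the form the net2net scenarios use.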
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000000..ad4c18e437
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..15e80d2aa8
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000000..ad4c18e437
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..5b14d36efe
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_MOON
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..15f8ad5bc3
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..7565630e81
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ if_id_out = 42
+ if_id_in = 42
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/route-based/rw-shared-xfrmi/posttest.dat b/testing/tests/route-based/rw-shared-xfrmi/posttest.dat
new file mode 100644
index 0000000000..7c0aaded65
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/posttest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+moon::systemctl stop strongswan-swanctl
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip -s link show xfrm-moon
+moon::ip link del xfrm-moon
diff --git a/testing/tests/route-based/rw-shared-xfrmi/pretest.dat b/testing/tests/route-based/rw-shared-xfrmi/pretest.dat
new file mode 100644
index 0000000000..bbf368ac6e
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon -i 42 -d eth0
+moon::ip link set xfrm-moon up
+moon::ip route add 10.3.0.0/28 dev xfrm-moon
+moon::iptables -A FORWARD -i xfrm-moon -j ACCEPT
+moon::iptables -A FORWARD -o xfrm-moon -j ACCEPT
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/route-based/rw-shared-xfrmi/test.conf b/testing/tests/route-based/rw-shared-xfrmi/test.conf
new file mode 100644
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/route-based/rw-shared-xfrmi/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-- 
2.39.2