-certpbe aes-128-cbc -macalg sha256 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12}
# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
-for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
+for t in botan/net2net-pkcs12
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-# Put a copy in the openssl-ikev2/critical extension scenario
-TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-
# Generate sun certificate with an unsupported critical X.509 extension
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-# Put a copy in the openssl-ikev2/critical extension scenario
-TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
-cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-
# Generate winnetou server certificate
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
--dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
--outform pem > ${ECDSA_CERT}
-# Put a copy in the openssl-ikev2/ecdsa-certs scenario
+# Put a copy in the ikev2/ecdsa-certs scenario
for t in ecdsa-certs ecdsa-pkcs8
do
- TEST="${TEST_DIR}/openssl-ikev2/${t}"
+ TEST="${TEST_DIR}/ikev2/${t}"
for h in moon carol dave
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
# Generate a moon ECDSA 521 bit certificate
-TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
+TEST="${TEST_DIR}/ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
--crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
-# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
-TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
+# Put CA and EE certificate copies in the ikev2/ecdsa-pkcs8 scenario
+TEST="${TEST_DIR}/ikev2/ecdsa-pkcs8"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-# Put a copy in the botan openssl-ikev2 and wolfssl net2net-sha3-rsa-cert scenarios
-for d in botan openssl-ikev2 wolfssl
+# Put a copy in the botan and wolfssl net2net-sha3-rsa-cert scenarios
+for d in botan wolfssl
do
TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
charon {
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
- multiple_authentication = no
}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
+}
+++ /dev/null
-*.pem
-*.p12
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
-}
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
-extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
-<b>sun</b> discards such certificates and aborts the connection setup.
+++ /dev/null
-moon::cat /var/log/daemon.log::sending end entity cert::YES
-moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
- multiple_authentication = no
-}
-
-libstrongswan {
- x509 {
- enforce_critical = no
- }
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.1
- remote_addrs = 192.168.0.2
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.1.0.0/16
- remote_ts = 10.2.0.0/16
- esp_proposals = aes128gcm128-ecp256
- }
- }
- version = 2
- mobike = no
- proposals = aes128-sha256-ecp256
- }
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.2.0.0/16
- remote_ts = 10.1.0.0/16
- esp_proposals = aes128gcm128-ecp256
- }
- }
- version = 2
- mobike = no
- proposals = aes128-sha256-ecp256
- }
-}
+++ /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
+++ /dev/null
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
-<b>PKCS12</b> format.
-<p/>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+++ /dev/null
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem openssl
-}
-
-charon-systemd {
- load = pem nonce openssl curl vici kernel-netlink socket-default updown
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.1
- remote_addrs = 192.168.0.2
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.1.0.0/16
- remote_ts = 10.2.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
- }
- }
- version = 2
- mobike = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- pkcs12-moon {
- file = moonCert.p12
- secret = "kUqd8O7mzbjXNJKQ"
- }
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem openssl
-}
-
-charon-systemd {
- load = pem nonce openssl curl vici kernel-netlink socket-default updown
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.2.0.0/16
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
- }
- }
- version = 2
- mobike = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- pkcs12-sun {
- file = sunCert.p12
- secret = "IxjQVCF3JGI+MoPi"
- }
-}
+++ /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/swanctl/pkcs12/moonCert.p12
-sun::rm /etc/swanctl/pkcs12/sunCert.p12
+++ /dev/null
-moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
-sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b> with signatures consisting of
-<b>RSA-encrypted SHA-3 hashes</b>.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+++ /dev/null
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce pem x509 revocation constraints pubkey openssl curl kernel-netlink socket-default updown vici
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.1
- remote_addrs = 192.168.0.2
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.1.0.0/16
- remote_ts = 10.2.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 5400
- rekey_bytes = 500000000
- rekey_packets = 1000000
- esp_proposals = aes128gcm128-x25519
- }
- }
- version = 2
- mobike = no
- reauth_time = 10800
- proposals = aes128-sha256-x25519
- }
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce pem x509 revocation constraints pubkey openssl curl kernel-netlink socket-default updown vici
-}
+++ /dev/null
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.2.0.0/16
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 5400
- rekey_bytes = 500000000
- rekey_packets = 1000000
- esp_proposals = aes128gcm128-x25519
- }
- }
- version = 2
- mobike = no
- reauth_time = 10800
- proposals = aes128-sha256-x25519
- }
-}
+++ /dev/null
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
+++ /dev/null
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 hmac gmp</b> and <b>x509</b>.
-<p/>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-<p/>
-Upon the successful establishment of the IPsec tunnels, the updown script
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
+++ /dev/null
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
-
- integrity_test = yes
- crypto_test {
- on_add = yes
- }
-}
+++ /dev/null
-connections {
-
- home {
- local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = carolCert.pem
- id = carol@strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = 3des-sha1-modp2048
- }
- }
- version = 2
- proposals = 3des-sha1-modp2048
- }
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
-
- integrity_test = yes
- crypto_test {
- required = yes
- on_add = yes
- }
-}
+++ /dev/null
-connections {
-
- home {
- local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = daveCert.pem
- id = dave@strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072
- }
- }
- version = 2
- proposals = aes128-sha256-modp3072
- }
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
-
- integrity_test = yes
- crypto_test {
- on_add = yes
- }
-}
+++ /dev/null
-connections {
-
- rw {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- }
- children {
- net {
- local_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048
- }
- }
- version = 2
- proposals = aes128-sha256-modp3072,3des-sha1-modp2048
- }
-}
+++ /dev/null
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
-carol::systemctl stop strongswan
-dave::systemctl stop strongswan
-moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-mmoon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-carol::systemctl start strongswan
-dave::systemctl start strongswan
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
