From: Tobias Brunner
Date: Tue, 24 Nov 2020 16:33:13 +0000 (+0100)
Subject: charon-tkm: Don't use starter/stroke with charon-tkm anymore
X-Git-Tag: 5.9.2dr2~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16fcdb460afd09ed3b0668aa017347ed4aaab45a;p=thirdparty%2Fstrongswan.git
charon-tkm: Don't use starter/stroke with charon-tkm anymore
For the tests, the unused init script that was used before switching to charon-systemd is repurposed to manage the daemon.
---
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index ad54eafc0e..4939c074a1 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -29,7 +29,7 @@ PLUGINS = \
pem \
socket-default \
openssl \
- stroke
+ vici
all: build_charon
diff --git a/testing/hosts/default/etc/init.d/charon b/testing/hosts/default/etc/init.d/charon-tkm
similarity index 94%
rename from testing/hosts/default/etc/init.d/charon
rename to testing/hosts/default/etc/init.d/charon-tkm
index 477605172b..fa8b8419d8 100755
--- a/testing/hosts/default/etc/init.d/charon
+++ b/testing/hosts/default/etc/init.d/charon-tkm
@@ -1,12 +1,12 @@
#! /bin/sh
### BEGIN INIT INFO
-# Provides: charon
+# Provides: charon-tkm
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
+# Short-Description: strongSwan charon-tkm IKE daemon
+# Description: with swanctl the strongSwan charon-tkm daemon must be
# running in the background
### END INIT INFO
@@ -16,12 +16,12 @@
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
+DESC="strongSwan charon-tkm IKE daemon"
+NAME=charon-tkm
DAEMON=/usr/local/libexec/ipsec/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
+SCRIPTNAME=/etc/init.d/charon-tkm
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 7918485d46..3505504204 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -2,7 +2,7 @@
PKG = tkm
SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = 8184cc0976a5b00c9d042bef2032223ae261f948
+REV = b99aeb158b7701ea4a77184bff5ff38f8e26013a
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
index 4158625a13..2ba6e0bf87 100644
--- a/testing/tests/tkm/host2host-initiator/evaltest.dat
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
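Review bot: Now that this script is the harness's way of running charon-tkm, the skeleton's `[ -x "$DAEMON" ] || exit 0` right after the renamed variables makes `service charon-tkm start` succeed silently when `/usr/local/libexec/ipsec/charon-tkm` is missing, so a build or install problem only shows up later at `expect-connection conn1` in the pretest files. For a test-only script it would be clearer to fail loudly, e.g. `[ -x "$DAEMON" ] || { echo "$DAEMON is not executable" >&2; exit 1; }`. The start/stop functions are outside the hunk, so whether `PIDFILE=/var/run/$NAME.pid` matches where charon-tkm actually writes its pid file cannot be checked here.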
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
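Review bot: The `sun::` expectation is written `sun:: swanctl --list-sas --raw ...` with a space after the host separator while the `moon::` line in the same hunk has none; unless the evaluator trims the command field this is at best an inconsistency and at worst a line that never matches, so `sun::swanctl --list-sas --raw 2> /dev/null::...` would be the safer spelling. The same spacing appears on the sun and dave lines (but not the carol line) of the evaltest.dat hunks for host2host-responder, host2host-xfrmproxy, multiple-clients and net2net-initiator. The new patterns also pin `192.168.0.1`/`192.168.0.2` while the ping line directly below uses `PH_IP_SUN`; that is correct as long as the hosts' addresses are fixed for these tests, but the placeholders would keep the expectations in one style.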
@@ -11,7 +9,7 @@ moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
-moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::swanctl --terminate --ike conn1 && sleep 1::no output expected::NO
moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in
index bd076cf846..b6d0cce82d 100644
--- a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in
@@ -11,4 +11,7 @@ charon-tkm {
fingerprint = CA_SPK_HEX
}
}
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
}
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index e52a04f428..0000000000
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=sun.strongswan.org
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
- type=transport
- auto=add
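Review bot: The added `start-scripts` block in strongswan.conf.in says nothing about why moon, unlike sun, needs swanctl run from inside the daemon, and the identical block is added without comment to the host2host-responder, host2host-xfrmproxy and multiple-clients `strongswan.conf.in` files. Since charon-tkm is now started by the init script rather than charon-systemd, nothing else would trigger `swanctl --load-all` for it, which appears to be the reason for the hook; a line such as `# charon-tkm is started by an init script, not charon-systemd, so load the swanctl configuration once the daemon is up` above the block would record that. `--noprompt` looks appropriate here because the pretest removes `/etc/swanctl/rsa/*` and the private key is served by tkm_keymanager instead.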
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
index f585edfca2..2e6ff3708e 100644
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+ load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..f6de734a37
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-initiator/posttest.dat b/testing/tests/tkm/host2host-initiator/posttest.dat
index 34037bc234..09900ddc69 100644
--- a/testing/tests/tkm/host2host-initiator/posttest.dat
+++ b/testing/tests/tkm/host2host-initiator/posttest.dat
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
moon::killall tkm_keymanager
moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
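Review bot: The new `host-host` connection in swanctl.conf drops the lifetime and retry settings the deleted `ipsec.conf` carried (`ikelifetime=60m`, `keylife=20m`, `rekeymargin=3m`, `keyingtries=1`), so sun now runs with swanctl's defaults for IKE and CHILD_SA rekeying and for `keyingtries`; that is probably harmless for a test that finishes in seconds, but it is an unstated behaviour change and `keyingtries = 1` at least is cheap to keep. The same applies to the sun files in host2host-responder and host2host-xfrmproxy, and the carol and dave files in multiple-clients additionally lose the old `mobike=no`, which swanctl.conf expresses as `mobike = no` inside the connection. Whether any of these defaults interacts with the TKM-side `soft 30, hard 60` ESA expectation in evaltest.dat cannot be told from this diff.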
diff --git a/testing/tests/tkm/host2host-initiator/pretest.dat b/testing/tests/tkm/host2host-initiator/pretest.dat
index 6be277737f..cb5d5b42c0 100644
--- a/testing/tests/tkm/host2host-initiator/pretest.dat
+++ b/testing/tests/tkm/host2host-initiator/pretest.dat
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-moon::DAEMON_NAME=charon-tkm ipsec up conn1
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
diff --git a/testing/tests/tkm/host2host-initiator/test.conf b/testing/tests/tkm/host2host-initiator/test.conf
index 9647dc6a2a..52d886dcce 100644
--- a/testing/tests/tkm/host2host-initiator/test.conf
+++ b/testing/tests/tkm/host2host-initiator/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat
index 2db775799d..5f1af74d54 100644
--- a/testing/tests/tkm/host2host-responder/evaltest.dat
+++ b/testing/tests/tkm/host2host-responder/evaltest.dat
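Review bot: `moon::rm /etc/swanctl/rsa/*` in pretest.dat is what keeps moon's RSA key out of charon-tkm, whose private-key operations are meant to go through the TKM (`tkm_keymanager -k /etc/tkm/moonKey.der`), but it only clears one of the directories `swanctl --load-all` reads; if the default host image also places a copy under `/etc/swanctl/private` or `/etc/swanctl/pkcs8`, the start script added to strongswan.conf.in would still load it into the daemon. That is worth confirming against the image, and `rm -f` would additionally stop the line failing when the glob matches nothing (the old `rm /etc/ipsec.secrets` had the same weakness). The same pretest lines appear in the host2host-responder, host2host-xfrmproxy and multiple-clients hunks.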
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in
index bd076cf846..b6d0cce82d 100644
--- a/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in
@@ -11,4 +11,7 @@ charon-tkm {
fingerprint = CA_SPK_HEX
}
}
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
}
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 6681dad115..0000000000
--- a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=sun.strongswan.org
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
- auto=add
- type=transport
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
index f585edfca2..2e6ff3708e 100644
--- a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+ load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..f6de734a37
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-responder/posttest.dat b/testing/tests/tkm/host2host-responder/posttest.dat
index 34037bc234..09900ddc69 100644
--- a/testing/tests/tkm/host2host-responder/posttest.dat
+++ b/testing/tests/tkm/host2host-responder/posttest.dat
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
moon::killall tkm_keymanager
moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
diff --git a/testing/tests/tkm/host2host-responder/pretest.dat b/testing/tests/tkm/host2host-responder/pretest.dat
index 9f8c7be1fc..fc85d59124 100644
--- a/testing/tests/tkm/host2host-responder/pretest.dat
+++ b/testing/tests/tkm/host2host-responder/pretest.dat
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-sun::ipsec up host-host
+moon::expect-connection conn1
+sun::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/tkm/host2host-responder/test.conf b/testing/tests/tkm/host2host-responder/test.conf
index 9647dc6a2a..52d886dcce 100644
--- a/testing/tests/tkm/host2host-responder/test.conf
+++ b/testing/tests/tkm/host2host-responder/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
index 74203f82d9..cffacbb13e 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in
index bd076cf846..b6d0cce82d 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in
@@ -11,4 +11,7 @@ charon-tkm {
fingerprint = CA_SPK_HEX
}
}
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index e52a04f428..0000000000
--- a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=sun.strongswan.org
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
- type=transport
- auto=add
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
index f585edfca2..2e6ff3708e 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+ load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..f6de734a37
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
index 99efe7b004..2b0442bab7 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
moon::killall xfrm_proxy
moon::killall tkm_keymanager
moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
diff --git a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
index 9d2d2580c1..4a00923420 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
moon::expect-file /tmp/tkm.rpc.ees
moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
diff --git a/testing/tests/tkm/host2host-xfrmproxy/test.conf b/testing/tests/tkm/host2host-xfrmproxy/test.conf
index 9647dc6a2a..52d886dcce 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/test.conf
+++ b/testing/tests/tkm/host2host-xfrmproxy/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
index 23f6151fc3..52484fcde0 100644
--- a/testing/tests/tkm/multiple-clients/evaltest.dat
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -1,11 +1,7 @@
-sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
-dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
-carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.100/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.2/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.2/32]::YES
carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
@@ -15,7 +11,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log | grep "Certificate chain of CC context 1 is valid" | wc -l::2::YES
+sun::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2
sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
sun::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 10ee3e89d2..0000000000
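Review bot: In the second hunk, `sun::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2` puts a number where every other line of the file has YES or NO, replacing the explicit `| grep ... | wc -l::2::YES` pipeline; this only keeps checking that both clients were validated if the evaluator interprets a numeric fourth field as a required match count, which this diff does not show. If it does, the rewrite is the cleaner form; if not, the line no longer asserts what the pipeline asserted and a reader of the file has no hint of the intended semantics.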
--- a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn host-host
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_SUN
- rightid=sun.strongswan.org
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
- type=transport
- auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
index 2127105da5..2e6ff3708e 100644
--- a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+ load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..5b234866b8
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_SUN
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 6ba0a97ce5..0000000000
--- a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn host-host
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_SUN
- rightid=sun.strongswan.org
- ike=aes256-sha512-modp4096!
- esp=aes256-sha512-modp4096!
- type=transport
- auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
index 2127105da5..2e6ff3708e 100644
--- a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+ load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..26a2f815e8
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_SUN
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in b/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in
index bd076cf846..b6d0cce82d 100644
--- a/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in
@@ -11,4 +11,7 @@ charon-tkm {
fingerprint = CA_SPK_HEX
}
}
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
}
diff --git a/testing/tests/tkm/multiple-clients/posttest.dat b/testing/tests/tkm/multiple-clients/posttest.dat
index 9a4a9bc9dc..bbe05307fd 100644
--- a/testing/tests/tkm/multiple-clients/posttest.dat
+++ b/testing/tests/tkm/multiple-clients/posttest.dat
@@ -1,5 +1,5 @@
-sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::service charon-tkm stop
sun::killall tkm_keymanager
sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
diff --git a/testing/tests/tkm/multiple-clients/pretest.dat b/testing/tests/tkm/multiple-clients/pretest.dat
index 16a8ffd0fb..7efe7424c3 100644
--- a/testing/tests/tkm/multiple-clients/pretest.dat
+++ b/testing/tests/tkm/multiple-clients/pretest.dat
@@ -1,14 +1,14 @@ -sun::rm /etc/ipsec.secrets -sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd -sun::cat /etc/ipsec.conf +sun::rm /etc/swanctl/rsa/* +sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +sun::cat /etc/swanctl/swanctl.conf sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & sun::expect-file /tmp/tkm.rpc.ike -sun::DAEMON_NAME=charon-tkm ipsec start -carol::ipsec start +sun::service charon-tkm start +carol::systemctl start strongswan carol::expect-connection host-host -dave::ipsec start +dave::systemctl start strongswan dave::expect-connection host-host -sun::DAEMON_NAME=charon-tkm expect-connection conn1 -sun::DAEMON_NAME=charon-tkm expect-connection conn2 -carol::ipsec up host-host -dave::ipsec up host-host +sun::expect-connection conn1 +sun::expect-connection conn2 +carol::swanctl --initiate --child host-host 2> /dev/null +dave::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/tkm/multiple-clients/test.conf b/testing/tests/tkm/multiple-clients/test.conf index 1dd36309da..cec3ba2dda 100644 --- a/testing/tests/tkm/multiple-clients/test.conf +++ b/testing/tests/tkm/multiple-clients/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol dave" # Used for IPsec logging purposes # IPSECHOSTS="carol dave sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat index f3a06c66b7..95b3267ee2 100644 --- a/testing/tests/tkm/net2net-initiator/evaltest.dat +++ b/testing/tests/tkm/net2net-initiator/evaltest.dat 
@@ -1,7 +1,5 @@ -moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES -sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in index bd076cf846..b6d0cce82d 100644 --- a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in +++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in 
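Review bot: The new `sun::` evaltest line has a stray space before its command (`sun:: swanctl --list-sas --raw …`) while the `moon::` line directly above it has none; the harness presumably splits on `::` and passes the remainder to a shell, so it likely still runs, but it reads as a typo and should be `sun::swanctl --list-sas --raw 2> /dev/null::…`. The same stray space appears in the sun lines of the net2net-xfrmproxy, xfrmproxy-expire and xfrmproxy-rekey evaltest.dat hunks below.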
@@ -11,4 +11,7 @@ charon-tkm { fingerprint = CA_SPK_HEX } } + start-scripts { + swanctl = /usr/local/sbin/swanctl --load-all --noprompt + } } diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 21b613d20b..0000000000 --- a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=sun.strongswan.org - leftsubnet=10.2.0.0/16 - right=PH_IP_MOON - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - auto=add diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf index a26295090a..2e6ff3708e 100644 --- a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 gmp x509 revocation random +} + +charon-systemd { + load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown } diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..34124f5d86 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf 
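Review bot: The removed `charon { … }` section on sun carried `multiple_authentication = no`, but the replacement `charon-systemd { … }` section does not, so sun now runs with the daemon's default for that option against the charon-tkm peer, and the commit message does not mention the drop. If it should stay disabled, add `multiple_authentication = no` inside `charon-systemd { }`; if the default is now acceptable with charon-tkm, a one-line comment there would save the next reader the question. The same setting is dropped in the net2net-xfrmproxy sun strongswan.conf hunk below.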
@@ -0,0 +1,26 @@ +connections { + + net-net { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + esp_proposals = aes256-sha512-modp4096 + } + } + } +} diff --git a/testing/tests/tkm/net2net-initiator/posttest.dat b/testing/tests/tkm/net2net-initiator/posttest.dat index 34037bc234..09900ddc69 100644 --- a/testing/tests/tkm/net2net-initiator/posttest.dat +++ b/testing/tests/tkm/net2net-initiator/posttest.dat @@ -1,4 +1,4 @@ -moon::DAEMON_NAME=charon-tkm ipsec stop +moon::service charon-tkm stop moon::killall tkm_keymanager moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log -sun::ipsec stop +sun::systemctl stop strongswan diff --git a/testing/tests/tkm/net2net-initiator/pretest.dat b/testing/tests/tkm/net2net-initiator/pretest.dat index e30b3b1b9b..6a30f38cc6 100644 --- a/testing/tests/tkm/net2net-initiator/pretest.dat +++ b/testing/tests/tkm/net2net-initiator/pretest.dat 
@@ -1,10 +1,10 @@ -moon::rm /etc/ipsec.secrets -moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd -moon::cat /etc/ipsec.conf +moon::rm /etc/swanctl/rsa/* +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/swanctl/swanctl.conf moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & moon::expect-file /tmp/tkm.rpc.ike -moon::DAEMON_NAME=charon-tkm ipsec start -sun::ipsec start +moon::service charon-tkm start +sun::systemctl start strongswan sun::expect-connection net-net -moon::DAEMON_NAME=charon-tkm expect-connection conn1 -moon::DAEMON_NAME=charon-tkm ipsec up conn1 +moon::expect-connection conn1 +moon::swanctl --initiate --child conn1 2> /dev/null diff --git a/testing/tests/tkm/net2net-initiator/test.conf b/testing/tests/tkm/net2net-initiator/test.conf index afa2accbec..87abc763b9 100644 --- a/testing/tests/tkm/net2net-initiator/test.conf +++ b/testing/tests/tkm/net2net-initiator/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat index d4befada5f..45eb4e4ce3 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat 
@@ -1,7 +1,5 @@ -moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES -sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in index bd076cf846..b6d0cce82d 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in 
@@ -11,4 +11,7 @@ charon-tkm { fingerprint = CA_SPK_HEX } } + start-scripts { + swanctl = /usr/local/sbin/swanctl --load-all --noprompt + } } diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 21b613d20b..0000000000 --- a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=sun.strongswan.org - leftsubnet=10.2.0.0/16 - right=PH_IP_MOON - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - auto=add diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf index a26295090a..2e6ff3708e 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown - multiple_authentication = no +swanctl { + load = pem pkcs1 gmp x509 revocation random +} + +charon-systemd { + load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown } diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..34124f5d86 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@ +connections { + + net-net { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + esp_proposals = aes256-sha512-modp4096 + } + } + } +} diff --git a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat index 24544307aa..2b0442bab7 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat @@ -1,4 +1,5 @@ -moon::DAEMON_NAME=charon-tkm ipsec stop +moon::service charon-tkm stop +moon::killall xfrm_proxy moon::killall tkm_keymanager moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log -sun::ipsec stop +sun::systemctl stop strongswan diff --git a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat index d022155a79..a868e80212 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat 
@@ -1,12 +1,12 @@ -sun::ipsec start -moon::rm /etc/ipsec.secrets -moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd -moon::cat /etc/ipsec.conf +sun::systemctl start strongswan +moon::rm /etc/swanctl/rsa/* +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/swanctl/swanctl.conf moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & moon::expect-file /tmp/tkm.rpc.ike -moon::DAEMON_NAME=charon-tkm ipsec start +moon::service charon-tkm start moon::expect-file /tmp/tkm.rpc.ees moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & -moon::DAEMON_NAME=charon-tkm expect-connection conn1 +moon::expect-connection conn1 sun::expect-connection net-net -alice::ping -c 3 PH_IP_BOB +alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/tkm/net2net-xfrmproxy/test.conf b/testing/tests/tkm/net2net-xfrmproxy/test.conf index afa2accbec..87abc763b9 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/test.conf +++ b/testing/tests/tkm/net2net-xfrmproxy/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat index 421924c7cc..3953d207a9 100644 --- a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat 
@@ -1,8 +1,6 @@ -moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES -sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -moon::sleep 2::wait for rekeying::NO +moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +moon::sleep 3::wait for rekeying::NO moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES 
@@ -20,7 +18,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES -moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]' | wc -l::2::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]::2 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in index e9ab536290..89731f2846 100644 --- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in @@ -13,4 +13,7 @@ charon-tkm { fingerprint = CA_SPK_HEX } } + start-scripts { + swanctl = /usr/local/sbin/swanctl --load-all --noprompt + } } diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf deleted file mode 100644 index e52a04f428..0000000000 --- a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=sun.strongswan.org - right=PH_IP_MOON - rightid=moon.strongswan.org - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - type=transport - auto=add diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf index f585edfca2..2e6ff3708e 100644 --- a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 gmp x509 revocation random +} + +charon-systemd { + load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown } diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..f6de734a37 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + host-host { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + esp_proposals = aes256-sha512-modp4096 + } + } + } +} diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat index 99efe7b004..2b0442bab7 100644 
--- a/testing/tests/tkm/xfrmproxy-expire/posttest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat @@ -1,5 +1,5 @@ -moon::DAEMON_NAME=charon-tkm ipsec stop +moon::service charon-tkm stop moon::killall xfrm_proxy moon::killall tkm_keymanager moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log -sun::ipsec stop +sun::systemctl stop strongswan diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat index 9d2d2580c1..4a00923420 100644 --- a/testing/tests/tkm/xfrmproxy-expire/pretest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat @@ -1,12 +1,12 @@ -sun::ipsec start -moon::rm /etc/ipsec.secrets -moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd -moon::cat /etc/ipsec.conf +sun::systemctl start strongswan +moon::rm /etc/swanctl/rsa/* +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/swanctl/swanctl.conf moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & moon::expect-file /tmp/tkm.rpc.ike -moon::DAEMON_NAME=charon-tkm ipsec start +moon::service charon-tkm start moon::expect-file /tmp/tkm.rpc.ees moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & -moon::DAEMON_NAME=charon-tkm expect-connection conn1 +moon::expect-connection conn1 sun::expect-connection host-host -moon::ping -c 3 192.168.0.2 +moon::ping -c 3 -W 1 -i 0.2 192.168.0.2 diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf index 9647dc6a2a..52d886dcce 100644 --- a/testing/tests/tkm/xfrmproxy-expire/test.conf +++ b/testing/tests/tkm/xfrmproxy-expire/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 
diff --git a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat index fbda21e0b4..fca4778251 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat +++ b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat @@ -1,8 +1,6 @@ -moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES -sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -moon::sleep 2::wait for rekeying::NO +moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +moon::sleep 3::wait for rekeying::NO sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES 
@@ -18,7 +16,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator FALSE, spi_loc.*, spi_rem.*)::YES -moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]' | wc -l::2::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::2 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in index e9ab536290..89731f2846 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in +++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in @@ -13,4 +13,7 @@ charon-tkm { fingerprint = CA_SPK_HEX } } + start-scripts { + swanctl = /usr/local/sbin/swanctl --load-all --noprompt + } } diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 9dc6412400..0000000000 --- a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=10s - rekeymargin=6s - rekeyfuzz=0% - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=sun.strongswan.org - right=PH_IP_MOON - rightid=moon.strongswan.org - ike=aes256-sha512-modp4096! - esp=aes256-sha512-modp4096! - type=transport - auto=add diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf index f585edfca2..2e6ff3708e 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 gmp x509 revocation random +} + +charon-systemd { + load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown } diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..eda900ff74 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + host-host { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + life_time=10s + rekey_time=4s + rand_time=0 + mode = transport + esp_proposals = aes256-sha512-modp4096 + } + } + } +} 
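Review bot: The three lifetime keys added to the `host-host` child in the new swanctl.conf, `life_time=10s`, `rekey_time=4s` and `rand_time=0`, are written without spaces around `=`, unlike `mode = transport` and every other key in the file; for consistency write `life_time = 10s`, `rekey_time = 4s`, `rand_time = 0`. The values themselves correspond to the removed ipsec.conf settings (keylife 10s, rekeymargin 6s, rekeyfuzz 0%), so this is formatting only.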
diff --git a/testing/tests/tkm/xfrmproxy-rekey/posttest.dat b/testing/tests/tkm/xfrmproxy-rekey/posttest.dat index 99efe7b004..2b0442bab7 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/posttest.dat +++ b/testing/tests/tkm/xfrmproxy-rekey/posttest.dat @@ -1,5 +1,5 @@ -moon::DAEMON_NAME=charon-tkm ipsec stop +moon::service charon-tkm stop moon::killall xfrm_proxy moon::killall tkm_keymanager moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log -sun::ipsec stop +sun::systemctl stop strongswan diff --git a/testing/tests/tkm/xfrmproxy-rekey/pretest.dat b/testing/tests/tkm/xfrmproxy-rekey/pretest.dat index 9d2d2580c1..4a00923420 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/pretest.dat +++ b/testing/tests/tkm/xfrmproxy-rekey/pretest.dat @@ -1,12 +1,12 @@ -sun::ipsec start -moon::rm /etc/ipsec.secrets -moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd -moon::cat /etc/ipsec.conf +sun::systemctl start strongswan +moon::rm /etc/swanctl/rsa/* +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/swanctl/swanctl.conf moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & moon::expect-file /tmp/tkm.rpc.ike -moon::DAEMON_NAME=charon-tkm ipsec start +moon::service charon-tkm start moon::expect-file /tmp/tkm.rpc.ees moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & -moon::DAEMON_NAME=charon-tkm expect-connection conn1 +moon::expect-connection conn1 sun::expect-connection host-host -moon::ping -c 3 192.168.0.2 +moon::ping -c 3 -W 1 -i 0.2 192.168.0.2 diff --git a/testing/tests/tkm/xfrmproxy-rekey/test.conf b/testing/tests/tkm/xfrmproxy-rekey/test.conf index 9647dc6a2a..52d886dcce 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/test.conf +++ b/testing/tests/tkm/xfrmproxy-rekey/test.conf 
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1