From: Andreas Steffen Date: Sat, 27 Mar 2021 21:15:13 +0000 (+0100) Subject: testing: Migrated ha/both-active scenario to vici X-Git-Tag: 5.9.3dr1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=511b860916bc7d61dbdcae2076ad786246dc4e74;p=thirdparty%2Fstrongswan.git testing: Migrated ha/both-active scenario to vici --- diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat index a81ba52312..b75d117606 100644 --- a/testing/tests/ha/both-active/evaltest.dat +++ b/testing/tests/ha/both-active/evaltest.dat @@ -1,9 +1,9 @@ -alice::ipsec status 2> /dev/null::rw\[1].*PASSIVE.*mars.strongswan.org.*carol@strongswan.org::YES -alice::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2].*PASSIVE.*mars.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES +alice::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +alice::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.5 remote-port=4500 remote-id=mars.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.5 remote-port=4500 remote-id=mars.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES alice::cat /var/log/daemon.log::HA segment 1 activated::YES moon:: cat /var/log/daemon.log::HA segment 2 activated::YES alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 363473bddc..0000000000 --- a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=192.168.0.5 - leftcert=marsCert.pem - leftid=@mars.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index d65b96e340..0000000000 --- a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf index 0d10394c04..73874630ed 100644 --- a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf @@ -1,12 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha plugins { ha { - local = PH_IP_ALICE - remote = PH_IP_MOON1 + local = 10.1.0.10 + remote = 10.1.0.1 segment_count = 2 autobalance = 10 fifo_interface = yes diff --git a/testing/tests/ha/both-active/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ha/both-active/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..fc2aba4cbc --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.5 + + local { + auth = pubkey + certs = marsCert.pem + id = mars.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 3040f6afab..0000000000 --- a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=192.168.0.5 - rightid=@mars.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf index af5fa19ef1..b116cbfbec 100644 --- a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ha/both-active/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ha/both-active/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..b8c6219488 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.5 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = mars.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 27d6b8d99f..0000000000 --- a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=192.168.0.5 - rightid=@mars.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf index 16a0a8ca0c..e810522e7e 100644 --- a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ha/both-active/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ha/both-active/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..c655be9d57 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.5 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = mars.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 363473bddc..0000000000 --- a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=192.168.0.5 - leftcert=marsCert.pem - leftid=@mars.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index d65b96e340..0000000000 --- a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf index 17d54222dd..512cdc552f 100644 --- a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf @@ -1,12 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha plugins { ha { - local = PH_IP_MOON1 - remote = PH_IP_ALICE + local = 10.1.0.1 + remote = 10.1.0.10 segment_count = 2 autobalance = 10 fifo_interface = yes @@ -14,4 +14,3 @@ charon { } } } - diff --git a/testing/tests/ha/both-active/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ha/both-active/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..fc2aba4cbc --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.5 + + local { + auth = pubkey + certs = marsCert.pem + id = mars.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat index 867016dba6..ec0537586f 100644 --- a/testing/tests/ha/both-active/posttest.dat +++ b/testing/tests/ha/both-active/posttest.dat @@ -1,7 +1,9 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop -alice::ipsec stop +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +alice::systemctl stop strongswan +moon::cd /etc/swanctl; rm rsa/marsKey.pem x509/marsCert.pem +alice::cd /etc/swanctl; rm rsa/marsKey.pem x509/marsCert.pem moon::iptables-restore < /etc/iptables.flush alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat index f48873f621..5cecb9b008 100644 --- a/testing/tests/ha/both-active/pretest.dat +++ b/testing/tests/ha/both-active/pretest.dat @@ -9,12 +9,14 @@ moon::iptables-restore < /etc/iptables.rules alice::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -alice::ipsec start +moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem +alice::cd /etc/swanctl; rm rsa/aliceKey.pem x509/aliceCert.pem +moon::systemctl start strongswan +alice::systemctl start strongswan alice::sleep 1 -carol::ipsec start -dave::ipsec start +carol::systemctl start strongswan +dave::systemctl start strongswan carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf index 8056d9ce45..43f8bbcc37 100644 --- a/testing/tests/ha/both-active/test.conf +++ b/testing/tests/ha/both-active/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="venus carol dave" # Used for IPsec logging purposes # IPSECHOSTS="alice moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1