From: Tobias Brunner Date: Mon, 15 May 2023 13:55:30 +0000 (+0200) Subject: testing: Add libipsec scenarios that exchange raw ESP packets X-Git-Tag: 5.9.11rc1~8^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5db9b26e32f888a7ef5425da71464ca21c011447;p=thirdparty%2Fstrongswan.git testing: Add libipsec scenarios that exchange raw ESP packets --- diff --git a/testing/tests/libipsec/host2host-cert-raw/description.txt b/testing/tests/libipsec/host2host-cert-raw/description.txt new file mode 100644 index 0000000000..3c2ee919ab --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/description.txt @@ -0,0 +1,11 @@ +A connection between the hosts moon and sun is set up. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation +isn't enforced by the plugin as sending of raw ESP packets is enabled. +Firewall marks are used to make the direct ESP connection possible and +still allow IKE traffic to flow freely between the two hosts. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both host-to-host tunnel and firewall, +moon pings sun. diff --git a/testing/tests/libipsec/host2host-cert-raw/evaltest.dat b/testing/tests/libipsec/host2host-cert-raw/evaltest.dat new file mode 100644 index 0000000000..6bcf6e9a3e --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/evaltest.dat @@ -0,0 +1,5 @@ +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES 
diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..ac1b855642 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf @@ -0,0 +1,24 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown + + multiple_authentication = no + + plugins { + kernel-netlink { + fwmark = !0x42 + } + socket-default { + fwmark = 0x42 + } + kernel-libipsec { + allow_peer_ts = yes + raw_esp = yes + } + } +} diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..f5553c0af1 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown new file mode 100755 index 0000000000..c56509b610 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown 
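Review bot: The `fwmark = !0x42` in kernel-netlink and `fwmark = 0x42` in socket-default are the "firewall marks" description.txt relies on for raw ESP between the two hosts, yet the config itself carries no comment explaining why the two values must stay inverses of each other; a reader of this file alone (sun's copy at L6 is byte-identical) cannot tell that changing one without the other presumably pulls IKE into the libipsec tunnel. Suggest a comment above `plugins {`: `# IKE packets sent by socket-default carry mark 0x42; kernel-netlink excludes them (!0x42) from its routing rule so IKE is not tunneled via libipsec (see description.txt)`. The exact routing mechanism is inferred from description.txt rather than stated on the page, so word the comment to match whatever the plugin documentation says.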
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+    ICMP_TYPE_OPTION="--icmp-type"
+    ;;
+58) # ICMPv6
+    ICMP_TYPE_OPTION="--icmpv6-type"
+    ;;
+*)
+    ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+    if [ -n "$ICMP_TYPE_OPTION" ]
+    then
+        S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+        D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+    else
+        S_MY_PORT="--sport $PLUTO_MY_PORT"
+        D_MY_PORT="--dport $PLUTO_MY_PORT"
+    fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+    if [ -n "$ICMP_TYPE_OPTION" ]
+    then
+        # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+        S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+        D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+    else
+        S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+        D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+    fi
+fi
+
+case "$PLUTO_VERB" in
+up-host)
+    iptables -I OUTPUT 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+    iptables -I INPUT 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+    ;;
+down-host)
+    iptables -D OUTPUT -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+    iptables -D INPUT -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+    ;;
+esac
diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..ac1b855642
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf
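Review bot: The `$S_MY_PORT`, `$D_MY_PORT`, `$S_PEER_PORT` and `$D_PEER_PORT` expansions in the up-host and down-host arms are deliberately unquoted (each holds either nothing or an option plus its value, e.g. `--sport 500`), but the script never says so, and a later ShellCheck-driven cleanup quoting them would silently turn the rules into no-ops. Suggest a comment before `case "$PLUTO_VERB" in`: `# *_PORT variables are intentionally unquoted: they expand to "<option> <value>" or to nothing`. The four iptables calls also run without any exit-status check, so a rejected rule only shows up later as a failed ping; if charon reports a non-zero updown status, a `|| exit 1` after each call would surface the failure at the point it happens. The same script body is added at L7, L17, L19 and L25 (ip6tables/FORWARD variants) and carries the same two points.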
@@ -0,0 +1,24 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown + + multiple_authentication = no + + plugins { + kernel-netlink { + fwmark = !0x42 + } + socket-default { + fwmark = 0x42 + } + kernel-libipsec { + allow_peer_ts = yes + raw_esp = yes + } + } +} diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..cf11e75475 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown new file mode 100755 index 0000000000..c56509b610 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown 
@@ -0,0 +1,59 @@ +#!/bin/sh + +TUN_NAME=ipsec0 + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB" in +up-host) + iptables -I OUTPUT 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I INPUT 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-host) + iptables -D OUTPUT -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D INPUT -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +esac diff --git a/testing/tests/libipsec/host2host-cert-raw/posttest.dat b/testing/tests/libipsec/host2host-cert-raw/posttest.dat new file mode 100644 index 0000000000..557ee303d0 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/posttest.dat 
@@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system +sun::sysctl --pattern net.ipv4.conf.all.rp_filter --system diff --git a/testing/tests/libipsec/host2host-cert-raw/pretest.dat b/testing/tests/libipsec/host2host-cert-raw/pretest.dat new file mode 100644 index 0000000000..624728eac5 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/pretest.dat @@ -0,0 +1,9 @@ +moon::sysctl -w net.ipv4.conf.all.rp_filter=2 +sun::sysctl -w net.ipv4.conf.all.rp_filter=2 +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +sun::systemctl start strongswan +sun::expect-connection host-host +moon::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/libipsec/host2host-cert-raw/test.conf b/testing/tests/libipsec/host2host-cert-raw/test.conf new file mode 100644 index 0000000000..52d886dcce --- /dev/null +++ b/testing/tests/libipsec/host2host-cert-raw/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/description.txt b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/description.txt rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat similarity index 85% rename from testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat index cdb8ead3c1..b92e716834 100644 --- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat 
@@ -1,5 +1,5 @@ alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES -moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES -sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1:\:/16\[ipv6-icmp]] remote-ts=\[fec2:\:/16\[ipv6-icmp]]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 
remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2:\:/16\[ipv6-icmp]] remote-ts=\[fec1:\:/16\[ipv6-icmp]]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown 
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown diff --git a/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/posttest.dat rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat diff --git a/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/pretest.dat rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat diff --git a/testing/tests/libipsec/net2net-cert-ipv6/test.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf similarity index 100% rename from testing/tests/libipsec/net2net-cert-ipv6/test.conf rename to testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf 
diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt new file mode 100644 index 0000000000..1461b5e564 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt @@ -0,0 +1,11 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is set up. +It connects the two IPv6 subnets hiding behind their respective gateways. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation +isn't enforced by the plugin as sending of raw ESP packets is enabled. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon sends an IPv6 ICMP request to client bob behind sun +using the ping6 command. diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat new file mode 100644 index 0000000000..34e90c759c --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat @@ -0,0 +1,5 @@ +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES 
diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..e2c90b0bfa --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no + plugins { + kernel-libipsec { + raw_esp = yes + } + } +} diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..070310c181 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} \ No newline at end of file diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown new file mode 100755 index 0000000000..40b8fd3033 --- /dev/null 
+++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown @@ -0,0 +1,59 @@ +#!/bin/sh + +TUN_NAME=ipsec0 + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB" in +up-client-v6) + ip6tables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + ip6tables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client-v6) + ip6tables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + ip6tables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf new file mode 100644 index 0000000000..fa2a2a49c7 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf 
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici ker_nel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+  plugins {
+    kernel-libipsec {
+      raw_esp = yes
+    }
+  }
+}
diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6d3bb72260
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+   gw-gw {
+      local_addrs = fec0::2
+      remote_addrs = fec0::1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts = fec2::0/16
+            remote_ts = fec1::0/16
+
+            updown = /etc/updown
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+   strongswan {
+      cacert = strongswanCert.pem
+      crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+   }
+}
\ No newline at end of file
diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown
new file mode 100755
index 0000000000..40b8fd3033
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown
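Review bot: The plugin list in `charon-systemd.load` of sun's strongswan.conf reads `ker_nel-libipsec`, which is not a plugin name; this is the only visible difference from moon's copy and the two files have different blob ids (fa2a2a49c7 vs e2c90b0bfa), so it looks like a real typo rather than a rendering artefact. If the plugin fails to load, sun presumably falls back to kernel IPsec and never creates the ipsec0 interface that /etc/updown filters on, so the scenario would no longer test what description.txt claims, and the `plugins { kernel-libipsec { raw_esp = yes } }` block below would be dead configuration. Suggest `load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown`. Sun's strongswan.conf for net2net-cert-raw at L26 has the same blob id and the same line.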
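Review bot: The `net-net` child in sun's swanctl.conf sets `updown` twice (`updown = /etc/updown` followed by `updown = /usr/local/libexec/ipsec/_updown iptables`), while moon's copy at L16 has only the first; which value charon keeps depends on how the settings parser resolves duplicate keys, and if the last definition wins, sun never installs the ipsec0 FORWARD rules the evaltest depends on. Drop the second line, or if the stock _updown script is meant to run instead, say so in a comment, because as far as the page shows it does not know about the tun interface. The same duplicate appears in sun's swanctl.conf for net2net-cert-raw at L26. Both this file and moon's at L16 also end without a trailing newline (`\ No newline at end of file`), which the other new config files in this commit do not.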
@@ -0,0 +1,59 @@ +#!/bin/sh + +TUN_NAME=ipsec0 + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB" in +up-client-v6) + ip6tables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + ip6tables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client-v6) + ip6tables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + ip6tables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat new file mode 100644 index 0000000000..74281868fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat 
@@ -0,0 +1,11 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat new file mode 100644 index 0000000000..4ae22dc24b --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::systemctl start strongswan +sun::systemctl start strongswan +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf new file mode 100644 index 0000000000..5906883b1d --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf 
@@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert-raw/description.txt b/testing/tests/libipsec/net2net-cert-raw/description.txt new file mode 100644 index 0000000000..240f6e8e86 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-raw/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation +isn't enforced by the plugin as sending of raw ESP packets is enabled. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/libipsec/net2net-cert-raw/evaltest.dat b/testing/tests/libipsec/net2net-cert-raw/evaltest.dat new file mode 100644 index 0000000000..1b4b3fb105 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-raw/evaltest.dat @@ -0,0 +1,5 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..e2c90b0bfa --- /dev/null 
+++ b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no + plugins { + kernel-libipsec { + raw_esp = yes + } + } +} diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..b063e600d2 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown new file mode 100755 index 0000000000..682ccc701e --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown 
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client)
+ iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client)
+ iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..fa2a2a49c7
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf
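Review bot: In the `up-client` and `down-client` arms each branch runs two `iptables` commands in sequence with no error checking, so the script's exit status is that of the second command only; if the first `iptables -I FORWARD 1 -o $TUN_NAME ...` rule fails to install, the tunnel comes up with only the inbound rule in place and charon sees a successful updown run. Adding `set -e` directly after `#!/bin/sh` is POSIX-compatible with the rest of the script (the `[ ... ]` tests sit in `if` conditions and are unaffected) and makes any failed rule insertion visible to the updown plugin. Separately, the CIDR and protocol expansions (`$TUN_NAME`, `$PLUTO_PEER_PROTOCOL`, `$PLUTO_MY_CLIENT`, `$PLUTO_PEER_CLIENT`) can be double-quoted; only `$S_MY_PORT`, `$D_MY_PORT`, `$S_PEER_PORT` and `$D_PEER_PORT` rely on word-splitting into two arguments and must stay unquoted, which deserves a one-line comment. The identical script is added again for sun in the `hosts/sun/etc/updown` hunk below (same blob), so the same change applies there.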
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici ker_nel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-libipsec {
+ raw_esp = yes
+ }
+ }
+}
diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..36229552b5
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /etc/updown
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown
new file mode 100755
index 0000000000..682ccc701e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown
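Review bot: The `charon-systemd` `load` line on sun names `ker_nel-libipsec`, which does not match the plugin configured two lines later in `plugins { kernel-libipsec { raw_esp = yes } }` nor the `kernel-libipsec` entry in moon's counterpart file. If this is not a rendering artifact of the page, charon on sun will fail to load the userland IPsec backend and `raw_esp` will have no effect; since `kernel-netlink` is also loaded, the SAs would probably be installed in the native kernel stack instead, so the ping and the ESP tcpdump checks in evaltest.dat could still pass while the scenario silently stops exercising libipsec on sun. Suggested: `load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown`.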
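Review bot: The `net-net` child on sun sets `updown` twice, `updown = /etc/updown` followed by `updown = /usr/local/libexec/ipsec/_updown iptables`; a duplicated key in a settings section resolves to a single value, so one of the two scripts never runs. If the later assignment wins, the custom `/etc/updown` that this commit also adds for sun (the one inserting `-o ipsec0` FORWARD rules) is dead configuration and sun's firewall rules come from the stock `_updown iptables` instead, which diverges from moon's swanctl.conf where only `/etc/updown` is configured. Dropping the `updown = /usr/local/libexec/ipsec/_updown iptables` line keeps the two gateways symmetric and makes the intended script unambiguous.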
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client)
+ iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client)
+ iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert-raw/posttest.dat b/testing/tests/libipsec/net2net-cert-raw/posttest.dat
new file mode 100644
index 0000000000..cc6a5bff73
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert-raw/pretest.dat b/testing/tests/libipsec/net2net-cert-raw/pretest.dat
new file mode 100644
index 0000000000..2d3c8c1e20
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/libipsec/net2net-cert-raw/test.conf b/testing/tests/libipsec/net2net-cert-raw/test.conf
new file mode 100644
index 0000000000..87abc763b9
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-raw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1