From: Tobias Brunner
Date: Thu, 17 Jun 2021 15:03:39 +0000 (+0200)
Subject: testing: Migrate ikev2/host2host-transport-nat scenario to vici
X-Git-Tag: 5.9.3dr4~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d8890767c3a1899a4eb6b725cdfc4495720cb34;p=thirdparty%2Fstrongswan.git

testing: Migrate ikev2/host2host-transport-nat scenario to vici

This also restores the test as it was before the referenced commit so it again, as written in the description, demonstrates that venus is unable to ping sun without IPsec tunnel.

Fixes: f27fb58ae0ec ("testing: Update description and test evaluation of host2host-transport-nat")
---
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
deleted file mode 100644
index 4d0a63d800..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 8679a23a41..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 281da123f7..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 11b0b2db97..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- right=%any
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 281da123f7..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 281da123f7..0000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
similarity index 82%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
rename to testing/tests/ikev2/host2host-transport-nat/description.txt
index fc7186c53f..71e151ca62 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -1,6 +1,6 @@
 An IPsec transport-mode connection between the natted host alice and gateway sun
-is successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+is successfully set up. The updown script automatically inserts iptables-based firewall
+rules that let pass the protected traffic. In order to test the host-to-host tunnel
 alice pings sun.
Note: This scenario also demonstrates two problems with transport-mode and NAT traversal:
    diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
new file mode 100644
index 0000000000..1f4ea65645
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -0,0 +1,16 @@
+alice::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+# this won't work due to the IPsec policy on sun for the NAT's public IP
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::expect-connection host-host
+venus::swanctl --initiate --child host-host 2> /dev/null
+venus::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON 
remote-port=.* remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+# now traffic goes via the newer SA between sun and venus
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000000..ad4c18e437
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e760a20223
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
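Review bot: The third line of this hunk, `alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES`, is the only ping in the file without `-W 1`; the other four bound the wait to one second, so for consistency and a bounded runtime if the first SA is not yet installed it could read `alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES`. The second sun line pins `remote-port=4500` for alice's SA while the later sun line matches `remote-port=.*` for venus'; presumably the NAT on moon maps the second client's UDP 4500 to a different public port, and a comment above that line such as `# the NAT on moon maps venus' port 4500 to a different public port` would save the next reader the inference. This hunk is the whole new file.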
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..ad4c18e437
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..01b5ac28da
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+ host-host {
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf
rename to testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
new file mode 100644
index 0000000000..ad4c18e437
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..0fdb9b25b5
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
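Review bot: The `remote` section of sun's host-host connection sets only `auth = pubkey` with no `id`, so sun accepts any peer whose certificate chains to a trusted CA; that is what lets both alice and venus come in on the same connection and is the point of the scenario, but the file does not say so. A comment on that section, e.g. `# no remote id: any peer with a CA-issued certificate is accepted (alice and venus), the swanctl equivalent of the former right=%any`, would make the intent explicit for readers who use these scenarios as configuration templates. The alice and venus swanctl.conf hunks pin `id = sun.strongswan.org` on their remote sections, so the asymmetry looks deliberate.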
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
rename to testing/tests/ikev2/host2host-transport-nat/posttest.dat
index 80a3c7b7db..58df9091d0 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
@@ -1,6 +1,6 @@
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
similarity index 60%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
rename to testing/tests/ikev2/host2host-transport-nat/pretest.dat
index f7054cda05..222eee5e07 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -4,11 +4,9 @@ sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
 moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection nat-t
-alice::expect-connection nat-t
-alice::ipsec up nat-t
-venus::expect-connection nat-t
-venus::ipsec up nat-t
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection host-host
+alice::expect-connection host-host
+alice::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf b/testing/tests/ikev2/host2host-transport-nat/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
rename to testing/tests/ikev2/host2host-transport-nat/test.conf
index 8c2facefd5..817550391d 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
+++ b/testing/tests/ikev2/host2host-transport-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun alice venus moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1