From: Andreas Steffen Date: Fri, 8 Mar 2024 16:15:35 +0000 (+0100) Subject: testing: Added RFC4806 tests X-Git-Tag: 5.9.14rc1~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f8275ababa99238887071d175ca76cd3801fa35;p=thirdparty%2Fstrongswan.git testing: Added RFC4806 tests --- diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot index 6321845edf..4cd8d74bdb 100755 --- a/testing/scripts/build-certs-chroot +++ b/testing/scripts/build-certs-chroot @@ -675,7 +675,7 @@ cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem # Put a copy into the following ikev2 scenarios for t in ocsp-timeouts-good ocsp-disabled ocsp-no-signer-cert ocsp-root-cert \ - ocsp-untrusted-cert + ocsp-untrusted-cert ocsp-rfc4806-signer ocsp-rfc4806-both do TEST="${TEST_DIR}/ikev2/${t}" mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa @@ -707,12 +707,15 @@ pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \ --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \ --outform pem > ${TEST_CERT} -# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario -TEST="${TEST_DIR}/ikev2/ocsp-local-cert" -mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp -mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp -cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp -cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp +# Put a copy into the following ikev2 scenarios +for t in ocsp-local-cert ocsp-rfc4806-local +do + TEST="${TEST_DIR}/ikev2/${t}" + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp + mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp + cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp + cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp +done # Generate mars virtual server certificate TEST="${TEST_DIR}/ha/both-active" diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/description.txt b/testing/tests/ikev2/ocsp-rfc4806-both/description.txt new file mode 100644 index 0000000000..e1645872bd 
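Review bot: In the second hunk the new loop body passes `${TEST}`, `${TEST_CERT}` and `${SWANCTL_DIR}` unquoted to `mkdir -p` and `cp`, which ShellCheck reports as SC2086; the surrounding script does the same, but these rewritten lines are the natural place to start quoting, e.g. `mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp"` and `cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp"`. Neither `cp` result is checked, so a missing or unwritable scenario directory would surface only later as a failing scenario rather than at certificate-build time; whether the script runs under `set -e` is not visible in these hunks. The first hunk only extends a literal `for` list and needs nothing. The enclosing script begins and ends outside both hunks.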
--- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/description.txt @@ -0,0 +1,15 @@ +By setting revocation = strict in swanctl.conf, a strict CRL policy +is enforced on both roadwarrior carol and gateway moon. +

+Based on RFC 4806, both carol and moon send an OCSP request via an +IKEv2 CERTREQ payload to their peer which in turn requests online status information +on its own certificate from the OCSP server winnetou on behalf of the other +peer. The OCSP server winnetou possesses an OCSP signer certificate containing +an OCSPSigning Extended Key Usage (EKU) flag issued by the strongSwan CA. +

+carol's certificate includes an OCSP URI in an authority information +access extension pointing to winnetou. Therefore no special authorities +section information is needed in carol's swanctl.conf. +

+carol can successfully initiate an IPsec connection to moon since +the status of both certificates is good. diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/evaltest.dat b/testing/tests/ikev2/ocsp-rfc4806-both/evaltest.dat new file mode 100644 index 0000000000..235c2bd521 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/evaltest.dat 
@@ -0,0 +1,17 @@
+moon::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::received empty OCSP cert request::YES
+moon:: cat /var/log/daemon.log::received OCSP response issued by::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::2
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::sending OCSP status for certificate::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::NO
+carol::cat /var/log/daemon.log::received empty OCSP cert request::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::sending OCSP status for certificate::YES
+carol::cat /var/log/daemon.log::received OCSP response issued by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::2
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL 
protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..d4a7a8060f --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..da9df295db --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = both + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..6da01ed6f8 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} 
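Review bot: The signature assertions in this evaltest are weaker than the scenario's own flow implies: moon expects `ocsp response is valid::2` but only `ocsp response correctly signed by::YES`, and carol expects `ocsp response is valid::2` with no `correctly signed by` line at all, so a run in which one of the two responses was accepted without a verified signature would still pass. Tightening moon's line to `moon:: cat /var/log/daemon.log::ocsp response correctly signed by::2` and adding `carol::cat /var/log/daemon.log::ocsp response correctly signed by::2` would pin that both responses were signature-verified, assuming the response received via CERTREQ is logged with the same message (if not, the count should follow the actual log line). The ocsp-rfc4806-local evaltest anchors the same pattern to the expected signer (`correctly signed by.*OCSP Self-Signed Authority`); doing the same here and in the ocsp-rfc4806-signer evaltest with the EKU signer's subject (`<OCSP signer CN>`, not on this page) would also catch a regression where the response is accepted from a different trusted signer. carol's missing signature check applies equally to the ocsp-rfc4806-signer evaltest hunk later in this diff.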
diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..2698ad57a5 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = both + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/posttest.dat b/testing/tests/ikev2/ocsp-rfc4806-both/posttest.dat new file mode 100644 index 0000000000..20a78fa78f --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/posttest.dat @@ -0,0 +1,3 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/pretest.dat b/testing/tests/ikev2/ocsp-rfc4806-both/pretest.dat new file mode 100644 index 0000000000..87be755a3c --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/pretest.dat @@ -0,0 +1,5 @@ +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home diff --git a/testing/tests/ikev2/ocsp-rfc4806-both/test.conf b/testing/tests/ikev2/ocsp-rfc4806-both/test.conf new file mode 100644 index 0000000000..c5b3ecc435 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-both/test.conf 
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/description.txt b/testing/tests/ikev2/ocsp-rfc4806-local/description.txt
new file mode 100644
index 0000000000..1e141d9c2d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-rfc4806-local/description.txt
@@ -0,0 +1,15 @@
+By setting revocation = strict in swanctl.conf, a strict CRL policy
+is enforced on both roadwarrior carol and gateway moon.
+

+Based on RFC 4806, carol sends an OCSP request via an IKEv2 CERTREQ payload to +gateway moon which in turn requests online status information on its own +certificate from the OCSP server winnetou on behalf of carol. +The OCSP server winnetou possesses a self-signed OCSP signer certificate +that must be imported locally by the peers into the /etc/swanctl/x509ocsp/ +directory. +

+An authorities section in moon's swanctl.conf defines an OCSP URI +pointing to the OCSP server winnetou. +

+carol can successfully initiate an IPsec connection to moon since +the status of both certificates is good. diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/evaltest.dat b/testing/tests/ikev2/ocsp-rfc4806-local/evaltest.dat new file mode 100644 index 0000000000..c213dd785c --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/evaltest.dat 
@@ -0,0 +1,14 @@
+moon::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::received OCSP cert request claiming trust for::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status from::2
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*OCSP Self-Signed Authority::2
+moon:: cat /var/log/daemon.log::ocsp response is valid::2
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::sending OCSP status for certificate::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::NO
+carol::cat /var/log/daemon.log::sending OCSP cert request with self-signed OCSP-signer::YES
+carol::cat /var/log/daemon.log::received OCSP response issued by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..d4a7a8060f --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..9df836eb8b --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = request + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..6da01ed6f8 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} 
diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..5b2eb88609 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = reply + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/winnetou/etc/ca/ocsp/ocsp.cgi new file mode 100755 index 0000000000..bf76e6a750 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/hosts/winnetou/etc/ca/ocsp/ocsp.cgi @@ -0,0 +1,9 @@ +#!/bin/bash + +cd /etc/ca + +echo "Content-type: application/ocsp-response" +echo "" + +cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \ + --cert ocspCert-self.pem --key ocspKey-self.pem --lifetime 5 --debug 0 diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/posttest.dat b/testing/tests/ikev2/ocsp-rfc4806-local/posttest.dat new file mode 100644 index 0000000000..6e84fa99ec --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-local/posttest.dat @@ -0,0 +1,4 @@ +carol::systemctl stop strongswan +moon::systemctl stop strongswan +carol::rm /etc/swanctl/x509ocsp/* +moon::rm /etc/swanctl/x509ocsp/* \ No newline at end of file diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/pretest.dat b/testing/tests/ikev2/ocsp-rfc4806-local/pretest.dat new file mode 100644 index 0000000000..87be755a3c --- /dev/null 
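Review bot: `cd /etc/ca` in ocsp.cgi is unchecked, so if it fails the script has already emitted the `Content-type` header and then runs `pki` from whatever directory the web server uses, with the relative `--cacert`, `--index`, `--cert` and `--key` paths resolving there; the client gets a 200 with an empty or wrong body and the failure is only visible as a later evaltest mismatch. `cd /etc/ca || exit 1` closes that, and `cat |` is redundant because `pki --ocsp --respond` already reads the request from the inherited stdin, so the last command can simply begin with `pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \`. The `--lifetime 5` keeps responses short-lived, which fits the peers' `revocation = strict` settings in the swanctl.conf hunks of this scenario.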
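Review bot: The ocsp-rfc4806-local posttest stops strongswan without first running `carol::swanctl --terminate --ike home`, unlike the posttest files of the ocsp-rfc4806-both and ocsp-rfc4806-signer scenarios added in this same commit; if the omission is not deliberate, add that line before the two stop commands. The cleanup `rm /etc/swanctl/x509ocsp/*` errors if the directory is already empty; `rm -f /etc/swanctl/x509ocsp/*` on both hosts is the usual form. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.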
+++ b/testing/tests/ikev2/ocsp-rfc4806-local/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2/ocsp-rfc4806-local/test.conf b/testing/tests/ikev2/ocsp-rfc4806-local/test.conf
new file mode 100644
index 0000000000..c5b3ecc435
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-rfc4806-local/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/description.txt b/testing/tests/ikev2/ocsp-rfc4806-signer/description.txt
new file mode 100644
index 0000000000..5f8a7a82e0
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-rfc4806-signer/description.txt
@@ -0,0 +1,16 @@
+By setting revocation = strict in swanctl.conf, a strict CRL policy
+is enforced on both roadwarrior carol and gateway moon.
+

+Based on RFC 4806, carol sends an OCSP request via an IKEv2 CERTREQ payload to +gateway moon which in turn requests online status information on its own +certificate from the OCSP server winnetou on behalf of carol. +The OCSP server winnetou possesses an OCSP signer certificate containing an +OCSPSigning Extended Key Usage (EKU) flag issued by the strongSwan CA. +

+Even though carol's certificate includes an OCSP URI in an authority +information access extension pointing to winnetou, gateway moon still +needs a special authorities section in swanctl.conf in order to be able to request +an OCSP response for its own certificate since that is lacking an OCSP URI. +

+carol can successfully initiate an IPsec connection to moon since +the status of both certificates is good. diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/evaltest.dat b/testing/tests/ikev2/ocsp-rfc4806-signer/evaltest.dat new file mode 100644 index 0000000000..62a114cf9c --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/evaltest.dat 
@@ -0,0 +1,13 @@
+moon::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::received empty OCSP cert request::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::2
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::2
+moon:: cat /var/log/daemon.log::ocsp response is valid::2
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::sending OCSP status for certificate::YES
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::NO
+carol::cat /var/log/daemon.log::received OCSP response issued by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..d4a7a8060f --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..425dda8047 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = request + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..6da01ed6f8 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default +} 
diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..87cd5c792e --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + ocsp = reply + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + ocsp_uris = http://ocsp.strongswan.org:8880 + } +} diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/posttest.dat b/testing/tests/ikev2/ocsp-rfc4806-signer/posttest.dat new file mode 100644 index 0000000000..20a78fa78f --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/posttest.dat @@ -0,0 +1,3 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan +moon::systemctl stop strongswan diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/pretest.dat b/testing/tests/ikev2/ocsp-rfc4806-signer/pretest.dat new file mode 100644 index 0000000000..87be755a3c --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/pretest.dat @@ -0,0 +1,5 @@ +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home diff --git a/testing/tests/ikev2/ocsp-rfc4806-signer/test.conf b/testing/tests/ikev2/ocsp-rfc4806-signer/test.conf new file mode 100644 index 0000000000..c5b3ecc435 --- /dev/null +++ b/testing/tests/ikev2/ocsp-rfc4806-signer/test.conf 
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1