From: Andreas Steffen Date: Fri, 27 Mar 2015 09:56:50 +0000 (+0100) Subject: Added tnc/tnccs-20-pt-tls scenario X-Git-Tag: 5.3.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85aa509e84aaebe49a98981941f8514f31872c3f;p=thirdparty%2Fstrongswan.git Added tnc/tnccs-20-pt-tls scenario --- diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt new file mode 100644 index 0000000000..6c79b8c490 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt @@ -0,0 +1,3 @@ +The hosts moon and sun do mutual TNC measurements over IKEv2-EAP +using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat similarity index 81% rename from testing/tests/tnc/tnccs-20-mutual/evaltest.dat rename to testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat index 218c24e4fe..0ef7b5d7d5 100644 --- a/testing/tests/tnc/tnccs-20-mutual/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat @@ -1,3 +1,5 @@ +moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/ipsec.conf rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf similarity index 86% rename from testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/strongswan.conf rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf index 4e1693c16c..953e7fcead 100644 --- a/testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no plugins { diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/hosts/moon/etc/tnc_config rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/ipsec.conf rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf similarity index 88% rename from testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/strongswan.conf rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf index 66f91a6fc7..570126a0e4 100644 --- a/testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no plugins { diff --git a/testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/hosts/sun/etc/tnc_config rename to testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config diff --git a/testing/tests/tnc/tnccs-20-mutual/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/posttest.dat rename to testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat diff --git a/testing/tests/tnc/tnccs-20-mutual/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/pretest.dat rename to testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat diff --git a/testing/tests/tnc/tnccs-20-mutual/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf similarity index 100% rename from testing/tests/tnc/tnccs-20-mutual/test.conf rename to testing/tests/tnc/tnccs-20-mutual-eap/test.conf diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt new file mode 100644 index 0000000000..09ab8e9f17 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt @@ -0,0 +1,3 @@ +The hosts moon and sun do mutual TNC measurements using the +PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat new file mode 100644 index 0000000000..eb996192d0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::PT-TLS authentication complete::YES +sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES +sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf new file mode 100644 index 0000000000..98c415edb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +/* configuration is read from /etc/pts/options */ diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options new file mode 100644 index 0000000000..79ae1e8662 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options @@ -0,0 +1,8 @@ +--connect sun.strongswan.org +--client moon.strongswan.org +--key /etc/ipsec.d/private/moonKey.pem +--cert /etc/ipsec.d/certs/moonCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--mutual +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..fafdac4aa3 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pt-tls-client { + load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config new file mode 100644 index 0000000000..476e8807e6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf new file mode 100644 index 0000000000..ba629a24fd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn pdp + leftcert=sunCert.pem + leftid=sun.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf new file mode 100644 index 0000000000..05ffdb1780 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 + + plugins { + tnc-pdp { + server = sun.strongswan.org + radius { + enable = no + } + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config new file mode 100644 index 0000000000..476e8807e6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat new file mode 100644 index 0000000000..e6ccb14fee --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -0,0 +1 @@ +sun::ipsec stop diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat new file mode 100644 index 0000000000..fab55d11a3 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -0,0 +1,4 @@ +sun::ipsec start +moon::cat /etc/pts/options +moon::sleep 1 +moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf new file mode 100644 index 0000000000..55d6e9fd6a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-20-mutual/description.txt b/testing/tests/tnc/tnccs-20-mutual/description.txt deleted file mode 100644 index 6f01c22d50..0000000000 --- a/testing/tests/tnc/tnccs-20-mutual/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -The hosts moon and sun do mutual TNC measurements using the -PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on X.509 -certificates.