From: Andreas Steffen Date: Mon, 1 Apr 2019 14:21:10 +0000 (+0200) Subject: testing: Script building fresh certificates X-Git-Tag: 5.8.0rc1~5^2~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8db01c6a3f28d4eb56da83652727fd0423fada30;p=thirdparty%2Fstrongswan.git testing: Script building fresh certificates --- diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf index fb9e984241..d160c3eb8b 100644 --- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf +++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf @@ -6,11 +6,11 @@ AddHandler cgi-script .cgi ServerAdmin root@strongswan.org - DocumentRoot /etc/openssl/ocsp + DocumentRoot /etc/ca/ocsp ServerName ocsp.strongswan.org ServerAlias 192.168.0.150 DirectoryIndex ocsp.cgi - + Options +ExecCGI Require all granted @@ -22,11 +22,11 @@ Listen 8881 ServerAdmin root@research.strongswan.org - DocumentRoot /etc/openssl/research/ocsp + DocumentRoot /etc/ca/research/ocsp ServerName ocsp.research.strongswan.org ServerAlias ocsp.strongswan.org 192.168.0.150 DirectoryIndex ocsp.cgi - + Options +ExecCGI Require all granted @@ -38,11 +38,11 @@ Listen 8882 ServerAdmin root@sales.strongswan.org - DocumentRoot /etc/openssl/sales/ocsp + DocumentRoot /etc/ca/sales/ocsp ServerName ocsp.sales.strongswan.org ServerAlias ocsp.strongswan.org 192.168.0.150 DirectoryIndex ocsp.cgi - + Options +ExecCGI Require all granted diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl new file mode 100755 index 0000000000..39db1af635 --- /dev/null +++ b/testing/hosts/winnetou/etc/ca/generate-crl 
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+export LEAK_DETECTIVE_DISABLE=1
+
+ROOT="/var/www"
+
+##
+# strongSwan Root CA
+cd /etc/ca
+
+# copy strongsSwan CA certificate
+cp strongswanCert.pem ${ROOT}
+cp strongswanCert.der ${ROOT}
+
+# generate CRL for strongSwan Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ --lastcrl strongswan.crl > ${ROOT}/strongswan.crl
+
+# revoke moon's current certificate
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ --reason key-compromise --serial 03 \
+ --lastcrl ${ROOT}/strongswan.crl > ${ROOT}/strongswan_moon_revoked.crl
+
+# generate a base CRL
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ --crluri http://crl.strongswan.org/strongswan_delta.crl \
+ --lastcrl strongswan.crl --lifetime 30 > ${ROOT}/strongswan_base.crl
+
+# generate a delta CRL revoking moon's current cert
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ --basecrl ${ROOT}/strongswan_base.crl --reason key-compromise \
+ --serial 03 --lifetime 15 > ${ROOT}/strongswan_delta.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs"
+for cert in `ls certs`
+do
+ openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+ mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# Research CA
+cd /etc/ca/research
+
+# copy Research CA certificate
+cp researchCert.pem ${ROOT}
+cp researchCert.der ${ROOT}
+
+# generate CRL for Research CA
+pki --signcrl --cakey researchKey.pem --cacert researchCert.pem \
+ > ${ROOT}/research.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs/research"
+for cert in `ls certs`
+do
+ openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+ mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# Sales CA
+cd /etc/ca/sales
+
+# copy Sales CA certificate
+cp salesCert.pem ${ROOT}
+cp salesCert.der ${ROOT}
+
+# generate CRL for Sales CA
+pki --signcrl --cakey salesKey.pem --cacert salesCert.pem \
+ > ${ROOT}/sales.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs/sales"
+for cert in `ls certs`
+do
+ openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+ mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# strongSwan EC Root CA
+cd /etc/ca/ecdsa
+
+# copy ECDSA CA certificate
+cp strongswanCert.pem ${ROOT}/strongswan_ecdsaCert.pem
+openssl ec -in strongswanKey.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der
+chmod a+r ${ROOT}/strongswan_ecdsaCert.der
+
+# generate CRL for strongSwan EC Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ > ${ROOT}/strongswan_ecdsa.crl
+
+##
+# strongSwan RFC3779 Root CA
+cd /etc/ca/rfc3779
+
+# generate CRL for strongSwan RFC3779 Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ > ${ROOT}/strongswan_rfc3779.crl
+
+##
+# strongSwan SHA3-RSA Root CA
+cd /etc/ca/sha3-rsa
+
+# generate CRL for strongSwan SHA3-RSA Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ --digest sha3_256 > ${ROOT}/strongswan_sha3_rsa.crl
+
+##
+# strongSwan Ed25519 Root CA
+cd /etc/ca/ed25519
+
+# generate CRL for strongSwan Ed25519 Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ > ${ROOT}/strongswan_ed25519.crl
+
+##
+# strongSwan Monster Root CA
+cd /etc/ca/monster
+
+# generate CRL for strongSwan Monster Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ > ${ROOT}/strongswan_monster.crl
+
+##
+# strongSwan BlISS Root CA
+cd /etc/ca/bliss
+
+# generate CRL for strongSwan BLISS Root CA
+pki --signcrl --cakey strongswan_blissKey.der --cacert strongswan_blissCert.der \
+ --lifetime 30 --digest sha3_512 > ${ROOT}/strongswan_bliss.crl
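Review bot: The line `openssl ec -in strongswanKey.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der` in the EC Root CA section converts the CA's private key, not its certificate: `openssl ec` operates on EC keys, and without `-pubout` it emits the private key, so the file placed under a certificate name in the web root, and made world-readable by the following `chmod a+r`, would contain the CA signing key. The certificate conversion used everywhere else in this script is the right form here too: `openssl x509 -in strongswanCert.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der`. Separately, the three `for cert in \`ls certs\`` loops parse `ls` output; `for cert in certs/*` with `${cert##*/}` is the robust form. The script also runs without `set -e`, so a failed `cd` leaves the following `pki` commands signing with whatever key sits in the previous directory; `cd /etc/ca/ecdsa || exit 1` on each section would stop that.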
diff --git a/testing/hosts/winnetou/etc/ca/index.html b/testing/hosts/winnetou/etc/ca/index.html new file mode 100644 index 0000000000..9de0590191 --- /dev/null +++ b/testing/hosts/winnetou/etc/ca/index.html @@ -0,0 +1,58 @@ + + + strongSwan Web Services + + + + + + + +
+

strongSwan Testing Environment

+ + + + + +

strongSwan Certification Authorities

+ + + + +
+
The strongSwan Project (www.strongswan.org)
+
+ diff --git a/testing/hosts/winnetou/etc/ca/index.txt.template b/testing/hosts/winnetou/etc/ca/index.txt.template new file mode 100644 index 0000000000..8feccc8516 --- /dev/null +++ b/testing/hosts/winnetou/etc/ca/index.txt.template 
@@ -0,0 +1,22 @@ +V EE_EXPIRATION 01 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org +V EE_EXPIRATION 02 unknown /C=CH/O=strongSwan Project/OU=Accounting/CN=dave@strongswan.org +V EE_EXPIRATION 03 unknown /C=CH/O=strongSwan Project/CN=moon.strongswan.org +V EE_EXPIRATION 04 unknown /C=CH/O=strongSwan Project/CN=sun.strongswan.org +V EE_EXPIRATION 05 unknown /C=CH/O=strongSwan Project/OU=Sales/CN=alice@strongswan.org +V EE_EXPIRATION 06 unknown /C=CH/O=strongSwan Project/CN=venus.strongswan.org +V EE_EXPIRATION 07 unknown /C=CH/O=strongSwan Project/OU=Research/CN=bob@strongswan.org +R EE_EXPIRATION REVOCATION,keyCompromise 08 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org +V EE_EXPIRATION 09 unknown /C=CH/O=strongSwan Project/OU=Research/serialNumber=002/CN=carol@strongswan.org +R IM_EXPIRATION REVOCATION,CACompromise 0A unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA +V IM_EXPIRATION 0B unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA +V IM_EXPIRATION 0C unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA +V EE_EXPIRATION 0D unknown /C=CH/O=strongSwan Project/OU=SHA-224/CN=moon.strongswan.org +V EE_EXPIRATION 0E unknown /C=CH/O=strongSwan Project/OU=SHA-384/CN=carol@strongswan.org +V EE_EXPIRATION 0F unknown /C=CH/O=strongSwan Project/OU=SHA-512/CN=dave@strongswan.org +V EE_EXPIRATION 10 unknown /C=CH/O=strongSwan Project/OU=OCSP/CN=carol@strongswan.org +V EE_EXPIRATION 11 unknown /C=CH/O=strongSwan Project/OU=OCSP Signing Authority/CN=ocsp.strongswan.org +V EE_EXPIRATION 12 unknown /C=CH/O=strongSwan Project/OU=Virtual VPN Gateway/CN=mars.strongswan.org +V EE_EXPIRATION 13 unknown /C=CH/O=strongSwan Project/CN=winnetou.strongswan.org +V EE_EXPIRATION 14 unknown /C=CH/O=strongSwan Project/CN=aaa.strongswan.org +V IM_EXPIRATION 15 unknown /C=CH/O=strongSwan Project/CN=strongSwan Attribute Authority +V SH_EXPIRATION 16 unknown /C=CH/O=strongSwan Project/CN=strongSwan Legacy AA 
diff --git a/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755
index 0000000000..230bbf346c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/ca/research/index.txt.template b/testing/hosts/winnetou/etc/ca/research/index.txt.template
new file mode 100644
index 0000000000..f9ca26b59d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ca/research/index.txt.template
@@ -0,0 +1,4 @@
+V EE_EXPIRATION 01 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
+V EE_EXPIRATION 02 unknown /C=CH/O=strongSwan Project/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V EE_EXPIRATION 03 unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA
+V EE_EXPIRATION 04 unknown /C=CH/O=strongSwan Project/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
new file mode 100755
index 0000000000..4154f5d823
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca/research
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/ca/sales/index.txt.template b/testing/hosts/winnetou/etc/ca/sales/index.txt.template
new file mode 100644
index 0000000000..5bc935f30c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ca/sales/index.txt.template
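Review bot: `cd /etc/ca` on the third line of ocsp.cgi is unchecked, and every path the responder uses afterwards (`index.txt`, `strongswanCert.pem`, `ocspKey.pem`, `ocspCert.pem`) is relative, so if the directory is missing or not readable by the web server user, `openssl ocsp` runs in the CGI's default working directory after the headers have already been sent and the client receives a 200 with an empty body; `cd /etc/ca || exit 1` fails the request visibly instead. The same applies to `cd /etc/ca/research` in research/ocsp/ocsp.cgi and `cd /etc/ca/sales` in sales/ocsp/ocsp.cgi. The `cat |` in front of `openssl ocsp` and the `| cat` after it are no-ops that only hide the responder's exit status behind the pipeline; `-reqin /dev/stdin -respout /dev/stdout` on its own does the same work.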
@@ -0,0 +1,3 @@
+V EE_EXPIRATION 01 unknown /C=CH/O=strongSwan Project/OU=Sales/CN=dave@strongswan.org
+V EE_EXPIRATION 02 unknown /C=CH/O=strongSwan Project/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V EE_EXPIRATION 03 unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
new file mode 100755
index 0000000000..05d304dc3c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca/sales
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/ldap/ldif.txt b/testing/hosts/winnetou/etc/ldap/ldif.txt
index d06621adb2..c3c27cc2f7 100644
--- a/testing/hosts/winnetou/etc/ldap/ldif.txt
+++ b/testing/hosts/winnetou/etc/ldap/ldif.txt
@@ -1,39 +1,39 @@
-dn: o=Linux strongSwan, c=CH
+dn: o=strongSwan Project, c=CH
 objectclass: organization
-o: Linux strongSwan
+o: strongSwan Project
-dn: cn=Manager,o=Linux strongSwan, c=CH
+dn: cn=Manager,o=strongSwan Project, c=CH
 objectclass: organizationalRole
 cn: Manager
-dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
+dn: cn=strongSwan Root CA, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: strongSwan Root CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
-certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
-cACertificate;binary:< file:///etc/openssl/strongswanCert.der
+authorityRevocationList;binary:< file:///var/www/strongswan.crl
+certificateRevocationList;binary:< file:///var/www/strongswan.crl
+cACertificate;binary:< file:///var/www/strongswanCert.der
-dn: ou=Research, o=Linux strongSwan, c=CH
+dn: ou=Research, o=strongSwan Project, c=CH
 objectclass: organizationalUnit
 ou: Research
-dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
+dn: cn=Research CA, ou=Research, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: Research CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
-certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
-cACertificate;binary:< file:///etc/openssl/research/researchCert.der
+authorityRevocationList;binary:< file:///var/www/research.crl
+certificateRevocationList;binary:< file:///var/www/research.crl
+cACertificate;binary:< file:///var/www/researchCert.der
-dn: ou=Sales, o=Linux strongSwan, c=CH
+dn: ou=Sales, o=strongSwan Project, c=CH
 objectclass: organizationalUnit
 ou: Sales
-dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
+dn: cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: Sales CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
+authorityRevocationList;binary:< file:///var/www/sales.crl
+certificateRevocationList;binary:< file:///var/www/sales.crl
+cACertificate;binary:< file:///var/www/salesCert.der
diff --git a/testing/hosts/winnetou/etc/ldap/slapd.conf b/testing/hosts/winnetou/etc/ldap/slapd.conf
index 103d4573f9..17a32c7f3a 100644
--- a/testing/hosts/winnetou/etc/ldap/slapd.conf
+++ b/testing/hosts/winnetou/etc/ldap/slapd.conf
@@ -15,8 +15,8 @@ argsfile /var/run/openldap/slapd.args #######################################################################
 database bdb
-suffix "o=Linux strongSwan,c=CH"
-rootdn "cn=Manager,o=Linux strongSwan,c=CH"
+suffix "o=strongSwan Project,c=CH"
+rootdn "cn=Manager,o=strongSwan Project,c=CH"
 checkpoint 32 30
 rootpw tuxmux
 directory /var/lib/ldap
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
deleted file mode 100644
index 8cbb2c4828..0000000000
--- a/testing/hosts/winnetou/etc/openssl/index.html
+++ /dev/null
@@ -1,36 +0,0 @@ - - - strongSwan Web Services - - - - - - - -
-

strongSwan Certification Authority

- - - -

strongSwan Testing Environment

- - - - -
-
Linux strongSwan (www.strongswan.org)
-
- diff --git a/testing/hosts/winnetou/etc/strongswan.conf b/testing/hosts/winnetou/etc/strongswan.conf index a69df79abd..ad718b599e 100644 --- a/testing/hosts/winnetou/etc/strongswan.conf +++ b/testing/hosts/winnetou/etc/strongswan.conf @@ -1,5 +1,5 @@ # strongswan.conf - strongSwan configuration file pki { - load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509 + load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509 openssl } diff --git a/testing/scripts/build-certs b/testing/scripts/build-certs new file mode 100755 index 0000000000..649ea776a1 --- /dev/null +++ b/testing/scripts/build-certs 
@@ -0,0 +1,1585 @@ +#!/bin/bash + +echo "Building certificates" + +# Determine testing directory +DIR="$(dirname `readlink -f $0`)/.." + +# Define some global variables +PROJECT="strongSwan Project" +CA_DIR="${DIR}/hosts/winnetou/etc/ca" +CA_KEY="${CA_DIR}/strongswanKey.pem" +CA_CERT="${CA_DIR}/strongswanCert.pem" +CA_CRL="${CA_DIR}/strongswan.crl" +CA_LAST_CRL="${CA_DIR}/strongswan_last.crl" +CA_CDP="http://crl.strongswan.org/strongswan.crl" +CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl" +CA_OCSP="http://ocsp.strongswan.org:8880" +# +START=`date -d "-2 day" "+%d.%m.%y %T"` +SH_END=`date -d "-1 day" "+%d.%m.%y %T"` # 1 day +CA_END=`date -d "+3651 day" "+%d.%m.%y %T"` # 10 years +IM_END=`date -d "+3286 day" "+%d.%m.%y %T"` # 9 years +EE_END=`date -d "+2920 day" "+%d.%m.%y %T"` # 8 years +SH_EXP=`date -d "-1 day" "+%y%m%d%H%M%SZ"` # 1 day +IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"` # 9 years +EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"` # 8 years +NOW=`date "+%y%m%d%H%M%SZ"` +# +RESEARCH_DIR="${CA_DIR}/research" +RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem" +RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem" +RESEARCH_CDP="http://crl.strongswan.org/research.crl" +# +SALES_DIR="${CA_DIR}/sales" +SALES_KEY="${SALES_DIR}/salesKey.pem" +SALES_CERT="${SALES_DIR}/salesCert.pem" +SALES_CDP="http://crl.strongswan.org/sales.crl" +# +DUCK_DIR="${CA_DIR}/duck" +DUCK_KEY="${DUCK_DIR}/duckKey.pem" +DUCK_CERT="${DUCK_DIR}/duckCert.pem" +# +ECDSA_DIR="${CA_DIR}/ecdsa" +ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem" +ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem" +ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl" +# +RFC3779_DIR="${CA_DIR}/rfc3779" +RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem" +RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem" +RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl" +# +SHA3_RSA_DIR="${CA_DIR}/sha3-rsa" +SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem" +SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem" 
+SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl" +# +ED25519_DIR="${CA_DIR}/ed25519" +ED25519_KEY="${ED25519_DIR}/strongswanKey.pem" +ED25519_CERT="${ED25519_DIR}/strongswanCert.pem" +ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl" +# +MONSTER_DIR="${CA_DIR}/monster" +MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem" +MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem" +MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl" +MONSTER_CA_RSA_SIZE="8192" +MONSTER_EE_RSA_SIZE="4096" +# +BLISS_DIR="${CA_DIR}/bliss" +BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der" +BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der" +BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl" +# +RSA_SIZE="3072" +IPSEC_DIR="etc/ipsec.d" +SWANCTL_DIR="etc/swanctl" +TKM_DIR="etc/tkm" +HOSTS="carol dave moon sun alice venus bob" +TEST_DIR="${DIR}/tests" + +# Create directories +mkdir -p ${CA_DIR}/certs +mkdir -p ${RESEARCH_DIR}/certs +mkdir -p ${SALES_DIR}/certs +mkdir -p ${DUCK_DIR}/certs +mkdir -p ${ECDSA_DIR}/certs +mkdir -p ${RFC3779_DIR}/certs +mkdir -p ${SHA3_RSA_DIR}/certs +mkdir -p ${ED25519_DIR}/certs +mkdir -p ${MONSTER_DIR}/certs +mkdir -p ${BLISS_DIR}/certs + +################################################################################ +# strongSwan Root CA # +################################################################################ + +# Generate strongSwan Root CA +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY} +pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \ + --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \ + --outform pem > ${CA_CERT} + +# Distribute strongSwan Root CA certificate +for h in ${HOSTS} +do + HOST_DIR="${DIR}/hosts/${h}" + cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts + cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca +done + +# Put a copy onto the alice FreeRADIUS server +cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs + +# Gernerate a stale 
CRL +pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \ + --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL} + +# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl +TEST="${TEST_DIR}/ikev2/crl-ldap" +cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl +cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl + +# Generate host keys +for h in ${HOSTS} +do + HOST_DIR="${DIR}/hosts/${h}" + HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem" + pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY} + + # Put a copy into swanctl directory tree + cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa +done + +# Convert moon private key and Root CA certificate into DER format +HOST_KEY=${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem +TEST="${TEST_DIR}/tkm/host2host-initiator" +TEST_KEY=${TEST}/hosts/moon/${TKM_DIR}/moonKey.der +TEST_CERT=${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der +openssl rsa -in ${HOST_KEY} -outform der -out ${TEST_KEY} 2> /dev/null +openssl x509 -in ${CA_CERT} -outform der -out ${TEST_CERT} + +# Put DER-encoded moon private key and Root CA certificate into tkm scenarios +for t in host2host-initiator host2host-responder host2host-xfrmproxy \ + net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey +do + TEST="${TEST_DIR}/tkm/${t}" + mkdir -p ${TEST}/hosts/moon/${TKM_DIR} + cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR} +done + +# Put DER_encoded sun private key and Root CA certificate into tkm scenarios +for t in multiple-clients +do + TEST="${TEST_DIR}/tkm/${t}" + mkdir -p ${TEST}/hosts/sun/${TKM_DIR} + cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR} +done + +# Convert moon private key into unencrypted PKCS#8 format +TEST="${TEST_DIR}/ikev2/rw-pkcs8" +HOST_KEY=${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem +TEST_KEY=${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem +openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out 
${TEST_KEY} + +# Convert carol private key into v1.5 DES encrypted PKCS#8 format +HOST_KEY=${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem +TEST_KEY=${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem +openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \ + -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY} + +# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format +HOST_KEY=${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem +TEST_KEY=${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem +openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v2 aes128 \ + -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY} + +################################################################################ +# Public Key Extraction # +################################################################################ + +# Extract the raw moon public key for the swanctl/net2net-pubkey scenario +TEST="${TEST_DIR}/swanctl/net2net-pubkey" +TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem" +HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" +pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} +cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey + +# Put a copy into the ikev2/net2net-pubkey scenario +TEST="${TEST_DIR}/ikev2/net2net-pubkey" +cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs +cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs + +# Put a copy into the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey + +# Put a copy into the swanctl/rw-pubkey-keyid scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid" +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey + +# Extract the raw sun public key for the 
swanctl/net2net-pubkey scenario +TEST="${TEST_DIR}/swanctl/net2net-pubkey" +TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem" +HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem" +pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +# Put a copy into the ikev2/net2net-pubkey scenario +TEST="${TEST_DIR}/ikev2/net2net-pubkey" +cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs +cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs + +# Put a copy into the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +# Extract the raw carol public key for the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem" +HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +# Put a copy into the swanctl/rw-pubkey-keyid scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid" +cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +# Extract the raw dave public key for the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem" +HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem" +pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +# Put a copy into the swanctl/rw-pubkey-keyid scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid" +cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + +################################################################################ +# Host Certificate Generation # 
+################################################################################ + +# function issue_cert: serial host cn [ou] +issue_cert() +{ + # does optional OU argument exist? + if [ -z "${4}" ] + then + OU="" + else + OU=" OU=${4}," + fi + + HOST_DIR="${DIR}/hosts/${2}" + HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem" + HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem" + pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \ + --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \ + --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \ + --outform pem > ${HOST_CERT} + cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem + + # Put a certificate copy into swanctl directory tree + cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509 +} + +# Generate host certificates +issue_cert 01 carol carol@strongswan.org Research +issue_cert 02 dave dave@strongswan.org Accounting +issue_cert 03 moon moon.strongswan.org +issue_cert 04 sun sun.strongswan.org +issue_cert 05 alice alice@strongswan.org Sales +issue_cert 06 venus venus.strongswan.org +issue_cert 07 bob bob@strongswan.org Research + +# Create PKCS#12 file for moon +TEST="${TEST_DIR}/ikev2/net2net-pkcs12" +HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" +HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem" +MOON_PKCS12="${TEST}/hosts/moon/etc/ipsec.d/private/moonCert.p12" +openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \ + -certfile ${CA_CERT} -caname "strongSwan Root CA" \ + -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null + +# Create PKCS#12 file for sun +HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem" +HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem" +SUN_PKCS12="${TEST}/hosts/sun/etc/ipsec.d/private/sunCert.p12" +openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \ + -certfile ${CA_CERT} -caname "strongSwan Root CA" \ + -aes128 -passout 
"pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null + +# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario +TEST="${TEST_DIR}/botan/net2net-pkcs12" +mkdir -p "${TEST}/hosts/moon/etc/swanctl/pkcs12" +cp ${MOON_PKCS12} "${TEST}/hosts/moon/etc/swanctl/pkcs12" +mkdir -p "${TEST}/hosts/sun/etc/swanctl/pkcs12" +cp ${SUN_PKCS12} "${TEST}/hosts/sun/etc/swanctl/pkcs12" + +# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario +TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12" +cp ${MOON_PKCS12} "${TEST}/hosts/moon/etc/swanctl/pkcs12" +cp ${SUN_PKCS12} "${TEST}/hosts/sun/etc/swanctl/pkcs12" + +# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP +TEST="${TEST_DIR}/swanctl/crl-to-cache" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +CN="carol@strongswan.org" +pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \ + --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \ + --outform pem > ${TEST_CERT} + +# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP +TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem" +HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" +CN="moon.strongswan.org" +pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \ + --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \ + --outform pem > ${TEST_CERT} + +# Encrypt carolKey.pem +HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem" +KEY_PWD="nH5ZQEWtku0RJEZ6" +openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \ + 2> /dev/null + +# Put a copy into the ikev2/dynamic-initiator scenario +TEST="${TEST_DIR}/ikev2/dynamic-initiator" +cp ${HOST_KEY} 
${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the ikev1/dynamic-initiator scenario
+TEST="${TEST_DIR}/ikev1/dynamic-initiator"
+cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the ikev1/dynamic-responder scenario
+TEST="${TEST_DIR}/ikev1/dynamic-responder"
+cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the swanctl/rw-cert scenario
+TEST="${TEST_DIR}/swanctl/rw-cert"
+cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+
+# Generate another carol certificate and revoke it
+TEST="${TEST_DIR}/ikev2/crl-revoked"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="08"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
+ --serial ${SERIAL} > ${CA_CRL}
+cp ${CA_CRL} ${CA_LAST_CRL}
+
+# Put a copy into the ikev2/ocsp-revoked scenario
+TEST="${TEST_DIR}/ikev2/ocsp-revoked"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Generate another carol certificate with SN=002
+TEST="${TEST_DIR}/ikev2/two-certs"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
+SERIAL="09"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Research CA Certificate Generation #
+################################################################################
+
+# Generate a Research CA certificate signed by the Root CA and revoke it
+TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+SERIAL="0A"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
+ --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
+rm ${CA_LAST_CRL}
+
+# Generate Research CA with the same private key as above signed by Root CA
+SERIAL="0B"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+ --outform pem > ${RESEARCH_CERT}
+cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the ikev1/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-pathlen scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-multi-level scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the swanctl/multi-level-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Put a certificate copy into the swanctl/ocsp-multi-level scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Generate Research CA with the same private key as above but invalid CDP
+TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
+ --crl "http://crl.strongswan.org/not-available.crl" \
+ --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+ --outform pem > ${TEST_CERT}
+
+################################################################################
+# Sales CA Certificate Generation #
+################################################################################
+
+# Generate Sales CA signed by Root CA
+SERIAL="0C"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+ --outform pem > ${SALES_CERT}
+cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the ikev1/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-multi-level scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-struct.ifuri scenario
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the swanctl/multi-level-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Put a certificate copy into the swanctl/ocsp-multi-level scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
+TEST="${TEST_DIR}/ikev2/strong-keys-certs"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
+KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
+CN="moon.strongswan.org"
+SERIAL="0D"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
+ --digest sha224 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+ 2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
+KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
+CN="carol@strongswan.org"
+SERIAL="0E"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
+ --digest sha384 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+ 2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
+KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
+CN="dave@strongswan.org"
+SERIAL="0F"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
+ --digest sha512 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+ 2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate another carol certificate with an OCSP URI
+TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="10"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
+ --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the ikev2/ocsp-timeouts-good scenario
+TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/ocsp-signer-cert scenario
+TEST="${TEST_DIR}/swanctl/ocsp-signer-cert"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Put a copy into the swanctl/ocsp-disabled scenario
+TEST="${TEST_DIR}/swanctl/ocsp-disabled"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Generate an OCSP Signing certificate for the strongSwan Root CA
+TEST_KEY="${CA_DIR}/ocspKey.pem"
+TEST_CERT="${CA_DIR}/ocspCert.pem"
+CN="ocsp.strongswan.org"
+OU="OCSP Signing Authority"
+SERIAL="11"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+ --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate a self-signed OCSP Signing certificate
+TEST_KEY="${CA_DIR}/ocspKey-self.pem"
+TEST_CERT="${CA_DIR}/ocspCert-self.pem"
+OU="OCSP Self-Signed Authority"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
+ --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
+ --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+
+# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
+TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
+
+# Generate mars virtual server certificate
+TEST="${TEST_DIR}/ha/both-active"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
+CN="mars.strongswan.org"
+OU="Virtual VPN Gateway"
+SERIAL="12"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+ --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the mirrored gateway
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+
+# Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
+for t in "ha/active-passive" "ikev2/redirect-active"
+do
+ TEST="${TEST_DIR}/${t}"
+ for h in alice moon
+ do
+ mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+ mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+ cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+ cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+ done
+done
+
+# Generate winnetou server certificate
+HOST_KEY="${CA_DIR}/winnetouKey.pem"
+HOST_CERT="${CA_DIR}/winnetouCert.pem"
+CN="winnetou.strongswan.org"
+SERIAL="13"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+ --flag serverAuth --outform pem > ${HOST_CERT}
+cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate AAA server certificate
+TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
+TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
+TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
+CN="aaa.strongswan.org"
+SERIAL="14"
+cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
+mkdir -p rsa x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+ --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into various tnc scenarios
+for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
+do
+ cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
+ mkdir -p rsa x509
+ cp ${TEST_KEY} rsa
+ cp ${TEST_CERT} x509
+done
+
+# Put a copy into the alice FreeRADIUS server
+cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
+
+################################################################################
+# strongSwan Attribute Authority #
+################################################################################
+
+# Generate Attritbute Authority certificate
+TEST="${TEST_DIR}/ikev2/acert-cached"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
+CN="strongSwan Attribute Authority"
+SERIAL="15"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate carol's attribute certificate for sales and finance
+ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/01.pem --group sales --group finance \
+ --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+# Generate dave's expired attribute certificate for sales
+ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/02.pem --group sales \
+ --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
+
+# Generate dave's attribute certificate for marketing
+ACERT_DM=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/02.pem --group marketing \
+ --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
+
+# Put a copy into the ikev2/acert-fallback scenario
+TEST="${TEST_DIR}/ikev2/acert-fallback"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+
+# Generate carol's expired attribute certificate for finance
+ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/01.pem --group finance \
+ --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
+
+# Generate carol's valid attribute certificate for sales
+ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/01.pem --group sales \
+ --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
+
+# Put a copy into the ikev2/acert-inline scenarion
+TEST="${TEST_DIR}/ikev2/acert-inline"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+
+# Generate a short-lived Attritbute Authority certificate
+CN="strongSwan Legacy AA"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
+SERIAL="16"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Genrate dave's attribute certificate for sales from expired AA
+ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+ --in ${CA_DIR}/certs/02.pem --group sales \
+ --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+################################################################################
+# strongSwan Root CA index for OCSP server #
+################################################################################
+
+# generate index.txt file for Root OCSP server
+cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
+
+################################################################################
+# Research CA #
+################################################################################
+
+# Generate a carol research certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+ --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ikev2/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-revoked scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-skipped scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/ocsp-multilevel scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the swanctl/multilevel-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Put a copy in the swanctl/ocsp-multilevel scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Generate a carol research certificate without a CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Research CA
+TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
+TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
+OU="Research OCSP Signing Authority"
+CN="ocsp.research.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+ --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Generate a Sales CA certificate signed by the Research CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
+SERIAL="03"
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+ --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+ --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Duck Research CA #
+################################################################################
+
+# Generate a Duck Research CA certificate signed by the Research CA
+SERIAL="04"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+ --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
+ --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
+cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
+cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Generate a carol certificate signed by the Duck Research CA
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
+ --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
+
+# Generate index.txt file for Research OCSP server
+cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
+
+################################################################################
+# Sales CA #
+################################################################################
+
+# Generate a dave sales certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+ --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ikev2/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/ocsp-multilevel scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the swanctl/multilevel-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Put a copy in the swanctl/ocsp-multilevel scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Generate a dave sales certificate with an inactive OCSP URI and no CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+ --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Sales CA
+TEST_KEY="${SALES_DIR}/ocspKey.pem"
+TEST_CERT="${SALES_DIR}/ocspCert.pem"
+OU="Sales OCSP Signing Authority"
+CN="ocsp.sales.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+ --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Generate a Research CA certificate signed by the Sales CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
+SERIAL="03"
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+ --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+ --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# generate index.txt file for Sales OCSP server
+cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
+
+################################################################################
+# strongSwan EC Root CA #
+################################################################################
+
+# Generate strongSwan EC Root CA
+pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
+pki --self --type ecdsa --in ${ECDSA_KEY} \
+ --not-before "${START}" --not-after "${CA_END}" --ca \
+ --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
+ --outform pem > ${ECDSA_CERT}
+
+# Put a copy in the openssl-ikev2/ecdsa-certs scenario
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
+cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon ECDSA 521 bit certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+ --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
+ --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol ECDSA 256 bit certificate
+CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
+CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+ --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
+ --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
+cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave ECDSA 384 bit certificate
+DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
+DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="03"
+pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+ --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
+ --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
+cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Put CA and EE certificate copies in the openssl-ikev2/rw-ecdsa-pkcs8 scenario
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
+cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Convert moon private key into unencrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem
+openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
+
+# Convert carol private key into v1.5 DES encrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem
+openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
+ -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
+
+# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem
+openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8 -v2 aes128 \
+ -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
+
+# Put CA and EE certificate copies in the openssl-ikev1/rw-ecdsa-certs scenario
+TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${MOON_KEY} ecdsa
+cp ${MOON_CERT} x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/carol/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${CAROL_KEY} ecdsa
+cp ${CAROL_CERT} x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/dave/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${DAVE_KEY} ecdsa
+cp ${DAVE_CERT} x509
+cp ${ECDSA_CERT} x509ca
+
+################################################################################
+# strongSwan RFC3779 Root CA #
+################################################################################
+
+# Generate strongSwan RFC3779 Root CA
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
+pki --self --type rsa --in ${RFC3779_KEY} \
+ --not-before "${START}" --not-after "${CA_END}" --ca \
+ --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
+ --addrblock "10.1.0.0-10.2.255.255" \
+ --addrblock "10.3.0.1-10.3.3.232" \
+ --addrblock "192.168.0.0/24" \
+ --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
+ --outform pem > ${RFC3779_CERT}
+
+# Put a copy in the ikev2/net2net-rfc3779 scenario
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+
+# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon RFC3779 certificate
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN}
\ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \ + --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \ + --addrblock "fec0::1/128" --addrblock "fec1::/16" \ + --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem + +# Put a copy in the ipv6 scenarios +for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2 +do + cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}" + mkdir -p rsa x509 x509ca + cp ${TEST_KEY} rsa + cp ${TEST_CERT} x509 + cp ${RFC3779_CERT} x509ca +done + +# Generate a sun RFC3779 certificate +TEST="${TEST_DIR}/ikev2/net2net-rfc3779" +TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem" +TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem" +CN="sun.strongswan.org" +SERIAL="02" +mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private +mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \ + --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \ + --addrblock "fec0::2/128" --addrblock "fec2::/16" \ + --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem + +# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario +cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" +mkdir -p rsa x509 x509ca +cp ${TEST_KEY} rsa +cp ${TEST_CERT} x509 +cp ${RFC3779_CERT} x509ca + +# Generate a carol RFC3779 certificate +TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2" +TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="03" +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509 +pki --gen --type rsa --size 
${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \ + --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \ + --addrblock "fec0::10/128" \ + --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem + +# Generate a carol RFC3779 certificate +TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2" +TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem" +TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem" +CN="dave@strongswan.org" +SERIAL="04" +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509 +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \ + --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \ + --addrblock "fec0::20/128" \ + --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem + +################################################################################ +# strongSwan SHA3-RSA Root CA # +################################################################################ + +# Generate strongSwan SHA3-RSA Root CA +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY} +pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \ + --not-before "${START}" --not-after "${CA_END}" --ca \ + --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \ + --outform pem > ${SHA3_RSA_CERT} + +# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario +TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert" +cp ${SHA3_RSA_CERT} 
${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + +# Generate a sun SHA3-RSA certificate +SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem" +SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem" +CN="sun.strongswan.org" +SERIAL="01" +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY} +pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \ + --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \ + --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT} +cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem + +# Generate a moon SHA3-RSA certificate +MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" +MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem" +CN="moon.strongswan.org" +SERIAL="02" +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY} +pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \ + --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \ + --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT} +cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem + +# Put a copy in the botan/net2net-sha3-rsa-cert scenario +TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert" +cd ${TEST}/hosts/moon/${SWANCTL_DIR} +mkdir -p rsa x509 x509ca +cp ${MOON_KEY} rsa +cp ${MOON_CERT} x509 +cp ${SHA3_RSA_CERT} x509ca +cd ${TEST}/hosts/sun/${SWANCTL_DIR} +mkdir -p rsa x509 x509ca +cp ${SUN_KEY} rsa +cp ${SUN_CERT} x509 +cp ${SHA3_RSA_CERT} x509ca + +# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario +TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa" +cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa +cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 +cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca 
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca +cp ${SHA3_RSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca + +# Generate a carol SHA3-RSA certificate +TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="03" +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \ + --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem + +# Generate a dave SHA3-RSA certificate +TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem" +TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem" +CN="dave@strongswan.org" +SERIAL="04" +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \ + --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem + +################################################################################ +# strongSwan Ed25519 Root CA # +################################################################################ + +# Generate strongSwan Ed25519 Root CA +pki --gen --type ed25519 --outform pem > ${ED25519_KEY} +pki --self --type ed25519 --in ${ED25519_KEY} \ + --not-before "${START}" --not-after "${CA_END}" --ca \ + --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.1" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.2" \ + --outform pem > ${ED25519_CERT} + +# Put a copy in the 
swanctl/net2net-ed25519 scenario +TEST="${TEST_DIR}/swanctl/net2net-ed25519" +cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + +# Generate a sun Ed25519 certificate +SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem" +SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem" +CN="sun.strongswan.org" +SERIAL="01" +pki --gen --type ed25519 --outform pem > ${SUN_KEY} +pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \ + --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \ + --crl ${ED25519_CDP} --outform pem > ${SUN_CERT} +cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem + +# Generate a moon Ed25519 certificate +MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem" +MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem" +CN="moon.strongswan.org" +SERIAL="02" +pki --gen --type ed25519 --outform pem > ${MOON_KEY} +pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \ + --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \ + --crl ${ED25519_CDP} --outform pem > ${MOON_CERT} +cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem + +# Put a copy in the botan/net2net-ed25519 scenario +TEST="${TEST_DIR}/botan/net2net-ed25519" +cd ${TEST}/hosts/moon/${SWANCTL_DIR} +mkdir -p pkcs8 x509 x509ca +cp ${MOON_KEY} pkcs8 +cp ${MOON_CERT} x509 +cp ${ED25519_CERT} x509ca +cd ${TEST}/hosts/sun/${SWANCTL_DIR} +mkdir -p pkcs8 x509 x509ca +cp ${SUN_KEY} pkcs8 +cp ${SUN_CERT} x509 +cp ${ED25519_CERT} x509ca + +# Put a copy in the ikev2/net2net-ed25519 scenario +TEST="${TEST_DIR}/ikev2/net2net-ed25519" +cd 
${TEST}/hosts/moon/${IPSEC_DIR} +mkdir -p cacerts certs private +cp ${MOON_KEY} private +cp ${MOON_CERT} certs +cp ${ED25519_CERT} cacerts +cd ${TEST}/hosts/sun/${IPSEC_DIR} +mkdir -p cacerts certs private +cp ${SUN_KEY} private +cp ${SUN_CERT} certs +cp ${ED25519_CERT} cacerts + +# Put a copy in the swanctl/rw-ed25519-certpol scenario +TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol" +cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8 +cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 +cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +cp ${ED25519_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca +cp ${ED25519_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca + +# Generate a carol Ed25519 certificate +TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="03" +pki --gen --type ed25519 --outform pem > ${TEST_KEY} +pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \ + --crl ${ED25519_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem + +# Generate a dave Ed25519 certificate +TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem" +TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem" +CN="dave@strongswan.org" +SERIAL="04" +pki --gen --type ed25519 --outform pem > ${TEST_KEY} +pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \ + --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \ + --crl ${ED25519_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} 
${ED25519_DIR}/certs/${SERIAL}.pem + +################################################################################ +# strongSwan Monster Root CA # +################################################################################ + +# Generate strongSwan Monster Root CA +pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY} +pki --self --type rsa --in ${MONSTER_KEY} \ + --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \ + --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \ + --outform pem > ${MONSTER_CERT} + +# Put a copy in the ikev2/after-2038-certs scenario +TEST="${TEST_DIR}/ikev2/after-2038-certs" +cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/ +cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/ + +# Generate a moon Monster certificate +TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem" +TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem" +CN="moon.strongswan.org" +SERIAL="01" +pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \ + --in ${TEST_KEY} --san ${CN} \ + --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \ + --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem + +# Generate a carol Monster certificate +TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="02" +pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \ + --in ${TEST_KEY} --san ${CN} \ + --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \ + --crl ${MONSTER_CDP} 
--outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem + +################################################################################ +# Bliss CA # +################################################################################ + +# Generate BLISS Root CA with 192 bit security strength +pki --gen --type bliss --size 4 > ${BLISS_KEY} +pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \ + --not-before "${START}" --not-after "${CA_END}" --ca \ + --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT} + +# Put a copy in the ikev2/rw-newhope-bliss scenario +TEST="${TEST_DIR}/ikev2/rw-newhope-bliss" +cp ${BLISS_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/ +cp ${BLISS_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/ +cp ${BLISS_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/ + +# Put a copy in the ikev2/rw-ntru-bliss scenario +TEST="${TEST_DIR}/ikev2/rw-ntru-bliss" +cp ${BLISS_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/ +cp ${BLISS_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/ +cp ${BLISS_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/ + +# Put a copy in the swanctl/rw-ntru-bliss scenario +TEST="${TEST_DIR}/swanctl/rw-ntru-bliss" +cp ${BLISS_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca/ +cp ${BLISS_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca/ +cp ${BLISS_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/ + +# Generate a carol BLISS certificate with 128 bit security strength +TEST="${TEST_DIR}/ikev2/rw-newhope-bliss" +TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der" +TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der" +CN="carol@strongswan.org" +SERIAL="01" +pki --gen --type bliss --size 1 > ${TEST_KEY} +pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \ + --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT} +cp 
${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der + +# Put a copy in the ikev2/rw-ntru-bliss scenario +TEST="${TEST_DIR}/ikev2/rw-ntru-bliss" +cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private/ +cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs/ + +# Put a copy in the swanctl/rw-ntru-bliss scenario +TEST="${TEST_DIR}/swanctl/rw-ntru-bliss" +cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/ +cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509/ + +# Generate a dave BLISS certificate with 160 bit security strength +TEST="${TEST_DIR}/ikev2/rw-newhope-bliss" +TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der" +TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der" +CN="dave@strongswan.org" +SERIAL="02" +pki --gen --type bliss --size 3 > ${TEST_KEY} +pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \ + --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT} +cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der + +# Put a copy in the ikev2/rw-ntru-bliss scenario +TEST="${TEST_DIR}/ikev2/rw-ntru-bliss" +cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/ +cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/ + +# Put a copy in the swanctl/rw-ntru-bliss scenario +TEST="${TEST_DIR}/swanctl/rw-ntru-bliss" +cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/ +cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/ + +# Generate a moon BLISS certificate with 192 bit security strength +TEST="${TEST_DIR}/ikev2/rw-newhope-bliss" +TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der" +TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der" +CN="moon.strongswan.org" +SERIAL="03" +pki --gen --type bliss --size 4 > ${TEST_KEY} +pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \ + --in ${TEST_KEY} --not-before "${START}" --not-after 
"${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
+ --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index 5116d095e5..23091234aa 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -65,8 +65,9 @@ do
 echo "/testresults /var/www/testresults 9p trans=virtio,version=9p2000.L 0 0" >> $LOOPDIR/etc/fstab
 execute_chroot "a2enmod -q cgid" 0
 execute_chroot "a2enmod -q rewrite" 0
- execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
- execute_chroot "/etc/openssl/generate-crl" 0
+ execute_chroot "mkdir /var/www/certs" 0
+ execute_chroot "mkdir /var/www/certs/research /var/www/certs/sales" 0
+ execute_chroot "/etc/ca/generate-crl" 0
 execute_chroot "rm -rf /var/lib/ldap/*" 0
 execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
 execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
diff --git a/testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644
index 1454ec54c2..0000000000
--- a/testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
+++ /dev/null
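Review bot: The two new `mkdir` calls in the build-guestimages hunk are not idempotent: neither uses `-p`, so re-running this step against an image where `/var/www/certs` already exists fails, and the second call only exists because the first has to create the parent. One line does the same work and tolerates an existing tree: `execute_chroot "mkdir -p /var/www/certs/research /var/www/certs/sales" 0`. The trailing `0` is presumably the exit status execute_chroot expects; keep it on the `/etc/ca/generate-crl` line, since that is the step that signs the CRLs with the test CA keys and a silently failing run would leave the web root without revocation data while the scenarios still assume it is there. The enclosing `do` loop starts and ends outside the hunk.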
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F - -1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b -/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ -/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o -Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ -f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 -LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv -06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC -e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr -3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC -sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily -c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy -UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h -XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T -iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO -Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO -v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO -t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H -8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA -jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p -p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS -7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk -GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ -4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 -yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd -+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem deleted file mode 100644 index 1454ec54c2..0000000000 --- a/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F - -1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b -/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ -/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o -Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ -f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 -LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv -06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC -e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr -3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC -sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily -c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy -UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h -XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T -iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO -Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO -v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO -t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H -8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA -jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p -p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS -7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk -GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ -4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 -yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd -+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem deleted file mode 100644 index 1454ec54c2..0000000000 --- a/testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F - -1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b -/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ -/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o -Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ -f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 -LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv -06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC -e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr -3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC -sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily -c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy -UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h -XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T -iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO -Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO -v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO -t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H -8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA -jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p -p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS -7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk -GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ -4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 -yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd -+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
index 73e17062d2..8421527139 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,6 @@ conn alice
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 rightsubnet=PH_IP_ALICE/32
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
index 7140befe6c..953fa18ffa 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -16,6 +16,6 @@ conn venus
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 25716969f1..998fa3f8fc 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -22,12 +22,12 @@ conn alice
 leftsubnet=PH_IP_ALICE/32
 right=PH_IP_CAROL
 rightid=carol@strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=PH_IP_DAVE
 rightid=dave@strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
index 96da6db1e4..43cbb47f63 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
 rightsubnet=PH_IP_ALICE/32
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
index bafec31f4c..0cef26c6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn venus
 rightsubnet=PH_IP_VENUS/32
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index 7bae1ab0fd..f6224edfb0 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -21,11 +21,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 3df94ba2d5..09dfafce61 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 28389112a5..8f1609e5ee 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 2dfd40f99d..ec4585411a 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -21,11 +21,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
 auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
similarity index 100%
rename from testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem
rename to testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aaKey.pem
similarity index 100%
rename from testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem
rename to testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aaKey.pem
diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat
index e5b8d291c6..43c69597c2 100644
--- a/testing/tests/ikev2/acert-cached/posttest.dat
+++ b/testing/tests/ikev2/acert-cached/posttest.dat
@@ -7,5 +7,5 @@ dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem
 moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem
 moon::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-cached/reissue.txt b/testing/tests/ikev2/acert-cached/reissue.txt
deleted file mode 100644
index 6ab98f12ae..0000000000
--- a/testing/tests/ikev2/acert-cached/reissue.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-# Carols acert for sales and finance
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
- --group sales --group finance -l 87600 -f pem \
- > hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem
-
-# Daves acert for marketing
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
- --group marketing -l 87600 -f pem \
- > hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem
-
-# Daves expired acert for sales
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
- --group sales -F "01.01.13 08:00:00" -l 240 -f pem \
- > hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
similarity index 100%
rename from testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem
rename to testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aaKey.pem
similarity index 100%
rename from testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem
rename to testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aaKey.pem
diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat
index 2ccb86a411..b90119c6be 100644
--- a/testing/tests/ikev2/acert-fallback/posttest.dat
+++ b/testing/tests/ikev2/acert-fallback/posttest.dat
@@ -4,5 +4,5 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/acerts/carol-sales.pem
 carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-fallback/reissue.txt b/testing/tests/ikev2/acert-fallback/reissue.txt
deleted file mode 100644
index 2e1cd68921..0000000000
--- a/testing/tests/ikev2/acert-fallback/reissue.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-# Carols expired acert for finance
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
- --group finance -F "01.01.13 08:00:00" -l 240 -f pem \
- > ./hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem
-
-# Carols valid acert for sales
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
- --group sales -l 87600 -f pem \
- > hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat
index 1363354907..cf0e7be72c 100644
--- a/testing/tests/ikev2/acert-inline/evaltest.dat
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -3,9 +3,9 @@ dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.s
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
-carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
-dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
-dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
+carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Legacy AA\"::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert-expired.pem
similarity index 100%
rename from testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem
rename to testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert-expired.pem
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
similarity index 100%
rename from testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem
rename to testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey-expired.pem
similarity index 100%
rename from testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem
rename to testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey-expired.pem
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey.pem
similarity index 100%
rename from testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem
rename to testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey.pem
diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat
index a0ef984409..bd2272b211 100644
--- a/testing/tests/ikev2/acert-inline/posttest.dat
+++ b/testing/tests/ikev2/acert-inline/posttest.dat
@@ -7,7 +7,7 @@ dave::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/acerts/carol-sales.pem
 dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem
 dave::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aa-expired.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa-expired.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey-expired.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert-expired.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-inline/reissue.txt b/testing/tests/ikev2/acert-inline/reissue.txt
deleted file mode 100644
index 994fa0f601..0000000000
--- a/testing/tests/ikev2/acert-inline/reissue.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-# Carols sales acert
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem --in \
- ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
- --group sales -l 87600 -f pem \
- > hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
-
-# Daves marketing acert
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
- --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
- --group marketing -l 87600 -f pem
- > hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem
-
-# Daves sales acert from expired AA
-pki --acert \
- --issuercert hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem \
- --issuerkey hosts/moon/etc/ipsec.d/private/aa-expired.pem \
- --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
- --group sales -l 87600 -f pem \
- > hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
index c232c43326..25b05f7f03 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
@@ -16,7 +16,7 @@ conn %default
 left=%any
 leftcert=bobCert.pem
-conn sun
+conn sun
 right=PH_IP_SUN1
- rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
 auto=route
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
index 17fcf0a7a2..c44c6bb392 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
@@ -18,10 +18,10 @@ conn %default
 conn alice
 right=PH_IP_ALICE
- rightid="C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org"
+ rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
 auto=route
-conn sun
+conn sun
 right=PH_IP_SUN
- rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
 auto=route
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
index 69ba4205f7..1c9a7c4f0a 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -6,7 +6,7 @@ config setup
 ca strongswan
 cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
 conn %default
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl
similarity index 100%
rename from testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
rename to testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 25656cbdab..57fb7dd1bc 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -6,7 +6,7 @@ config setup
 ca strongswan
 cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
 conn %default
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl
similarity index 100%
rename from testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
rename to testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
index 95cd144ba2..fa67815e39 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 conn home
 left=PH_IP_CAROL
- leftcert=carolRevokedCert.pem
+ leftcert=carolCert.pem
 leftid=carol@strongswan.org
 right=PH_IP_MOON
 rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
similarity index 100%
rename from testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
rename to testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
similarity index 100%
rename from testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
rename to testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
index 8e31be4cb5..fac55d63be 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
-: RSA carolRevokedKey.pem
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/crl-revoked/posttest.dat b/testing/tests/ikev2/crl-revoked/posttest.dat
index d742e8410f..c6d6235f9d 100644
--- a/testing/tests/ikev2/crl-revoked/posttest.dat
+++ b/testing/tests/ikev2/crl-revoked/posttest.dat
@@ -1,4 +1,2 @@
 moon::ipsec stop
 carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index fe6a55aaef..f7417da6d9 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 995b347cf4..9b28c50f5b 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -5,7 +5,7 @@ config setup
 ca strongswan
 cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
 conn %default
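Review bot: Removing the two `carol::rm` lines from crl-revoked/posttest.dat leaves carol's revoked credentials on the guest under the stock file names once the test finishes: the renames earlier in this commit are `similarity index 100%`, so `/etc/ipsec.d/certs/carolCert.pem` and `/etc/ipsec.d/private/carolKey.pem` now hold exactly what carolRevokedCert.pem and carolRevokedKey.pem held. Unless the harness restores the base image between tests (not visible here), a later test that ships no carolCert.pem of its own would run with a revoked certificate and fail in a confusing way. If the plan is that the regenerated carolCert.pem becomes the canonical one and revocation is expressed only through the CRL, that is sound once the file contents are actually regenerated; until then I would keep a targeted cleanup, e.g. `carol::rm /etc/ipsec.d/certs/carolCert.pem /etc/ipsec.d/private/carolKey.pem`, or record the reliance on an image reset in the test description.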
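Review bot: The loosened pattern `.*/etc/ipsec.d/crls/.*.crl` in crl-to-cache/evaltest.dat has an unescaped dot before `crl`, so it also accepts a name such as `xcrl`, and it no longer checks that the cached CRL is stored under the issuer's key-identifier hash, which the old 40-hex-digit name did pin. Escaping the dot costs nothing: `moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*\.crl::YES` and the same for carol. If the hash is expected to change whenever the CA certificate is regenerated, a class like `[0-9a-f]*\.crl` keeps the naming scheme under test without hard-coding the value; whether the evaltest matcher treats the pattern as a basic or extended regex is not visible in this diff, so keep the escape portable.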
@@ -18,12 +18,12 @@ conn %default
 leftcert=carolCert.pem
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index 320c0713ce..082c2f2b5d 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -5,7 +5,7 @@ config setup
 ca strongswan
 cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
 conn %default
@@ -18,12 +18,12 @@ conn %default
 leftcert=daveCert.pem
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index e67c9afb0f..deae852d49 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -5,19 +5,19 @@ config setup
 ca strongswan
 cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
-ca research
+ca research
 cacert=researchCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
-
-ca sales
+
+ca sales
 cacert=salesCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList"
 auto=add
-
+
 conn %default
 ikelifetime=60m
 keylife=20m
@@ -32,11 +32,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index 297e348ea4..e6bd872b02 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -17,5 +17,5 @@ conn home
 right=PH_IP_MOON
 rightsubnet=10.1.0.0/16
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index a3517967a1..e2c8df2d6c 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -3,11 +3,6 @@ config setup
 strictcrlpolicy=yes
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
 conn %default
 ikelifetime=60m
 keylife=20m
@@ -21,5 +16,5 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
index 297e348ea4..e6bd872b02 100644
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
@@ -17,5 +17,5 @@ conn home
 right=PH_IP_MOON
 rightsubnet=10.1.0.0/16
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
index fe69abe921..e2c8df2d6c 100644
--- a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
@@ -3,11 +3,6 @@ config setup
 strictcrlpolicy=yes
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/not-available.crl
- auto=add
-
 conn %default
 ikelifetime=60m
 keylife=20m
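Review bot: With `strictcrlpolicy=yes` kept but the `ca strongswan` section and its `crluri=http://crl.strongswan.org/strongswan.crl` removed, moon can now obtain a CRL only through the crlDistributionPoints extension carried in the certificates it receives; if the regenerated certificates do not carry that extension, every connection fails with a "no CRL available" style error and the revoked-carol case in evaltest passes for the wrong reason. The same removal in multi-level-ca-skipped drops the deliberately unreachable `not-available.crl` URI and leaves that moon ipsec.conf byte-identical to this one (both sides end at blob e2c8df2d6c), so the scenario that test is named for is no longer expressed anywhere in the configuration. I would have evaltest match the specific failure reason rather than just a non-established connection, e.g. `moon::cat /var/log/daemon.log::certificate was revoked::YES` (adjusting to the exact log text), and add a sentence to each test description saying the CRL URI now comes from the certificate. Whether the fresh certificates actually include a CDP is not visible in this diff.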
@@ -21,5 +16,5 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d65d37be25..611f25995e 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -14,12 +14,12 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index 121f7d41aa..abe0f3ad9a 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -14,12 +14,12 @@ conn %default
 leftsendcert=ifasked
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 conn alice
 rightsubnet=PH_IP_ALICE/32
 auto=add
-
+
 conn venus
 rightsubnet=PH_IP_VENUS/32
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index a49c833b89..c58de462b3 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -22,11 +22,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index 3a5aaa6b6c..a607a0dc86 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -2,11 +2,6 @@ config setup
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
 conn %default
 ikelifetime=60m
 keylife=20m
@@ -21,11 +16,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
 auto=add
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
index 02280ac2f7..ea9e55c5fa 100644
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -3,5 +3,5 @@ charon {
 load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- fragment_size = 1024
+ fragment_size = 1088
 }
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
index 02280ac2f7..ea9e55c5fa 100644
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -3,5 +3,5 @@ charon {
 load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- fragment_size = 1024
+ fragment_size = 1088
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
index bcc6d5b699..7c8346b02f 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn net-net
 left=PH_IP_MOON
 leftsubnet=10.1.0.0/16
 leftid=@moon.strongswan.org
- leftsigkey=moonPub.der
+ leftsigkey=moonPub.pem
 leftauth=pubkey
 leftfirewall=yes
 right=PH_IP_SUN
 rightsubnet=10.2.0.0/16
 rightid=@sun.strongswan.org
- rightsigkey=sunPub.der
+ rightsigkey=sunPub.pem
 rightauth=pubkey
 auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem
similarity index 100%
rename from testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der
rename to testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem
similarity index 100%
rename from testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der
rename to testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem
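Review bot: `fragment_size = 1088` in sun's strongswan.conf is a bare number with nothing saying why 1024 stopped fitting, and the identical edit to moon's copy suggests it tracks the size of the regenerated certificates rather than any protocol requirement; whoever changes the certificates next will not know to revisit it. A one-line comment above the setting would do, e.g. `# sized so IKE_AUTH carrying the regenerated certificates splits into the fragment count evaltest.dat expects`, adjusted to the actual reason, which is not visible in this diff.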
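Review bot: `leftsigkey=moonPub.pem` and `rightsigkey=sunPub.pem` now point at files that were only renamed (the two renames right after this hunk are `similarity index 100%`), so they still contain whatever bytes moonPub.der and sunPub.der held, i.e. DER under a .pem name. strongSwan's credential loader may cope by sniffing the content, but the name is misleading until the files are really regenerated as PEM, and the deletion of moonKey.der and of moon's ipsec.secrets elsewhere in this commit means moon's signing key now has to come from the base image's secrets; the unchanged public-key files must correspond to that key or authentication fails. I would either convert the files in this commit, e.g. `pki --pub --type pub --in moonPub.der --outform pem > moonPub.pem`, or state in the commit message that the contents are replaced by the generation script.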
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der
deleted file mode 100644
index 49e0111f28..0000000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b9ec17dbcb..0000000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
index 4fe2e67de2..e94022fca6 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@@ -13,10 +13,10 @@ conn net-net
 left=PH_IP_SUN
 leftsubnet=10.2.0.0/16
 leftid=@sun.strongswan.org
- leftsigkey=sunPub.der
+ leftsigkey=sunPub.pem
 leftfirewall=yes
 right=PH_IP_MOON
 rightsubnet=10.1.0.0/16
 rightid=@moon.strongswan.org
- rightsigkey=moonPub.der
+ rightsigkey=moonPub.pem
 auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem
similarity index 100%
rename from testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der
rename to testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem
similarity index 100%
rename from testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der
rename to testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der
deleted file mode 100644
index 7c284f9391..0000000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 6aa9ed5620..0000000000
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /et
c/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.der
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
similarity index 94%
rename from testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
rename to testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 4e2cc2860e..ea9be3d92f 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
 #!/bin/bash
-cd /etc/openssl
+cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
index 630117af98..ba484eb5a6 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -31,11 +31,11 @@ conn %default
 conn alice
 leftsubnet=PH_IP_ALICE/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
 auto=add
-
+
 conn venus
 leftsubnet=PH_IP_VENUS/32
 right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
 auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index eedd737ac3..b660f2dcfb 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -4,5 +4,7 @@ dave::ipsec start
 moon::expect-connection alice
 carol::expect-connection alice
 carol::ipsec up alice
+carol::ipsec up venus
 dave::expect-connection venus
 dave::ipsec up venus
+dave::ipsec up alice
\ No newline at end of file
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
similarity index 93%
rename from testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
rename to testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 429061376a..8c7b9cd136 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -1,6 +1,6 @@
 #!/bin/bash
-cd /etc/openssl
+cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 94eb586218..17225d287c 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
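Review bot: The added `carol::ipsec up venus` and `dave::ipsec up alice` in ocsp-multi-level/pretest.dat make a Research-CA client try the Sales-only connection and vice versa, which is a worthwhile negative case, but nothing in this commit adds evaltest.dat lines asserting that those attempts are rejected on the `rightca` constraint, so the extra traffic is currently unverified and a regression that lets them through would go unnoticed. I would pair them with checks such as `carol::ipsec status 2> /dev/null::venus.*ESTABLISHED::NO` and `dave::ipsec status 2> /dev/null::alice.*ESTABLISHED::NO`, plus a daemon.log match on the constraint failure. Two smaller things: `carol::ipsec up venus` runs before any `expect-connection venus`, which is presumably fine if both connections load together but is worth a glance, and the file now ends without a trailing newline (`\ No newline at end of file`).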
@@ -15,7 +15,7 @@ conn %default rekeymargin=3m keyingtries=1 left=PH_IP_CAROL - leftcert=carolRevokedCert.pem + leftcert=carolCert.pem leftid=carol@strongswan.org conn home diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem similarity index 100% rename from testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem rename to testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem similarity index 100% rename from testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem rename to testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets index 8e31be4cb5..fac55d63be 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolRevokedKey.pem +: RSA carolKey.pem diff --git a/testing/tests/ikev2/ocsp-revoked/posttest.dat b/testing/tests/ikev2/ocsp-revoked/posttest.dat index d742e8410f..c6d6235f9d 100644 --- a/testing/tests/ikev2/ocsp-revoked/posttest.dat +++ b/testing/tests/ikev2/ocsp-revoked/posttest.dat @@ -1,4 +1,2 @@ moon::ipsec stop carol::ipsec stop -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf index a1bc9b0142..17225d287c 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf 
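Review bot: In ocsp-revoked, `leftcert=carolCert.pem` now points at carol's revoked certificate shipped under the generic name (the 100%-similarity rename from carolRevokedCert.pem, key likewise), while posttest.dat drops the `carol::rm /etc/ipsec.d/private/*` and `carol::rm /etc/ipsec.d/certs/*` cleanup; if the harness does not restore carol's /etc/ipsec.d between scenarios, the revoked key pair is left in place under exactly the name later scenarios load. The same rename-plus-cleanup-removal appears in ocsp-signer-cert and ocsp-timeouts-good (carolCert-ocsp.pem, carolKey-ocsp.pem), and ocsp-strict-ifuri renames carolCert-ifuri.pem and daveCert-ifuri.pem the same way. Since the file name no longer says which certificate this is, a comment next to the setting would help, e.g. `# carolCert.pem here is the scenario's revoked certificate, not the stock one`.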
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf @@ -15,7 +15,7 @@ conn %default rekeymargin=3m keyingtries=1 left=PH_IP_CAROL - leftcert=carolCert-ocsp.pem + leftcert=carolCert.pem leftid=carol@strongswan.org conn home diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert.pem similarity index 100% rename from testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem rename to testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey.pem similarity index 100% rename from testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem rename to testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets index a89065443b..fac55d63be 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolKey-ocsp.pem +: RSA carolKey.pem diff --git a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat index 220bc2c1d6..c6d6235f9d 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat +++ b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat @@ -1,4 +1,2 @@ moon::ipsec stop carol::ipsec stop -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/private/* 
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf index 27af8e7a89..fa68b2a2c9 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf @@ -10,14 +10,14 @@ conn %default keyingtries=1 keyexchange=ikev2 left=PH_IP_CAROL - leftcert=carolCert-ifuri.pem + leftcert=carolCert.pem right=PH_IP_MOON rightid=@moon.strongswan.org conn alice rightsubnet=PH_IP_ALICE/32 auto=add - + conn venus rightsubnet=PH_IP_VENUS/32 auto=add diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert.pem similarity index 100% rename from testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem rename to testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf index aa07085f43..b007f527b7 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup strictcrlpolicy=ifuri - + conn %default ikelifetime=60m keylife=20m @@ -10,14 +10,14 @@ conn %default keyingtries=1 keyexchange=ikev2 left=PH_IP_DAVE - leftcert=daveCert-ifuri.pem + leftcert=daveCert.pem right=PH_IP_MOON rightid=@moon.strongswan.org conn alice rightsubnet=PH_IP_ALICE/32 auto=add - + conn venus rightsubnet=PH_IP_VENUS/32 auto=add 
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert.pem similarity index 100% rename from testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem rename to testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert.pem diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf index 02db316d74..1ed94f98e3 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf @@ -16,11 +16,11 @@ conn %default conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA" auto=add - + conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA" auto=add diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf index 816db6e1e2..74d363fe14 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf @@ -8,7 +8,7 @@ ca strongswan-ca ocspuri1=http://bob.strongswan.org:8800 ocspuri2=http://ocsp.strongswan.org:8880 auto=add - + conn %default keyexchange=ikev2 ikelifetime=60m @@ -16,7 +16,7 @@ conn %default rekeymargin=3m keyingtries=1 left=PH_IP_CAROL - leftcert=carolCert-ocsp.pem + leftcert=carolCert.pem leftid=carol@strongswan.org conn home 
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert.pem similarity index 100% rename from testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem rename to testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey.pem similarity index 100% rename from testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem rename to testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets index a89065443b..fac55d63be 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolKey-ocsp.pem +: RSA carolKey.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat index 220bc2c1d6..c6d6235f9d 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat @@ -1,4 +1,2 @@ moon::ipsec stop carol::ipsec stop -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/private/* 
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi similarity index 93% rename from testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi rename to testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi index 72aa7a6c49..bce963fadd 100755 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi @@ -1,6 +1,6 @@ #!/bin/bash -cd /etc/openssl +cd /etc/ca echo "Content-type: application/ocsp-response" echo "" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat index 6b609f81d4..e1993fd43a 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat @@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES 
@@ -17,7 +17,7 @@ dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moo moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO +dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf index dd1b893028..5d99639bf6 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf @@ -15,7 +15,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf index a46071a3a9..93acb09056 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf @@ -15,7 +15,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat index f77c31c568..7cf9edd2f6 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat 
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat @@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf index dd1b893028..5d99639bf6 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf @@ -15,7 +15,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf index a46071a3a9..93acb09056 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf 
@@ -15,7 +15,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf index 944546ff83..f343e599db 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf @@ -18,5 +18,5 @@ conn home rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf index b1a22e78a1..aa4b9d2a63 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf @@ -18,5 +18,5 @@ conn home rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat index b2e3ce6207..2c1b69ed5f 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat 
@@ -1,8 +1,8 @@ carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 756e3835c6..c4f8c27ff9 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -13,7 +13,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat index b53b085f87..36c0544193 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat 
@@ -1,7 +1,7 @@ -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf index 6aaeb160fe..05702c4367 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf @@ -13,8 +13,8 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightsubnet=10.1.0.0/16 rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf index deadcff6d8..d82b0d5bfc 100644 
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf @@ -15,7 +15,7 @@ conn rw-eap leftcert=moonCert.pem leftauth=pubkey leftfirewall=yes - rightid="C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" + rightid="C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org" rightauth=eap-radius rightsendcert=never right=%any diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat index 2285608b8d..48aaf24aec 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat @@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf index 576d2cb998..9f093b71fd 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf 
@@ -13,7 +13,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf index ba52ec31eb..5f53072e46 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf @@ -13,7 +13,7 @@ conn home leftauth=eap leftfirewall=yes right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org" rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf index c18df1c73f..5013cfecf7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf @@ -16,5 +16,5 @@ conn home rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf index 2b58fbfca2..7e1a6e29e8 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -16,5 +16,5 @@ conn home rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org" auto=add 
diff --git a/testing/tests/ikev2/rw-pkcs8/description.txt b/testing/tests/ikev2/rw-pkcs8/description.txt index d5d817f52e..84dd41480f 100644 --- a/testing/tests/ikev2/rw-pkcs8/description.txt +++ b/testing/tests/ikev2/rw-pkcs8/description.txt @@ -1,8 +1,8 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates and matching RSA private keys stored in the PKCS#8 format. moon's key is unencrypted, carol's key is encrypted with the default PKCS#5 v1.5 -DES algorithm and dave's key with the PKCS#5 v2.0 3DES algorithm. +DES algorithm and dave's key with the PKCS#5 v2.0 AES-128 algorithm.

Upon the successful establishment of the IPsec tunnels, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev2/strong-keys-certs/description.txt b/testing/tests/ikev2/strong-keys-certs/description.txt index fc12807291..0847159f47 100644 --- a/testing/tests/ikev2/strong-keys-certs/description.txt +++ b/testing/tests/ikev2/strong-keys-certs/description.txt @@ -1,7 +1,7 @@ This scenario is derived from ikev2/rw-cert. -The gateway moon uses a 2048 bit RSA private key protected by AES-128 +The gateway moon uses a 3072 bit RSA private key protected by AES-128 encryption whereas the roadwarriors carol and dave have an -AES-192 and AES-256 envelope, respectively. +AES-192 and AES-256 envelope, respectively. The X.509 certificate of the gateway moon uses a SHA-224 hash in its signature whereas the certificates of the roadwarriors carol and dave use SHA-384 and SHA-512, respectively. diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf index a8183f59e0..ce9e384133 100644 --- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf @@ -15,12 +15,12 @@ conn %default conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*" + rightid="C=CH, O=strongSwan Project, OU=Research, CN=*" auto=add - + conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*" + rightid="C=CH, O=strongSwan Project, OU=Accounting, CN=*" auto=add - + 
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem similarity index 100% rename from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem rename to testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat index fa61f19fbf..91e34578f8 100644 --- a/testing/tests/swanctl/crl-to-cache/evaltest.dat +++ b/testing/tests/swanctl/crl-to-cache/evaltest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO -moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES -moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES -carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES -carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES +moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES +moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES +carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES +carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES carol::cat /var/log/daemon.log::certificate was revoked::YES carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem deleted file mode 100644 index d53365f787..0000000000 --- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem +++ /dev/null 
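Review bot: The relaxed pattern `x509crl/.*.crl` in crl-to-cache/evaltest.dat also matches the `_delta.crl` line, so the first `written crl` check on moon and on carol no longer proves that the base CRL was cached — a regression that writes only the delta would still pass, and the unescaped `.` before `crl` matches any character. Dropping the fixed key hash is necessary once the CA key is regenerated per build, but the shape can stay: `moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/[0-9a-f]*[.]crl::YES` and `moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/[0-9a-f]*_delta[.]crl::YES`, with the carol lines changed the same way. The bracketed dot follows the `[{]1}` escaping style already used in the other evaltest files.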
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD -FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU -zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO -/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 -C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 -+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E -BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd -VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv -bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy -FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp -cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM -POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t -xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U -dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW -8sFmiZI= ------END CERTIFICATE----- diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem deleted file mode 100644 index a10a18cba8..0000000000 --- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP -GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV -Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S -uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO -sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 -vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ -MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD -VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI -MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu -IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn -Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S -CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW -AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284 -RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh -M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg= ------END CERTIFICATE----- diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 3a5aaa6b6c..0000000000 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://crl.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - left=PH_IP_MOON - leftcert=moonCert.pem - leftsendcert=ifasked - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" - auto=add diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf index 574887d7e8..8905ebe233 100755 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf @@ -11,11 +11,11 @@ connections { remote { auth = pubkey cacerts = researchCert.pem - revocation = ifuri + revocation = ifuri } children { alice { - local_ts = 10.1.0.10/32 + local_ts = 10.1.0.10/32 esp_proposals = aes128-sha256-ecp256 } } @@ -34,7 +34,7 @@ connections { remote { auth = pubkey cacerts = salesCert.pem - revocation = ifuri + revocation = ifuri } children { venus { @@ -46,11 +46,3 @@ connections { proposals = aes128-sha256-ecp256 } } - -authorities { - - strongswan { - cacert = strongswanCert.pem - crl_uris = http://crl.strongswan.org/strongswan.crl - } -} diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf index 73bb5f6b32..f93e30fcd1 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf 
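Review bot: Deleting the `authorities` block from multi-level-ca/.../swanctl.conf removes the only explicit `crl_uris` entry for the root CA, and both remote sections keep `revocation = ifuri`, so revocation of the Research and Sales CA certificates is now checked only if the regenerated certificates themselves carry a crlDistributionPoints extension pointing at the CRL the responder publishes; given the commit's purpose that is presumably the case, but nothing in this hunk shows it. A one-line comment at the top of the file would record the dependency, e.g. `# CRL URIs are taken from the CDP extension of the regenerated CA certificates; no authorities section is needed`, or the section should be kept if the CDP is absent.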
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
+ load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
index 73bb5f6b32..f93e30fcd1 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
+ load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3a5aaa6b6c..0000000000
--- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://crl.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
- auto=add
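Review bot: The new swanctl `load` line in moon's and sun's strongswan.conf (`load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey`) replaces the `openssl` plugin with `gmp`, `sha1` and `sha3` without saying why, and the same list recurs in the rw-eap-tls-sha3-rsa scenario later in this commit. Since the scenario name points at SHA-3 signed RSA certificates, the intent is presumably that swanctl handles the material with the builtin `gmp`/`sha3` plugins instead of OpenSSL, while `sha1` is likely only needed for key identifiers rather than any signature — both are inferences from the names, so please confirm. A one-line comment above `load` would spare the next reader from flagging `sha1` as a weak-hash regression, e.g. `# swanctl without openssl: gmp/sha3 for the SHA-3 RSA certs, sha1 only for key identifiers`.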
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644
index 1454ec54c2..0000000000
--- a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem
+++ /dev/null
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F - -1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b -/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ -/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o -Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ -f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 -LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv -06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC -e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr -3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC -sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily -c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy -UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h -XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T -iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO -Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO -v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO -t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H -8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA -jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p -p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS -7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk -GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ -4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 -yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd -+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644
index 1454ec54c2..0000000000
--- a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem
+++ /dev/null
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F - -1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b -/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ -/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o -Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ -f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 -LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv -06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC -e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr -3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC -sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily -c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy -UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h -XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T -iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO -Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO -v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO -t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H -8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA -jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p -p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS -7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk -GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ -4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 -yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd -+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC ------END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat index 20ec1561e6..247aabe179 100644 
--- a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongs moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> 
/dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf index db82791b81..c4e478475c 100755 --- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-peap - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf index 7f3b8104b3..b71866726a 100755 --- a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-peap - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat index dc56ba850d..1093e51ada 100644 --- a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat 
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat @@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES 
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongs moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> 
/dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf index db82791b81..c4e478475c 100755 --- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-peap - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf index 7f3b8104b3..b71866726a 100755 --- a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-peap - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf index 7ffdd1f4ce..54849aeecd 100755 
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -7,7 +7,7 @@ connections {
 local {
 auth = eap
 id = carol@strongswan.org
- aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
 }
 remote {
 auth = pubkey
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
index 97c0b7057d..da69a515d0 100755
--- a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -7,7 +7,7 @@ connections {
 local {
 auth = eap
 id = dave@strongswan.org
- aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
 }
 remote {
 auth = pubkey
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
index 52dc51a629..48a706d9d6 100644
--- a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
@@ -1,10 +1,10 @@ carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] 
remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf index cc3e770954..f556f8eba0 100755 --- a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-tls - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { 
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
index e3b7cf39ab..46d88143c4 100644
--- a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
@@ -1,9 +1,9 @@ -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf index 58786ba876..d8212a4358 100755 --- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf 
@@ -7,11 +7,11 @@ connections {
 local {
 auth = eap
 certs = carolCert.pem
- aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
 }
 remote {
 auth = pubkey
- id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
 }
 children {
 home {
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
index ebe5ffab7d..afed192d2f 100755
--- a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -9,7 +9,7 @@ connections {
 }
 remote {
 auth = eap-radius
- id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+ id = "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
 }
 children {
 net {
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
index cae0025f6f..e426bda2c2 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
+ load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
index cae0025f6f..e426bda2c2 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
+ load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
index 9c4e819c50..3b2845dcd8 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
+ load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
index 00282ab2b9..46d6be42a7 100644
--- a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongs moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> 
/dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf index 184aaa5d3e..96c30e3403 100755 --- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-ttls - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf index a77bd0079e..64b711db44 100755 --- a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = eap-ttls - id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org" } children { home { diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf index 7ffdd1f4ce..54849aeecd 100755 
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -7,7 +7,7 @@ connections {
 local {
 auth = eap
 id = carol@strongswan.org
- aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
 }
 remote {
 auth = pubkey
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
index 97c0b7057d..da69a515d0 100755
--- a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -7,7 +7,7 @@ connections {
 local {
 auth = eap
 id = dave@strongswan.org
- aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
 }
 remote {
 auth = pubkey
diff --git a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
index b2958919a3..dc9abe5570 100755
--- a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
+++ b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
@@ -1,9 +1,9 @@
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED 
mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.100 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.200 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] 
remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644
index 1454ec54c2..0000000000
--- a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem
+++ /dev/null
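Review bot: The new `local-id=..:..:.*` / `remote-id=..:..:.*` patterns on the four swanctl lines accept any key-ID-shaped identity, so this test no longer checks that the SA on moon for 192.168.0.100 was authenticated with carol's key rather than dave's — and since both responder SAs live under the same `rw` connection, nothing else in the hunk distinguishes the two peers. Dropping the fixed `0d:36:.*:cc:90` / `42:91:.*:f7:60` fragments is unavoidable once the certificates are regenerated, but the evaltest format already substitutes host placeholders such as `PH_IP_DAVE` elsewhere in this commit, so a placeholder for the freshly generated key IDs (e.g. `remote-id=PH_KEYID_CAROL`) would restore the binding if the harness can be taught to fill it in; I can't tell from this hunk whether it can. As a cheaper tightening, `[0-9a-f]{2}:[0-9a-f]{2}:.*` would at least reject non-hex identities that the bare `..:..:` still admits.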
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
index f1a074fed6..a322ca17f2 100755
--- a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,7 +2,7 @@ connections {
 home { local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
 local { auth = pubkey
@@ -10,11 +10,11 @@ connections {
 } remote { auth = pubkey
- pubkeys = moonPub.pem
+ pubkeys = moonPub.pem
 } children { home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes128gcm128-ecp256
@@ -24,11 +24,3 @@ connections {
 proposals = aes128-sha256-ecp256
 }
 }
-
-secrets {
-
- rsa-carol {
- file = carolKey.pem
- secret = "nH5ZQEWtku0RJEZ6"
- }
-}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
index 2dfc3cf416..1b172ee67e 100755
--- a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
+++ b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
@@ -1,9 +1,9 @@
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.100 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.200 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL 
protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644
index 1454ec54c2..0000000000
--- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem
+++ /dev/null
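Review bot: This is the key-ID variant of the road-warrior test, yet after this hunk the only thing the four swanctl expectations verify about the peer identity is that it looks like `..:..:` followed by anything — the binding between each SA and a specific key (`0d:36:.*:cc:90` for carol, `67:f6:.*:40:80` for dave) is gone, so a responder that matched the wrong key ID would still pass as long as the `rw-carol`/`rw-dave` connection names come out right. The fixed fragments cannot survive per-run certificate generation, but other evaltest.dat files in this commit already rely on `PH_IP_*` placeholders, so a similarly substituted key-ID placeholder would keep the assertion meaningful if the harness can provide one — I can't tell from this hunk whether it does. Failing that, `local-id=[0-9a-f]{2}:[0-9a-f]{2}:.*` (and the same for `remote-id=`) is a small tightening that at least pins the hex key-ID format.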
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
index f1a074fed6..a322ca17f2 100755
--- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,7 +2,7 @@ connections {
 home { local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
 local { auth = pubkey
@@ -10,11 +10,11 @@ connections {
 } remote { auth = pubkey
- pubkeys = moonPub.pem
+ pubkeys = moonPub.pem
 } children { home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes128gcm128-ecp256
@@ -24,11 +24,3 @@ connections {
 proposals = aes128-sha256-ecp256
 }
 }
-
-secrets {
-
- rsa-carol {
- file = carolKey.pem
- secret = "nH5ZQEWtku0RJEZ6"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
index a327dae633..d5d6fa5831 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
@@ -5,10 +5,10 @@ carol::cat /var/log/auth.log::received SASL Success result::YES
 carol::cat /var/log/auth.log::collected ... SW ID events::YES
 carol::cat /var/log/auth.log::collected 3 SW records::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org::YES
 alice::cat /var/log/daemon.log::certificate status is good::YES
 alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES
 alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
index bded669dad..2e40603fde 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
@@ -5,10 +5,10 @@ carol::cat /var/log/auth.log::collected ... SW ID records::YES
 carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
 carol::cat /var/log/auth.log::collected 1 SW record::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org::YES
 alice::cat /var/log/daemon.log::certificate status is good::YES
 alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
 moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index bed92fc386..3cf7e6bd54 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -5,13 +5,13 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> 
/dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 
remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES