From: Andreas Steffen Date: Fri, 9 Dec 2016 09:14:42 +0000 (+0100) Subject: Added swanctl/net2net-ed2559 scenario and needed Ed25519 certificates X-Git-Tag: 5.5.2dr3~4^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94ae1ac18e621a48ab1823447cf0bb6df29093e9;p=thirdparty%2Fstrongswan.git Added swanctl/net2net-ed2559 scenario and needed Ed25519 certificates --- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem new file mode 100644 index 0000000000..132b5d57a3 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4jCCAZSgAwIBAgIBAzAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDExWhcNMjExMjA0MjI0MDExWjBbMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MR0wGwYDVQQDDBRjYXJvbEBzdHJvbmdzd2FuLm9yZzAqMAUGAytlcAMh +APtwTFkrXyLYOWm9zlNm+ASZ3LzmpWmB2OwqnWZlFIXVo4GIMIGFMB8GA1UdIwQY +MBaAFCNOkpAKSIb2BV3+ead2AzqOcNj4MB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9u +Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh +bi5vcmcvc3Ryb25nc3dhbl9lZDI1NTE5LmNybDAFBgMrZXADQQAC5ukfb9FmxhM5 +ynVSrYUvCfii+zD7SjA+kFabRZ6tgoTWBBUONT31dwLpD0Aqe0z7SWLTXpeVVAl4 +JbhZsPUD +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem new file mode 100644 index 0000000000..18f0e088c2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4DCCAZKgAwIBAgIBBDAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjIzODQwWhcNMjExMjA0MjIzODQwWjBaMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRwwGgYDVQQDDBNkYXZlQHN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA +fYCNzyBpr3lne+kVB27q7O7TvMkERDB9kRnzNSx30hijgYcwgYQwHwYDVR0jBBgw +FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmwwBQYDK2VwA0EAEG4SjQX49xhuMiyn +86uOCxDWy08KUQRBLoqan+cPfYDPgCbblpbmJOoCBtcUyzEYQ+L/gCQzwLAUZSbK +MEj7Dg== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem new file mode 100644 index 0000000000..e67b224b6a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA +4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw +FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww +BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX +8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem new file mode 100644 index 0000000000..70af020176 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn +HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW +gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh +bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0 +cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG +AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq +8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem new file mode 100644 index 0000000000..5c3e2623d1 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIJk9u+XHU+E8YNCuj/bTDVRHbWDk2NzCyrTFqtzWRAv8 +-----END PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem new file mode 100644 index 0000000000..bf84ef3dd6 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIF17ReOyn64y7tmC11XyYzcALKmu9lkS0VnWSd0l54FX +-----END PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem new file mode 100644 index 0000000000..491d36430d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk +-----END PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem new file mode 100644 index 0000000000..b83f62c13c --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0 +-----END PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl new file mode 100644 index 0000000000..b0320ad25f Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl differ diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem new file mode 100644 index 0000000000..9c5a06945b --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw +GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g +RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow +TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG +A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G +lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4 +MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv +OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem new file mode 100644 index 0000000000..ae82fb9c0b --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIHb+63Ppcfc9m/E9EyoojCDUz6KcUmwTquU7sgpmctz0 +-----END PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl index 1a375e0512..1c62d643d0 100755 --- a/testing/hosts/winnetou/etc/openssl/generate-crl +++ b/testing/hosts/winnetou/etc/openssl/generate-crl @@ -63,3 +63,6 @@ cp strongswan_bliss.crl ${ROOT} cd /etc/openssl/sha3-rsa pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --digest sha3_256 > strongswan-sha3-rsa.crl cp strongswan-sha3-rsa.crl ${ROOT} +cd /etc/openssl/ed25519 +pki --signcrl --cacert strongswan_ed25519Cert.pem --cakey strongswan_ed25519Key.pem --lifetime 30 > strongswan_ed25519.crl +cp strongswan_ed25519.crl ${ROOT} diff --git a/testing/hosts/winnetou/etc/strongswan.conf b/testing/hosts/winnetou/etc/strongswan.conf index dfb9dbc5b2..a69df79abd 100644 --- a/testing/hosts/winnetou/etc/strongswan.conf +++ b/testing/hosts/winnetou/etc/strongswan.conf @@ -1,5 +1,5 @@ # strongswan.conf - strongSwan configuration file pki { - load = random pem sha1 sha2 sha3 pkcs1 pem gmp mgf1 bliss x509 + load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509 } diff --git a/testing/tests/swanctl/net2net-ed25519/description.txt b/testing/tests/swanctl/net2net-ed25519/description.txt new file mode 100755 index 0000000000..07839e0ae2 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates containing Ed25519 keys. +Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/swanctl/net2net-ed25519/evaltest.dat b/testing/tests/swanctl/net2net-ed25519/evaltest.dat new file mode 100755 index 0000000000..ebbb8ae753 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/evaltest.dat @@ -0,0 +1,7 @@ +moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..d766a705c4 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + default = 1 + } + } +} diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem new file mode 100644 index 0000000000..491d36430d --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk +-----END PRIVATE KEY----- diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..7f188e1c9c --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-curve25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-curve25519 + } +} diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 0000000000..e67b224b6a --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA +4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw +FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww +BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX +8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 0000000000..9c5a06945b --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw +GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g +RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow +TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG +A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G +lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4 +MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv +OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf new file mode 100755 index 0000000000..d766a705c4 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + default = 1 + } + } +} diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem new file mode 100644 index 0000000000..b83f62c13c --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0 +-----END PRIVATE KEY----- diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..d784bbd768 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-curve25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-curve25519 + } +} diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 0000000000..70af020176 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn +HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW +gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh +bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0 +cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG +AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq +8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 0000000000..9c5a06945b --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw +GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g +RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow +TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG +A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G +lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4 +MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv +OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat new file mode 100755 index 0000000000..8d47767a0a --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/swanctl/pkcs8/* +sun::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat new file mode 100755 index 0000000000..f939b3ac42 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/pretest.dat @@ -0,0 +1,9 @@ +moon::rm /etc/swanctl/rsa/moonKey.pem +sun::rm /etc/swanctl/rsa/sunKey.pem +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-ed25519/test.conf b/testing/tests/swanctl/net2net-ed25519/test.conf new file mode 100755 index 0000000000..07a3b247a1 --- /dev/null +++ b/testing/tests/swanctl/net2net-ed25519/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1