From: Tobias Brunner
Date: Thu, 16 Jul 2015 10:53:18 +0000 (+0200)
Subject: testing: Add ikev2/trap-any scenario
X-Git-Tag: 5.3.3rc1~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb1d9e454d911a14cd93b77e61037a71820b6d35;p=thirdparty%2Fstrongswan.git
testing: Add ikev2/trap-any scenario
---
diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2/trap-any/description.txt
new file mode 100644
index 0000000000..81e1482592
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/description.txt
@@ -0,0 +1,7 @@
+The hosts moon, sun and dave install transport-mode trap
+policies with right=%any. The remote host is dynamically determined based on
+the acquires received from the kernel. Host dave additionally limits the remote
+hosts to moon and sun with rightsubnet. This is tested by
+pinging sun and carol from moon, carol from sun, and
+sun and moon from dave. The latter also pings carol, which
+is not going to be encrypted as carol is not part of the configured rightsubnet.
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
new file mode 100644
index 0000000000..bcba9ef08b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -0,0 +1,33 @@
+moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
+moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
new file mode 100644
index 0000000000..a2d62296f2
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,16 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=add
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 0000000000..34647bc0bf
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..8e685c862a
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
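Review bot: The rightsubnet restriction on dave is only verified indirectly — `carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO` plus the plaintext `ICMP echo request` line — but nothing asserts that no ESP is ever exchanged between dave and carol, so a run in which dave did negotiate with carol and one echo still went out in the clear would pass. Adding `carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ESP::NO` and the reverse direction pins down the expected absence, using the same `::NO` form the status line already relies on. The `dave::ping -c 1 PH_IP_CAROL` line also differs from the `-c 2 -W 1` / `icmp_req=2` pattern of the trapped targets; presumably the first packet towards a trap policy only raises the acquire and is lost, which is why only the second reply is expected there — a sentence saying so in description.txt would spare readers that inference.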
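Review bot: The secret line `: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL` carries no identity selector, so the same PSK authenticates any peer identity, and the identical line is added for dave, moon and sun as well; combined with `right=%any` on every host, IKE proves possession of the group secret rather than which host is on the other end. That is fine for a fixture, but the dave/carol separation the scenario tests therefore rests on the rightsubnet policy alone, not on authentication, and a comment stating it keeps the design visible: `# wildcard PSK shared by all test hosts; peers are not individually authenticated`. All four secrets hunks are also committed without a trailing newline, which is harmless here but inconsistent with the other new files.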
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
new file mode 100644
index 0000000000..3c7adfbf93
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn trap-any
+ right=%any
+ rightsubnet=192.168.0.0/30
+ type=transport
+ authby=psk
+ auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 0000000000..34647bc0bf
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..8e685c862a
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..409bee2cbf
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
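Review bot: `rightsubnet=192.168.0.0/30` is the only thing that keeps dave's trap from covering every destination, and the hunk does not say which hosts that /30 is meant to include; the description names moon and sun, so a comment beside it, `# trap only traffic to moon and sun; other hosts (carol) stay in the clear`, keeps the intent tied to the value if addresses ever change. Unlike moon and sun, dave's config adds no `pass-ssh` conn, which presumably works only because the harness's SSH traffic falls outside that /30; widening the subnet later would trap SSH as well and cut off the test driver, so that dependency deserves a second comment, e.g. `# no pass-ssh needed: the /30 above does not cover the test host`. Carol's config at the top of this page uses `auto=add` rather than `auto=route` for the same conn name, which is presumably deliberate (carol only responds) but is not stated anywhere in the new files.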
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+ authby=never
+ leftsubnet=0.0.0.0/0[tcp/22]
+ rightsubnet=0.0.0.0/0[tcp]
+ type=pass
+ auto=route
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 0000000000..34647bc0bf
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..8e685c862a
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000000..71edc4c14e
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+ authby=never
+ leftsubnet=0.0.0.0/0[tcp/22]
+ rightsubnet=0.0.0.0/0[tcp]
+ type=pass
+ auto=route
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 0000000000..34647bc0bf
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..8e685c862a
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2/trap-any/posttest.dat
new file mode 100644
index 0000000000..1bf206e26f
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2/trap-any/pretest.dat
new file mode 100644
index 0000000000..0924078b35
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/pretest.dat
@@ -0,0 +1,5 @@
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::sleep 1
diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2/trap-any/test.conf
new file mode 100644
index 0000000000..742bf02bd2
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun carol dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun carol dave"