From 93bce6c1aaec9e92df13a94b83bb171e0deb494a Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 30 Jan 2015 16:32:04 +0100
Subject: [PATCH] testing: Add a simple CGA host-to-host transport mode test
case
---
testing/tests/ipv6/cga/description.txt | 7 ++++++
testing/tests/ipv6/cga/evaltest.dat | 7 ++++++
.../tests/ipv6/cga/hosts/moon/etc/ipsec.conf | 17 ++++++++++++++
.../cga/hosts/moon/etc/ipsec.d/certs/moon.cga | Bin 0 -> 319 bytes
.../ipv6/cga/hosts/moon/etc/strongswan.conf | 13 +++++++++++
.../tests/ipv6/cga/hosts/sun/etc/ipsec.conf | 17 ++++++++++++++
.../cga/hosts/sun/etc/ipsec.d/certs/sun.cga | Bin 0 -> 319 bytes
.../ipv6/cga/hosts/sun/etc/strongswan.conf | 13 +++++++++++
testing/tests/ipv6/cga/posttest.dat | 4 ++++
testing/tests/ipv6/cga/pretest.dat | 7 ++++++
testing/tests/ipv6/cga/test.conf | 21 ++++++++++++++++++
11 files changed, 106 insertions(+)
create mode 100644 testing/tests/ipv6/cga/description.txt
create mode 100644 testing/tests/ipv6/cga/evaltest.dat
create mode 100644 testing/tests/ipv6/cga/hosts/moon/etc/ipsec.conf
create mode 100644 testing/tests/ipv6/cga/hosts/moon/etc/ipsec.d/certs/moon.cga
create mode 100644 testing/tests/ipv6/cga/hosts/moon/etc/strongswan.conf
create mode 100644 testing/tests/ipv6/cga/hosts/sun/etc/ipsec.conf
create mode 100644 testing/tests/ipv6/cga/hosts/sun/etc/ipsec.d/certs/sun.cga
create mode 100644 testing/tests/ipv6/cga/hosts/sun/etc/strongswan.conf
create mode 100644 testing/tests/ipv6/cga/posttest.dat
create mode 100644 testing/tests/ipv6/cga/pretest.dat
create mode 100644 testing/tests/ipv6/cga/test.conf
diff --git a/testing/tests/ipv6/cga/description.txt b/testing/tests/ipv6/cga/description.txt
new file mode 100644
index 0000000000..575a33f4aa
--- /dev/null
+++ b/testing/tests/ipv6/cga/description.txt
@@ -0,0 +1,7 @@
+An IPv6 ESP transport connection between the hosts moon and sun is
+set up using Cryptographically Generated Addresses (RFC 3972). Both peers send
+the RSA based CGA parameters in certificate payloads to authenticate each other.
+
+To establish trust in CGA addresses, the CGA plugin trust option is
+set in strongswan.conf. To recognize the private use CGA parameters
+certificate exchange, the peers exchange strongSwan vendor ID payloads.
diff --git a/testing/tests/ipv6/cga/evaltest.dat b/testing/tests/ipv6/cga/evaltest.dat
new file mode 100644
index 0000000000..77d20f60db
--- /dev/null
+++ b/testing/tests/ipv6/cga/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::host-host.*ESTABLISHED::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::host-host.*INSTALLED::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED::YES
+moon::ping6 -c 1 fec0:\:3c93:f0e5:6eb8:8cf5::64 bytes from fec0:\:3c93:f0e5:6eb8:8cf5: icmp_seq=1::YES
+sun::tcpdump::IP6 fec0:\:208a:4d90:2951:1c97 > fec0:\:3c93:f0e5:6eb8:8cf5: ESP::YES
+sun::tcpdump::IP6 fec0:\:3c93:f0e5:6eb8:8cf5 > fec0:\:208a:4d90:2951:1c97: ESP::YES
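Review bot: Every check in evaltest.dat is a positive one, so the test would still pass if the peers authenticated by some means other than the CGA parameters; `host-host.*ESTABLISHED` only shows that an IKE_SA came up. Consider adding one line per host that greps the daemon log for the result of the CGA verification. The exact message depends on the plugin's log output, which is not visible in this patch. A companion scenario in which one host's address does not match its parameters, with the status check expecting `NO`, would show that the binding is actually enforced.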
diff --git a/testing/tests/ipv6/cga/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/cga/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..20aefc05c4
--- /dev/null
+++ b/testing/tests/ipv6/cga/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ leftcert=cga:moon.cga
+ left=fec0::208a:4d90:2951:1c97
+ right=fec0::3c93:f0e5:6eb8:8cf5
+ type=transport
+ auto=add
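Review bot: The `host-host` conn sets no `rightid`, so the only thing tying the peer's CGA parameters to the peer is presumably the default identity derived from `right=`. A comment above `right=` would make that explicit, for example `# no rightid: the peer identity is the right= address, which its CGA parameters must hash to`. With `trust = yes` set in strongswan.conf, that address match looks like the only remaining authentication constraint, so it should be visible to anyone reusing this conn. The same applies to the sun ipsec.conf hunk.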
diff --git a/testing/tests/ipv6/cga/hosts/moon/etc/ipsec.d/certs/moon.cga b/testing/tests/ipv6/cga/hosts/moon/etc/ipsec.d/certs/moon.cga
new file mode 100644
index 0000000000000000000000000000000000000000..b7b2c5b4a245af3e20b944cd84b4b5ef8882979a
GIT binary patch
literal 319
zc-jF!0l@yVxyjpXuKJddZl26Lw;5XgzyJUM00000FoFRhFbxI?Duzgg_YDC70R;d9
zf&mWzFoFRJ0)hbn0Hk~c`o$MP(f(ToGj#JaraQ2NVXqzwCIzTWn$m<;)HG_74(1sug=T#kS}YVgdBh(P|Jq#XtPza3L+FGWzQ1Y
zVlV-133H()o`P@oK860(L-+2nyuw?+a^lh+!BFpQ1yaw;y_k4oL1Un(Z-A>h;Z7$Y
z0(&xhi`&`xe9nG#>ASj%&^Q=B`SzKk#3W%Ny)kZ{LPP#yd=2L^Ei@c*8v>7Qb?_4|
ze`=#veiT^nfd=SuV6Jem1i{n;UIN)gegXc%%ZH7eElis3)0svb7IznDS@iR|@)bvH
RhFOoKf$@Gjp8^8`00A7ajw%2E
literal 0
Hc-jL100001
diff --git a/testing/tests/ipv6/cga/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/cga/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..d9abb109b1
--- /dev/null
+++ b/testing/tests/ipv6/cga/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ }
+}
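Review bot: `trust = yes` in the `cga` section carries no comment, although description.txt says this option is what establishes trust in CGA addresses here, apparently with no CA or pinned key involved. A line such as `# test only: trust any CGA parameters that verify against the peer's address` above the option would keep it from being copied into a deployment unnoticed. The `load` line also pulls in `des` and `md5`; if the scenario passes without them, dropping both would keep weak algorithms out of the proposal set. The sun strongswan.conf hunk is identical and needs the same treatment.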
diff --git a/testing/tests/ipv6/cga/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/cga/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000000..11703ada5e
--- /dev/null
+++ b/testing/tests/ipv6/cga/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ leftcert=cga:sun.cga
+ left=fec0::3c93:f0e5:6eb8:8cf5
+ right=fec0::208a:4d90:2951:1c97
+ type=transport
+ auto=add
diff --git a/testing/tests/ipv6/cga/hosts/sun/etc/ipsec.d/certs/sun.cga b/testing/tests/ipv6/cga/hosts/sun/etc/ipsec.d/certs/sun.cga
new file mode 100644
index 0000000000000000000000000000000000000000..eb87915f5ef095c79598cb00db3cef30ecbbadd3
GIT binary patch
literal 319
zc-jF!0l@wgk47Q=&`TkVY|?Vdi(4Tv7{!$y)8GRIBK-
z6sYC!6}~l9Lr*;(*vPXTfk*u+Ee~a9XH>OBr}j!AjZSK&OHO>BSGhDJ_0V5ymgzvk
zXe~fM8Dq>x>knuYaBqGTx?AR;?1*JDh7!U0b2S*#=VtOH3YtUvOLxRVJn!eA}En8!p%3>2IMIzL$xL^`?r{SRY7No&hazR)ODVULmDZzUW6
RWNLx`tRA@~Ap!#d00C}|h-v@;
literal 0
Hc-jL100001
diff --git a/testing/tests/ipv6/cga/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/cga/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..d9abb109b1
--- /dev/null
+++ b/testing/tests/ipv6/cga/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ }
+}
diff --git a/testing/tests/ipv6/cga/posttest.dat b/testing/tests/ipv6/cga/posttest.dat
new file mode 100644
index 0000000000..3f39235217
--- /dev/null
+++ b/testing/tests/ipv6/cga/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::"ip addr del fec0:\:208a:4d90:2951:1c97 dev eth0"
+sun::"ip addr del fec0:\:3c93:f0e5:6eb8:8cf5 dev eth0"
diff --git a/testing/tests/ipv6/cga/pretest.dat b/testing/tests/ipv6/cga/pretest.dat
new file mode 100644
index 0000000000..95d3bcb293
--- /dev/null
+++ b/testing/tests/ipv6/cga/pretest.dat
@@ -0,0 +1,7 @@
+moon::"ip addr add fec0:\:208a:4d90:2951:1c97 dev eth0"
+sun::"ip addr add fec0:\:3c93:f0e5:6eb8:8cf5 dev eth0"
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection host-host
+sun::expect-connection host-host
+moon::ipsec up host-host
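Review bot: Nothing between the two `ip addr add` lines and `ipsec up host-host` waits for the new addresses to leave the tentative state, so the initiation may race duplicate address detection if the guests have it enabled (not visible from this patch). Adding `nodad` to both commands, e.g. `moon::"ip addr add fec0:\:208a:4d90:2951:1c97 dev eth0 nodad"`, would remove that source of flakiness. The addresses are also added without a prefix length, so the test relies on an existing route on eth0 to reach the peer; a short comment in description.txt would record that assumption.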
diff --git a/testing/tests/ipv6/cga/test.conf b/testing/tests/ipv6/cga/test.conf
new file mode 100644
index 0000000000..0133bf66a3
--- /dev/null
+++ b/testing/tests/ipv6/cga/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--
2.47.2