From c1a1f9f548fb475b5a95ba8cf4a68c071bb081c7 Mon Sep 17 00:00:00 2001 
From: Andreas Steffen
Date: Wed, 10 Aug 2016 15:14:26 +0200
Subject: [PATCH] testing: Added swanctl/rw-newhope-bliss scenario
---
 .../swanctl/rw-newhope-bliss/description.txt | 14 +++++++
 .../swanctl/rw-newhope-bliss/evaltest.dat | 10 +++++
 .../hosts/carol/etc/strongswan.conf | 17 +++++++++
 .../carol/etc/swanctl/bliss/carolKey.der | Bin 0 -> 1182 bytes
 .../hosts/carol/etc/swanctl/swanctl.conf | 36 ++++++++++++++++++
 .../carol/etc/swanctl/x509/carolCert.der | Bin 0 -> 2175 bytes
 .../swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes
 .../hosts/dave/etc/strongswan.conf | 17 +++++++++
 .../hosts/dave/etc/swanctl/bliss/daveKey.der | Bin 0 -> 1310 bytes
 .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++++++++++++++
 .../hosts/dave/etc/swanctl/x509/daveCert.der | Bin 0 -> 2179 bytes
 .../swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes
 .../hosts/moon/etc/strongswan.conf | 17 +++++++++
 .../hosts/moon/etc/swanctl/bliss/moonKey.der | Bin 0 -> 1310 bytes
 .../hosts/moon/etc/swanctl/swanctl.conf | 26 +++++++++++++
 .../hosts/moon/etc/swanctl/x509/moonCert.der | Bin 0 -> 2200 bytes
 .../swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes
 .../swanctl/rw-newhope-bliss/posttest.dat | 8 ++++
 .../swanctl/rw-newhope-bliss/pretest.dat | 14 +++++++
 .../tests/swanctl/rw-newhope-bliss/test.conf | 25 ++++++++++++
 20 files changed, 212 insertions(+)
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/description.txt
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der
 create mode 100644 testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/posttest.dat
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/pretest.dat
 create mode 100755 testing/tests/swanctl/rw-newhope-bliss/test.conf
diff --git a/testing/tests/swanctl/rw-newhope-bliss/description.txt b/testing/tests/swanctl/rw-newhope-bliss/description.txt
new file mode 100755
index 0000000000..0a7f2489cf
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm
+with a cryptographical strength of 128 bits. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+carol, dave and moon, respectively.
+
+Both carol and dave request a virtual IP via the IKEv2 configuration payload.
+The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
+increasing order.
+
+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, carol and dave then ping
+the client alice behind the gateway moon. The source IP addresses of the two
+pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
new file mode 100755
index 0000000000..bcf614335d
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000000..046773fb2d
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+}
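Review bot: The checks in evaltest.dat do not test what description.txt in this patch describes: both ping lines run from alice towards 192.168.0.100 and 192.168.0.200, and every roadwarrior `local-ts` pattern expects the physical /32 address rather than an address from the 10.3.0.0/28 pool. The description says carol and dave request virtual IPs and ping alice from them, but carol's swanctl.conf, as far as it is visible here, has no `vips` setting. One of the two should be brought in line, most simply by rewording description.txt to say that the tunnels are host-to-subnet and are tested by alice pinging carol and dave. The description also still refers to `leftfirewall=yes`, while the swanctl configuration uses `updown = /usr/local/libexec/ipsec/_updown iptables`.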
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der new file mode 100644 index 0000000000000000000000000000000000000000..b2831a8ed469a917aa161d3c2852d028f4e77e54 GIT binary patch literal 1182 zc-jG;1Y!Fyf&`id3o8Zz1ObAeDg^=o1A+sA07tCvmAhSLzQ#RB-&;K_U@mt1lah<= z7A2(P89*4J3ClT%dIFFg=lM;V?24WNwwMssR_JQvz1sN~ zIl_>;)JWJrA1w`tJk$lFcdjkbXyz^ssel?(p^ENMe(8v8Yy-c=ZHW+R1Zu`y>Of(4 zPvPTd`cq$HSvTcJ=>;dL%FvVqL`OVSBdNk(t@81E@m3B4!f6mcjmDwqaB?( zw+d&>u5cDYyWKN-8 zCLpcc%PcQHg9VF0_12qg{@yhUf$%~2Um~{#P<$;>I&)!8eHhs!+<@wqopLjq;@7N> z;Q^nnEjLng!P?Q(p=viKo?^8SB_un?4zmulFL1VEh@qK{WB1!>y@4ZS^VOFW9C0Qf ztsuINtAeqRPrkIAIi4F~O{{46*M=JsFk@2Q$m{`ezG^{>h^DpX88iV4Jxv-%u7f77 z)menRO=6yeV}j7Y2Du(KFg`8eccDOtSDaP6ykgrQinJ4zI~-B|qW< zm|Rz6_EovUgC!zxVPNfoQFZ7k%h zdHCl~VEC}vA*ymcI9J7X1|4~TWJFOppsl?a6;r50qZamMzeD0k>PWeFlAPn zl2fiVCi<%JibnW(%|W+l=|A@)AR0WRDFn5I86T@`rGA$g-s6Ul@))M92A zIx;{onqwa#en@}Mp^97{=yn}wSpahSlpZ-I{zIznl?9TTT~@`$kOP5%0005p0002Y z006`Q0|3kr5EMW&5COo$@BkeX00RUN0dogH0Wbp)05k*y!0-hy7sCX>01ylS5CH%X z05HRFbU*+wRMcDmGXnr~P!tD1%)mt-F~9%=00aOG05CiO001yR000mi05Ai<07L)) z1H}ZvG&2AI#0(D|06+mT`~!i30MGys00Rd^F${B53{1dJ0K@=53i zA3*>^0RI3G8~_vy08hX$&_GN;006*1Fb^>Y0RRwO%s>D!0}ucJ09OD6JU|3M!2|$A wKmY_&!wdvK6ac`$KnDN-3_ZXDK*I$A1VIb|Ffb7SGywn%1OsqD01N=bFmb=)-2eap literal 0 Hc-jL100001 diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..5bffca662f --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.der
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-newhope128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-newhope128
+ fragmentation = yes
+ }
+}
+
+secrets {
+
+ rsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
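Review bot: The `secrets` section at the end of carol's swanctl.conf still declares `rsa-carol` with `file = carolKey.pem` and a passphrase, although this scenario authenticates with the BLISS key added as `bliss/carolKey.der` and pretest.dat runs `rm rsa/*` on carol before charon starts. The entry looks like a leftover from an RSA scenario: it points `swanctl --load-creds` at a file the test has just deleted (presumably this only logs a load failure, which is not verified here) and keeps a passphrase in a config that has no encrypted key to unlock. If the DER key is stored unencrypted, the whole `secrets { ... }` block can be dropped so the config shows only the credentials the test actually exercises.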
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der new file mode 100644 index 0000000000000000000000000000000000000000..8a520c0b4e5cedeefd6c775637615623bbea39b5 GIT binary patch literal 2175 zc-obedpy&N8^`TpNVHrx8k04Y%h&yqnM>~QdG<>rPHEQr%r$T`n`U?f6kwu*XRAbKF{;V^8vCYGl6Vzl^O^b1O`j$ zS9Uj#ICgpfTVT?=U?3g|mtCM2Yw9qa%#Wf?Zfj;=HxFa?WmhU+9J48L&y?(D)Nz3c_$gD z#i&J&l1<(^X@g3jg8U>3%etqfx{<;nr80^3l{ail_OrJ*D7Uz`@ERUeWhMzkC|cf3$~LNj<>;P z8sv!8xWiyJ>dhxY*&?F~bfpwN<~v83y)p4g*|MMAEpT~^SJ#uFTMNW%)7tbNM!(jV zLD1{#+v<*x1crim>_YNTin7?wK7uVw59WI9Maklo+ z`F~?SgcfxmIb`Q#4 zmhCV|yb@05o@0_eK8?9S(~NjOdRAdu(zg`!wZi7?cD6@PM}=jTY8as8jRxdiCxln!lCp>UU{}@502{p*XnU&a3G z*TbKxGdkqCY35;dfqSB$uEi)ccXnJzyias+3l-IEioVnk*$}Osm-cQGtvaYSt1@l4 zE9}!=w1IOI@>!mBltd4Fp|pgy1OF0S8sr!8N{6ZwU(RnB&r-W*{H|+}BYSQ>V_SHL z+7;Y5%m-^x*-U}l-042$s@QxnPItB?L-fWYRP^f;jV3D2!fzlIhRVpA;r6-<=@WNq zI6>q@`&k5N0g!jPOr0xwkz4{q`j&CL+f1?RO{)wiQO13{uIPFEM@_Vfb)62hGZ(4O zo33#TK4wWBeGOGKMuV0!nZF-)y0S&IvXblWD}Skwj>>qABb}0N(-rk?h=DwMr{qdc zFdju9`J=I?tCIPxYd0=3+1KCwQp^QcwfrTlQDWg;Z%Od6Fcg%aSth=MRBU{EGqNLX zY$k%Jy=dxLsgY4jkiU~_AqbCBwlcB>%1G+lkGULwz-0uf&84EE1H`E7#cGz=FAh!1 zXT&*W2Ym{?nLK+E~3NKl$k1fZ0qFh`>K?ma}-fgUvH*_LL^kLA8_`2lSG4$%Jp zv*W)5>QD>73^1uNssZx!qf=56tqcrE)L8xhW)1!$L&9TYl9TnnG5=GA-|E3dY-sS$ z;GW%kbUyHlHprZD9)5N{Ep)QyDP=tB-XSSq1Z|Pd^S8Md*BTQq*SztZxi+U9&L|7QoD3)k1P5LSH64nR^8BeU$x&Iv|KNH^I+56Y%?CsIW%`- zzr?P5Y=_IEqbpil+jsU>qSbd5)(_VW;d)L4H;vGb%DA~M+a^M`U5abv-u`XPfB&N8 zdAC8WtFl-13SvEnz`7BltY6o}R0AB!Hy1(kEpM-sVj%V!yM6clhH~}QX_H!|uTKk7y=N7Do{V^D zAAH41ie?;+@!0N?&aMcf8_9MvhaAWGp%!8#@aJr;#!dcuCJq$%&tR?7-NpkFUghU08>ko9>8^Y$W>kr)xH zbIgg>H7Z-*S{w+&nLXUurSgnTB*b5Q(5saf^1jj&Ds^7isfJ}|UoJ#I$O@9epL5HP4(28*%A%P2$WcOSQ*x9m zmFQ7FJheQ|Us05frJpDN^?E)3K7V~*@6YFt@9X==_l-@5YGczO!&P7q5Cnokls1$d zC~G3DoVb*+I1mC%uQCz?1H}MXcbpU!CJv@T#1SAz7n}-Kc^4!R@I+QZY)m92DI`YI zD8>5E$|jNf;k><6`&-8{~iC| 
z>(as1SoCiv0fD~(2ntRIa{#>wnbd#}jSx!&H5Pds*;*O>H|eFtv7C#Ve_YdiVVDMD zPIu6DTue2-T~MB5E2%0r!uMJ91Wal$`Cn}Q3NtpBR66!N75=)jf2KarW#p6sW=aT; z`?ivqeV~E%r*OfzJQ1(;h(^`DE*9WG%?``|sJd9QL@xpWs(jHKtnc*50AxX|;xVz? zCaen%Vt1~2$@R4A>6r5x^ZeDdf@gJU@Q&5fAJ~v5o^g)`gBt!BR^j_`iQR;k59aP1 zRp9iv=|_nHA8p-g0CmDO%Lm2M3RGA`?tK(3$ju^ z-7s6%>vifv9zT!DngBY^TB>grz`2-0f8-Xw#BZq5s=0JV4#rUU{CFLhV^=4`IB0|{ zyuU|m%Cl0XM5b|+Inm7!y?iL^gi&mxK5+Y&*#v1HAo`1-ivc!?|KaMUTgSULiL2bS>heif3$Y4vS8lW_K@e<5-vLqW zu-7HpS1v16!&H_h-I(Gfj__tr9p3w^4N`-0s%I+pg_BVL#grpr)vp7`3IYX-5><>; z6-%-r(O>2^@al1o3D>RUfm^9Xo$bs8D#qY3<(X<6eMOsD@vPQLe$;K83n)T0_$C*e zB=l8W#4qOK^V>?=N_W)qj{tjXoS&Sbj6Y^bh9eP}*#Z&7NL*ni_5sj-6)rId zyR2T=(gwCN&s!t-$DYee5A)^{?@ULyoXVA9^NUvPT)s>Uz)nS^$t70u>bw83_BCv_xCF`G1a!&2qw{)~?bunU(zNrdiIU%IVI?a*A8}$Atvr?8qKx zWc8C0T3B2hskce1JVfuPqt}N*1$dyj3`f-m16Y@Tkp)Zn+$6K18e*sS>4`K3_fdfr zRMXMB)$F!%xP$*$o?ABQlTyi-mJG9wzw!80Q1Csydh6ha=QWK zm!ib6YP&28K|zo!p&UQA=tx6Iki~WT(&W|Y%(pK8wxO$6-E(V#Neh^({fH0SnP zt@<@@Dy0rcV(sDa9e@{h2A?>ntec#K`PvZ48o{`!Cq)P2_g2_nYUK^nwAvrI4`0*$ zX2TUUNw_Bw3g8-tQ_2iU(A>;Ri)QQFeQJ-cx<3z@PBJ7%`0D!@-_04li1AFFnwgV= zG|MwY!A;T=Mm&I#E0yk2WH!XB(K&=!9*UyeXL&e#NLZ~N{85d(z^=_xS0gz~Y&+Wt zlpNs804GQFK#zxDXx-l--IsUjBRZ!%lp4Uo^U69R?O||A|Ia+yRDt~*e>3Cyd<}rS z%=_zx_Am*MB)=9V4FGV-AmQ0_@ib-8b4rfg_MwIHPW?N}>-dgXE$epErR23-8PbXU zXxW|u{V_|2R*TcK=;cDZ&)x3s)1~ncd-Ifu14XsXikq@M><#f$4#Huym}lE3@F@yl zMAOhvJPCT}lipY0n*sWS`b9Q*G0X3n?B|swqRC^LFxUuA`f*aLrVyJKGA224E-7YK z;ZObJq*wgBKDzWnL0nMDP8Qg!uwda8I6=)8U0zZ z35_8oW=Bre@7=!TI9MjCC(czIRZ_?{I+;+JVHpX>(V*Gnu|<_ftzWc3uS&;@GocYB zh7Wh{XO?z2aX?nEp)e!)+k|)6`&xSQa0ypCQdL{Vg9{@8sDq;KX4!td{Ym-;BzR9b zC^~w$4!%w6zNg$_OK%Q`Oprs>M`*>yxB}G+$y?bV?N&NLS+mR<>_wFt)Y{^plZ5tV z7{~BBn+|J02Yhq_xG}-)QIj5ZC5>|Ws7$?p2{k6UCXKVWY3r&)6;Q#;t literal 0 Hc-jL100001 diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..1253cbab17 --- /dev/null 
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+}
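Review bot: The charon `load` list in dave's strongswan.conf names `random nonce` twice, once at the start and again after `gmp`, unlike the otherwise identical lists for carol and moon in this patch. Whether the duplicate produces a warning at plugin load is not visible here, but the three hosts should carry the same list so that a difference in test results cannot be traced to plugin order. Suggested line: `load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici`.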
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der new file mode 100644 index 0000000000000000000000000000000000000000..0ec528ddf6695691e10aaffc4f5655c76bb5477e GIT binary patch literal 1310 zc-jFT1>yQIf(04|3o8Zz1ObAeDg^=q1A+sA0A+4`7aVP>4wc6^X4Nn>rA7lWsY^ed z$TTHR{BI1g7G~}5J5WF1y~@ioCNqWCkVJ|pZ?g-a?PP>ycHUwG4=QcAX{`oGUH2yz zB1u?Mpb)kbx?_q}*g06j0v@Dw5Zh6GS*n!3X1z;2ph{8fTSQc&BYjxefJU|Tq|sXs zHM)ZH>GgNEkoI+_s5y?mhY?#COn6d>xvh6W_(qv3+P+4yDu7BCGe^jLv*b_Og2XnM z(c*+Xa$}Yb>3A)qGgSEEQK^-INh=?wooG}uZB+0@M87sQ(Z(2%#Sj6L-?3@&Bpw2+ zBgIBHaF$RL!D^5x8%wPQj0d$T6cMFgb9&?NFa<|=Qw)bF@ZORF&^?N$k! zls-yGx#4D7@Z*eZE@d*o15|4vL6cI@FHn!V`ssz*ObVA z0Nk0BSB@q3tIIPs zYjv6`@=#Vv*sveON>+X5b|qJ9%$JAN-G2%|y1=(-78VrqAe$*BEHz1WQ!0F%VCn=A zUzMPG78&em(hH1D!D{9;e4NGRHIfy!=AfeE)-y?PS{Z*=be*s`0}l(t4jnJljSsYD zTFJm665NPhh5^THtYXIY@-nOXi&{OH7|+!KIXk*<))!!42_q>4Qv-p)02~4c1CBrd z0)GG?2mllS00000f)C&Uz$72X0CA4s00#q*0N{VXAMgl2fC&Kq&jj!=p01g2p5D){7Km-5)Ao5S+fCnHBdgO2j5|u(aQY2JJh@QH8>b_sxJ)h@!^Su0hzQ5n+x~>=358%O)0G`D5ajC`flK{0!_m%(ZD#m&0ndQA1N#=ngQ^@6+igj7lJ^) z2ysa;56l&#M{*FV5p`P&Zkq*<0Y(>yU|cQP`rLrgu7h7$Tbh)EKP>H~T2I{=yo*QU z(;ny9W$Ch7WXeArO{K@Z35!D3EA?` zToMo03A%%Ckgdu|F7JKp+^Vz^y`Cf!Ti1jmK61t#yifCM$J_GO*%xcfbGuI}_^43g z4`sGD9Jk#dmSCQC5t}f{Bm~}JfYUPL{FK*cQatiH)he1+xOF~WUx;_xcs~x!h6H=ba#*&pgEGQx=IQc z{9_WPmjDTecvo4aaOu95fzhRFRPrSp`h$m5sbC-JK>Mp;@8#(tmrf$F<`r8~b4+Yj z=#b&dlu(^@GfNQ1*{k;yEz=dQ(6psVEH)u!LnqU?nSGY#M4!vH8J^S`!o*yrE~y36 zm&4C=G(#pv1auCk*I>bw<*r{d(|dpNNxY>;{!|~Ex@&Fqb0{DVF?oV=$*oOLg9=O3 z0!7=hHmMOIzKq}?7O!SCYv5VPq++jZ4gc`f-v=|>!?*OMfmR%L@ulMOAnrQFV4vpa zDJ*oS^djdobE?K3%M?rx2wc(dksXVdN z(()l3O;UCJ*Nh;}r;9eX73K$dahLAmO~Tn{F)LIL(u7F8kK~a!8@J0de5mN;*o!1- zn~t8Vp~}iipEOE!(R+*?*{&E)S-=8B-oKzcK^gfz^r1|SQ*YR;F{iA5*7(e}w%PK^ z>2bVcls7WTGxnUw3@j(pw{@q%=qb4?!QOXzG!>s`_@#qxGwXwHt*;nf`jYK!RjhJ< z3}n8ygEfu_2$0g!g}7F6(*Q2-&nDTa1yKQ%la=OZTn}O?`p_h;JZ_D?=>!TDGimUo5s_gD%{$%19QDv_zQ(FT 
zz;W&Qp*op;EaTXx1>+0joyT@LR=elj3g9p7oDV{*F;x2YBRT>o#glV>B}B3_wT^aye+*8}DUH&_&q(dT-** zRhQHEkbo{*x^Z`lO?s`y1GlZ#iuMQ7D|Fr7pAhvmzUaVO(aIhqaL|jBpncZxZ(B-I za|;8mr!>qw!rav;i)y%z6TuuS3i>(ZOk~UHm`Iyzs@{)}RMmBhiQ~s61;R~cV$}6g zu|-%oqY_CN-Avc3cX>O4wx+Qn zWVPjZBAWQxvA4^POfQe{XNytN3n z>jZjzPb2|W_myF0Cbjdp!iuD@Y9^Tvoq5QAd5^(c3xSD*308u$>9*Rh`U8W;pX|1U zoIotvD$SpvfMuQik^@j_`P?3*s^39|e-x(mI^5y#XZZbdNaeY#dSUzqbdyw}c6$gr zl2%|xHyBbW&Ts|}Xh6pB%u zN&6r~-;7{TJ2ZLpP#1;SO7}Ij&Z^>wL{7w(uSl|^wLsM;`^Gs!<>*|eUi0niUDFW<>C-4P)NW_H)USbO{BBI7 OnE@Ba-`_Dzi~cv+MxrSI literal 0 Hc-jL100001 
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der new file mode 100644 index 0000000000000000000000000000000000000000..fdfd39f138368750d6d2dc478ce4823851ef2023 GIT binary patch literal 2086 zc-pO$c{~#iAIEoLbK7Pzx4DmOOLG@v5_8TZqM2)>pL5HP4(28*%A%P2$WcOSQ*x9m zmFQ7FJheQ|Us05frJpDN^?E)3K7V~*@6YFt@9X==_l-@5YGczO!&P7q5Cnokls1$d zC~G3DoVb*+I1mC%uQCz?1H}MXcbpU!CJv@T#1SAz7n}-Kc^4!R@I+QZY)m92DI`YI zD8>5E$|jNf;k><6`&-8{~iC| z>(as1SoCiv0fD~(2ntRIa{#>wnbd#}jSx!&H5Pds*;*O>H|eFtv7C#Ve_YdiVVDMD zPIu6DTue2-T~MB5E2%0r!uMJ91Wal$`Cn}Q3NtpBR66!N75=)jf2KarW#p6sW=aT; z`?ivqeV~E%r*OfzJQ1(;h(^`DE*9WG%?``|sJd9QL@xpWs(jHKtnc*50AxX|;xVz? zCaen%Vt1~2$@R4A>6r5x^ZeDdf@gJU@Q&5fAJ~v5o^g)`gBt!BR^j_`iQR;k59aP1 zRp9iv=|_nHA8p-g0CmDO%Lm2M3RGA`?tK(3$ju^ z-7s6%>vifv9zT!DngBY^TB>grz`2-0f8-Xw#BZq5s=0JV4#rUU{CFLhV^=4`IB0|{ zyuU|m%Cl0XM5b|+Inm7!y?iL^gi&mxK5+Y&*#v1HAo`1-ivc!?|KaMUTgSULiL2bS>heif3$Y4vS8lW_K@e<5-vLqW zu-7HpS1v16!&H_h-I(Gfj__tr9p3w^4N`-0s%I+pg_BVL#grpr)vp7`3IYX-5><>; z6-%-r(O>2^@al1o3D>RUfm^9Xo$bs8D#qY3<(X<6eMOsD@vPQLe$;K83n)T0_$C*e zB=l8W#4qOK^V>?=N_W)qj{tjXoS&Sbj6Y^bh9eP}*#Z&7NL*ni_5sj-6)rId zyR2T=(gwCN&s!t-$DYee5A)^{?@ULyoXVA9^NUvPT)s>Uz)nS^$t70u>bw83_BCv_xCF`G1a!&2qw{)~?bunU(zNrdiIU%IVI?a*A8}$Atvr?8qKx zWc8C0T3B2hskce1JVfuPqt}N*1$dyj3`f-m16Y@Tkp)Zn+$6K18e*sS>4`K3_fdfr zRMXMB)$F!%xP$*$o?ABQlTyi-mJG9wzw!80Q1Csydh6ha=QWK zm!ib6YP&28K|zo!p&UQA=tx6Iki~WT(&W|Y%(pK8wxO$6-E(V#Neh^({fH0SnP zt@<@@Dy0rcV(sDa9e@{h2A?>ntec#K`PvZ48o{`!Cq)P2_g2_nYUK^nwAvrI4`0*$ zX2TUUNw_Bw3g8-tQ_2iU(A>;Ri)QQFeQJ-cx<3z@PBJ7%`0D!@-_04li1AFFnwgV= zG|MwY!A;T=Mm&I#E0yk2WH!XB(K&=!9*UyeXL&e#NLZ~N{85d(z^=_xS0gz~Y&+Wt zlpNs804GQFK#zxDXx-l--IsUjBRZ!%lp4Uo^U69R?O||A|Ia+yRDt~*e>3Cyd<}rS z%=_zx_Am*MB)=9V4FGV-AmQ0_@ib-8b4rfg_MwIHPW?N}>-dgXE$epErR23-8PbXU zXxW|u{V_|2R*TcK=;cDZ&)x3s)1~ncd-Ifu14XsXikq@M><#f$4#Huym}lE3@F@yl zMAOhvJPCT}lipY0n*sWS`b9Q*G0X3n?B|swqRC^LFxUuA`f*aLrVyJKGA224E-7YK 
z;ZObJq*wgBKDzWnL0nMDP8Qg!uwda8I6=)8U0zZ z35_8oW=Bre@7=!TI9MjCC(czIRZ_?{I+;+JVHpX>(V*Gnu|<_ftzWc3uS&;@GocYB zh7Wh{XO?z2aX?nEp)e!)+k|)6`&xSQa0ypCQdL{Vg9{@8sDq;KX4!td{Ym-;BzR9b zC^~w$4!%w6zNg$_OK%Q`Oprs>M`*>yxB}G+$y?bV?N&NLS+mR<>_wFt)Y{^plZ5tV z7{~BBn+|J02Yhq_xG}-)QIj5ZC5>|Ws7$?p2{k6UCXKVWY3r&)6;Q#;t literal 0 Hc-jL100001 diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..69a39e885d --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} 
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der new file mode 100644 index 0000000000000000000000000000000000000000..c989f91e58a61c46f4b4c4fc23ce0cb32be59822 GIT binary patch literal 1310 zc-jFT1>yQIf(04|3o8Zz1ObAeDg^=r1A+sA07lha3iG2uu-(6MhgbQowZoAUC$%MR zjyVpbA*t=mLBRsvC2kCpkmQ3K}{n~FKWu<&PNbV{db zyWwkg?9h0^RE21j1>n@C|A9h~%IpXhc_nTd&%|D9B4_6L6QyyfGuKkVQKT?d*c4MT zAIPS=etQ})FDCCq@ir^uH9?KL%0H_tc>ZYI{NEl<}Vv6KwvLxkB=f<}=A{gc2LS(d#DPv#$ zROMJTq84BymRq}Yr$IcS4dr$#eQ_N3#rw~{Wj)h-^GrQo<5o&soOv zI1nOEN0^92N(%_9*rvPdkpcyDFg5T?oJQVBSSC*qEvf*4oR|NU?iowf=o5bJyn%(2 zxD8?^Nn3(3uDHT5{}07+IN(U48`}<^>#L}f@hsNyL2E9kzwRu?^r@k9m`BGogsSujKUoMJwR%^z zq6S+j2jt}syr;?+BdwLy6?yOAs#y5 z5C{N}P$2Qg0DeFKl5iYi2LA#;;Q$CD@(%;yzypE700*9Ufx!R*Pve4k1n@W=amVBV zz(0a901?Ol5CQ-KKU|Ip00IExfPmwGQ3UV^C-5-+0EQr*4;!J#Ab^M*4hI|%2P5(M z_yRcG@xULDKj3fx00H zPZME)xPZuE0T4fk$~1sNKu|uw6D0x&2|)b$1>j&OG)fVW|0;yxQbZCVF(KMFH7r5R zn~)fHHiCpw2UNd82wd(vc+A7i*H`USVj@Y+$q`VI6+@W=mL`@cOEXiHd7!MA3Gkf+ zg8q+jk_X!!KoL0X+YC1hN(oT-wgLQHVqyaFTM_Y~2$@KT2B?sl1OCr}AkcRL41-W1 z6h4>fVBz;S9q-Kb5^@4|TRI-o;kq5#2}Rb2>eL%I#vD1|dF=$X!7=go*S)1y@@1AI z4d}BUCuUNn;+|y7E*VX-Kcy6Cr-Tk(OBHsDowVu}^w_t_$a57fY&l=?QCq(zziVC* z!IZc23HuTbTRfzTR^GZ}XdFynlQR`QFmF&V~>`#@G@uIF1ny0aM_L2|zp+r1cn{`ZNrKELdkGU&n->kH*r@#ya`M7nl@ z!n6L6c#Y_lU3h(Rqv?xN9G^M>Gb`KZvjKz&HV2S(a@mUR1z;%!UoCL~%s#rLrT4MnE1U?DAg8a*1yK)vvKaRur7@yx8f z#=2Ed(k+KdmOdZ3I-(Vtv2d69SQ)VcH(Q0>3PFqs-op0mc#Rx zW7@QMUaN!mtTp6#i^n3{i}WMT?ECSs=Cz1W&GMjb(k(~Z8ZqAa!+CK9Yo29wzomnrB*1+0M77Jj8&>C} zq)`(erTW^J(s%MFrq|#XHy%*3OW0!JI&MK!R13Qg_#!@#Y_)){ReW{m#@ptGk}boT zEys9dL+?Ao!JWn$VukCFM@XwCy+B^x@W~~NYB^^*QJ1VMLM&?$$YoV_9BUB@PNIjb zQsN!o_&&WpLTlO)vd6)cJAMf0s1*p(7hL9vKe#n2t9iR@S|$*WwKB}VnCZ?9$oGQ# z3~lY-Uib3CIEvukQxU6M$lwz4|l{fIBu_y+)YXqK)LpBBT?4mmje)F>9q(7=0tq7K7X)fqeDgd`V4Im4XAugkmQ#I zWT^l1*Wq8eHoqt!EC4(BaVS&}0s`#6237g301Lp3X~G09BV$OUBpYMn2m<~;8W{g0 
z&xGS+iA3Z<&VSkCfn|8|jRax`EAvR;c3S#r!b#U(IiGgzo-h3PC)%4OWRWsJNV;8! zR>YZaykq&JlqA@4`yx}jJ3=_LvAluV_K`9VlrtKo<^H+!M*WgdBu3#-Qbrs^o>GeQ zR3;Z##SAqGPfuKTUM+XOhq%eP1>ENtm{A5s9~|dM8XK8XUR&hugZ;`yIwhswQ&UwxfJptc)8oEjx1z0#Cuq?2lUSU zD(dvM;#ebKjnpwokfmA9&nn#&t#xTdyX_6HAS`_Nf9Y~>R4^g3s&T8bNN9{$#HfYs z)hjI^%DBO)GrpRo6UT@W2E)a zatpZXc5gE;Fh^%~!nv{kn$TZT&-!IzbRvfN7!2z>li-W3%O+{e%5K6)SekI*A6XCe z;xdO}74PM6{+dcfx;=je`0W|U3$LTfm@TgLk{+QG)cAdW)*P};Pg^5?jXPlHOvfd%gC*)d$ zSr`d+*2#aa7N~Kj#Sig0@yZzD#irpG2IyE@b?xxt_LI4}{@B~uzh%+)dDPsouBp^K zd)jaGD%`F2;iAFg#YTMySlC<&sTd#{!|3KTM7;%RflW%yE*b zX>6)Kk9&xr)V^GxDQECgiD%&k#K5bObT-U$*P2^vif3*^6=8;ijfZsOg2q zot{&a^Ax);F2>z~u%9!;c`H?1X?VTD_#@`{tH9J8>V+3z3!1RG*=YN&%?#;vWMy;s z1pTt<4QnuH?I(*mIcjHham{gyqalx}E6h!5EV(ar$0gciG0jyy^Rr+32Q6VevlTw) eU8ln`p@_abLtOe$d;rq!Qo1o={jU6sBl&OMV6ET) literal 0 Hc-jL100001 
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der new file mode 100644 index 0000000000000000000000000000000000000000..fdfd39f138368750d6d2dc478ce4823851ef2023 GIT binary patch literal 2086 zc-pO$c{~#iAIEoLbK7Pzx4DmOOLG@v5_8TZqM2)>pL5HP4(28*%A%P2$WcOSQ*x9m zmFQ7FJheQ|Us05frJpDN^?E)3K7V~*@6YFt@9X==_l-@5YGczO!&P7q5Cnokls1$d zC~G3DoVb*+I1mC%uQCz?1H}MXcbpU!CJv@T#1SAz7n}-Kc^4!R@I+QZY)m92DI`YI zD8>5E$|jNf;k><6`&-8{~iC| z>(as1SoCiv0fD~(2ntRIa{#>wnbd#}jSx!&H5Pds*;*O>H|eFtv7C#Ve_YdiVVDMD zPIu6DTue2-T~MB5E2%0r!uMJ91Wal$`Cn}Q3NtpBR66!N75=)jf2KarW#p6sW=aT; z`?ivqeV~E%r*OfzJQ1(;h(^`DE*9WG%?``|sJd9QL@xpWs(jHKtnc*50AxX|;xVz? zCaen%Vt1~2$@R4A>6r5x^ZeDdf@gJU@Q&5fAJ~v5o^g)`gBt!BR^j_`iQR;k59aP1 zRp9iv=|_nHA8p-g0CmDO%Lm2M3RGA`?tK(3$ju^ z-7s6%>vifv9zT!DngBY^TB>grz`2-0f8-Xw#BZq5s=0JV4#rUU{CFLhV^=4`IB0|{ zyuU|m%Cl0XM5b|+Inm7!y?iL^gi&mxK5+Y&*#v1HAo`1-ivc!?|KaMUTgSULiL2bS>heif3$Y4vS8lW_K@e<5-vLqW zu-7HpS1v16!&H_h-I(Gfj__tr9p3w^4N`-0s%I+pg_BVL#grpr)vp7`3IYX-5><>; z6-%-r(O>2^@al1o3D>RUfm^9Xo$bs8D#qY3<(X<6eMOsD@vPQLe$;K83n)T0_$C*e zB=l8W#4qOK^V>?=N_W)qj{tjXoS&Sbj6Y^bh9eP}*#Z&7NL*ni_5sj-6)rId zyR2T=(gwCN&s!t-$DYee5A)^{?@ULyoXVA9^NUvPT)s>Uz)nS^$t70u>bw83_BCv_xCF`G1a!&2qw{)~?bunU(zNrdiIU%IVI?a*A8}$Atvr?8qKx zWc8C0T3B2hskce1JVfuPqt}N*1$dyj3`f-m16Y@Tkp)Zn+$6K18e*sS>4`K3_fdfr zRMXMB)$F!%xP$*$o?ABQlTyi-mJG9wzw!80Q1Csydh6ha=QWK zm!ib6YP&28K|zo!p&UQA=tx6Iki~WT(&W|Y%(pK8wxO$6-E(V#Neh^({fH0SnP zt@<@@Dy0rcV(sDa9e@{h2A?>ntec#K`PvZ48o{`!Cq)P2_g2_nYUK^nwAvrI4`0*$ zX2TUUNw_Bw3g8-tQ_2iU(A>;Ri)QQFeQJ-cx<3z@PBJ7%`0D!@-_04li1AFFnwgV= zG|MwY!A;T=Mm&I#E0yk2WH!XB(K&=!9*UyeXL&e#NLZ~N{85d(z^=_xS0gz~Y&+Wt zlpNs804GQFK#zxDXx-l--IsUjBRZ!%lp4Uo^U69R?O||A|Ia+yRDt~*e>3Cyd<}rS z%=_zx_Am*MB)=9V4FGV-AmQ0_@ib-8b4rfg_MwIHPW?N}>-dgXE$epErR23-8PbXU zXxW|u{V_|2R*TcK=;cDZ&)x3s)1~ncd-Ifu14XsXikq@M><#f$4#Huym}lE3@F@yl zMAOhvJPCT}lipY0n*sWS`b9Q*G0X3n?B|swqRC^LFxUuA`f*aLrVyJKGA224E-7YK 
z;ZObJq*wgBKDzWnL0nMDP8Qg!uwda8I6=)8U0zZ z35_8oW=Bre@7=!TI9MjCC(czIRZ_?{I+;+JVHpX>(V*Gnu|<_ftzWc3uS&;@GocYB zh7Wh{XO?z2aX?nEp)e!)+k|)6`&xSQa0ypCQdL{Vg9{@8sDq;KX4!td{Ym-;BzR9b zC^~w$4!%w6zNg$_OK%Q`Oprs>M`*>yxB}G+$y?bV?N&NLS+mR<>_wFt)Y{^plZ5tV z7{~BBn+|J02Yhq_xG}-)QIj5ZC5>|Ws7$?p2{k6UCXKVWY3r&)6;Q#;t literal 0 Hc-jL100001 diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat new file mode 100755 index 0000000000..d7107ccc6e --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat new file mode 100755 index 0000000000..a550a2f6db --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem +carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem +dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-newhope-bliss/test.conf b/testing/tests/swanctl/rw-newhope-bliss/test.conf
new file mode 100755
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-- 
2.47.2