From fd6ac87fc3b54bb55cb43e0b38b2784ffe66a2bd Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Jean-Fran=C3=A7ois=20Hren?= Date: Tue, 29 Oct 2024 11:27:38 +0100 Subject: [PATCH] testing: Add ha/active-passive-multi-ke scenario --- testing/scripts/build-certs-chroot | 4 +- .../active-passive-multi-ke/description.txt | 8 +++ .../ha/active-passive-multi-ke/evaltest.dat | 34 +++++++++++ .../hosts/alice/etc/iptables.rules | 57 +++++++++++++++++++ .../hosts/alice/etc/strongswan.conf | 17 ++++++ .../hosts/alice/etc/swanctl/swanctl.conf | 25 ++++++++ .../hosts/carol/etc/strongswan.conf | 5 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 27 +++++++++ .../hosts/dave/etc/strongswan.conf | 6 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 27 +++++++++ .../hosts/moon/etc/iptables.rules | 57 +++++++++++++++++++ .../hosts/moon/etc/strongswan.conf | 16 ++++++ .../hosts/moon/etc/swanctl/swanctl.conf | 25 ++++++++ .../ha/active-passive-multi-ke/posttest.dat | 22 +++++++ .../ha/active-passive-multi-ke/pretest.dat | 27 +++++++++ .../ha/active-passive-multi-ke/test.conf | 25 ++++++++ testing/tests/ha/active-passive/evaltest.dat | 2 +- 17 files changed, 381 insertions(+), 3 deletions(-) create mode 100644 testing/tests/ha/active-passive-multi-ke/description.txt create mode 100644 testing/tests/ha/active-passive-multi-ke/evaltest.dat create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/iptables.rules create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/iptables.rules 
create mode 100644 testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ha/active-passive-multi-ke/posttest.dat create mode 100644 testing/tests/ha/active-passive-multi-ke/pretest.dat create mode 100644 testing/tests/ha/active-passive-multi-ke/test.conf
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 161139f048..0cafb99ce5 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
@@ -733,8 +733,8 @@ mkdir -p ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
 cp ${TEST_KEY} ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
 cp ${TEST_CERT} ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
-# Put a copy into the ha/active-passive and swanctl/redirect-active scenarios
-for t in ha/active-passive ikev2/redirect-active
+# Put a copy into the ha/active-passive, ha/active-passive-multi-ke and swanctl/redirect-active scenarios
+for t in ha/active-passive ha/active-passive-multi-ke ikev2/redirect-active
 do
 TEST="${TEST_DIR}/${t}"
 for h in alice moon
diff --git a/testing/tests/ha/active-passive-multi-ke/description.txt b/testing/tests/ha/active-passive-multi-ke/description.txt
new file mode 100644
index 0000000000..750048073f
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each using
+multiple key exchanges to the virtual gateway mars implemented by the
+two real gateways alice and moon in a High Availability
+(HA) setup based on ClusterIP. The HA synchronization link between the
+two gateways is secured by an IPsec transport connection. At the outset
+alice is the active and moon is the passive gateway.
+After alice gets killed moon automatically takes over
+all existing IKE_SAs and CHILD_SAs.
diff --git a/testing/tests/ha/active-passive-multi-ke/evaltest.dat b/testing/tests/ha/active-passive-multi-ke/evaltest.dat
new file mode 100644
index 0000000000..fb872f94ca
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/evaltest.dat
@@ -0,0 +1,34 @@
+alice::cat /var/log/daemon.log::HA segment 1 was not handled, taking::YES
+moon:: cat /var/log/daemon.log::remote node takes segment 1::YES
+alice::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=500 local-id=10.1.0.10 remote-host=10.1.0.1 remote-port=500 remote-id=10.1.0.1.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]] remote-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]]::YES
+alice::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=500 local-id=10.1.0.10 remote-host=10.1.0.1 remote-port=500 remote-id=10.1.0.1.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]] remote-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]]::YES
+alice::swanctl --list-sas --ike-id 3 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096 ake3=ML_KEM_768.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+alice::swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*net.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=500 local-id=10.1.0.1 remote-host=10.1.0.10 remote-port=500 remote-id=10.1.0.10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]] remote-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]]::YES
+moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=500 local-id=10.1.0.1 remote-host=10.1.0.10 remote-port=500 remote-id=10.1.0.10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]] remote-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]]::YES
+moon ::swanctl --list-sas --ike-id 3 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096 ake3=ML_KEM_768.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon ::swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*net.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.5 remote-port=4500 remote-id=mars.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.5 remote-port=4500 remote-id=mars.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+alice::cat /var/log/daemon.log::HA segment 1 activated::YES
+alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::ip xfrm policy flush::no output expected::NO
+alice::ip xfrm state flush::no output expected::NO
+alice::systemctl kill -s SIGKILL strongswan::no output expected::NO
+carol::sleep 2::no output expected::NO
+moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES
+moon ::swanctl --list-sas --ike-id 3 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon ::swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=MODP_4096.*child-sas.*net.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
+carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
+dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES
+venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/iptables.rules b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/iptables.rules
new file mode 100644
index 0000000000..873578632f
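Review bot: The two patterns that matter most for this scenario do not pin the third key exchange: carol's own `swanctl --list-sas` check and moon's post-takeover check for IKE_SA 3 end the IKE part with `dh-group=CURVE_25519 ake1=MODP_4096.*child-sas`, whereas the pre-failover checks on alice and on the still-passive moon for the same SA include `ake3=ML_KEM_768`. Because `.*` follows, both patterns pass whether or not ML-KEM-768 is present, so the test never verifies that the additional key exchange survives the takeover, which is the one thing that distinguishes it from ha/active-passive. Unless the omission is deliberate (for example because the adopted SA on moon does not report `ake3`, which I cannot tell from here), tighten both to `dh-group=CURVE_25519 ake1=MODP_4096 ake3=ML_KEM_768.*child-sas`; if it is deliberate, the reason belongs in description.txt.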
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/iptables.rules
@@ -0,0 +1,57 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0
+-A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow esp on internal interface
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p 50 -j ACCEPT
+
+# allow IKE on internal interface
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/strongswan.conf b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000000..8f57ee9d36
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 curl revocation vici kernel-netlink socket-default ha ml
+
+ plugins {
+ ha {
+ local = PH_IP_ALICE
+ remote = PH_IP_MOON1
+ secret = PliyxREnfoPaSXDJx1NrlH0kkKXT/LWZ
+ segment_count = 1
+ fifo_interface = yes
+ monitor = yes
+ }
+ }
+}
+
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e80ee42898
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.5
+
+ local {
+ auth = pubkey
+ certs = marsCert.pem
+ id = mars.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519-ke1_modp4096-ke3_mlkem768-ke3_none
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519-ke1_modp4096-ke3_mlkem768-ke3_none
+ }
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/strongswan.conf b/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..53ec857944
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/strongswan.conf
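Review bot: `-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT` in the "allow IGMP multicasts" section can never match, because a multicast group address is never the source address of a packet this host generates; with `-P OUTPUT DROP` in force, any IGMP report alice itself emits is still dropped. The rule is presumably inherited from the existing ha/active-passive scenario, so the CLUSTERIP setup evidently works in this lab without it, in which case it is dead and should be removed or annotated; if outbound IGMP is actually intended, it should be `-A OUTPUT -d 224.0.0.0/4 -p igmp -j ACCEPT`. The same line is in moon's rules.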
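Review bot: The `-ke3_mlkem768-ke3_none` tail on both `proposals` and `esp_proposals` of the `rw` connection appears to be what lets dave, whose configuration loads no `ml` plugin and proposes no `ke3_` method, connect at all while carol negotiates ML-KEM-768, and nothing in the file says so. A one-line comment above `proposals` would keep the next editor from tidying the `ke3_none` away: `# ke3_none lets peers without ML-KEM (dave) connect; carol negotiates ke3_mlkem768`. The identical moon/etc/swanctl/swanctl.conf in this patch would want the same comment.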
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 curl revocation vici kernel-netlink socket-default updown ml
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..5b18917cf6
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.5
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = mars.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519-ke1_modp4096-ke3_mlkem768
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519-ke1_modp4096-ke3_mlkem768
+ }
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/strongswan.conf b/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..e785a90cda
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 curl revocation vici kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..dc3ccf0fcc
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.5
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = mars.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519-ke1_modp4096
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519-ke1_modp4096
+ }
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/iptables.rules b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/iptables.rules
new file mode 100644
index 0000000000..09df2225cb
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/iptables.rules
@@ -0,0 +1,57 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0
+-A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow esp on internal interface
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p 50 -j ACCEPT
+
+# allow IKE on internal interface
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/strongswan.conf b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..72bc21da78
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 curl revocation vici kernel-netlink socket-default ha ml
+
+ plugins {
+ ha {
+ local = PH_IP_MOON1
+ remote = PH_IP_ALICE
+ secret = PliyxREnfoPaSXDJx1NrlH0kkKXT/LWZ
+ segment_count = 1
+ fifo_interface = yes
+ monitor = yes
+ }
+ }
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e80ee42898
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.5
+
+ local {
+ auth = pubkey
+ certs = marsCert.pem
+ id = mars.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519-ke1_modp4096-ke3_mlkem768-ke3_none
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519-ke1_modp4096-ke3_mlkem768-ke3_none
+ }
+}
diff --git a/testing/tests/ha/active-passive-multi-ke/posttest.dat b/testing/tests/ha/active-passive-multi-ke/posttest.dat
new file mode 100644
index 0000000000..e62d23ef52
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/posttest.dat
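Review bot: As in alice's rules, `-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT` under "allow IGMP multicasts" cannot match anything moon sends, since a multicast group address never appears as the source of a locally generated packet, so with `-P OUTPUT DROP` it grants nothing. Either drop the line or, if outbound IGMP is really needed for the CLUSTERIP multicast MAC, change it to `-A OUTPUT -d 224.0.0.0/4 -p igmp -j ACCEPT`; whichever applies, both hosts' files should be changed together.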
@@ -0,0 +1,22 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::ip xfrm policy flush::no output expected::NO
+moon::ip xfrm state flush::no output expected::NO
+moon::systemctl kill -s SIGKILL strongswan::no output expected::NO
+moon::cd /etc/swanctl; rm rsa/marsKey.pem x509/marsCert.pem
+alice::cd /etc/swanctl; rm rsa/marsKey.pem x509/marsCert.pem
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip addr del 192.168.0.5/24 dev eth0
+moon::ip addr del 10.1.0.5/16 dev eth1
+alice::ip addr del 192.168.0.5/24 dev eth1
+alice::ip addr del 10.1.0.5/16 dev eth0
+alice::ifdown eth1
+venus::ip route del default via 10.1.0.5 dev eth0
+venus::ip route add default via 10.1.0.1 dev eth0
+alice::sed -i s/Restart=no/Restart=on-abnormal/ /lib/systemd/system/strongswan.service
+alice::systemctl daemon-reload
+moon::sed -i s/Restart=no/Restart=on-abnormal/ /lib/systemd/system/strongswan.service
+moon::systemctl daemon-reload
diff --git a/testing/tests/ha/active-passive-multi-ke/pretest.dat b/testing/tests/ha/active-passive-multi-ke/pretest.dat
new file mode 100644
index 0000000000..bf5eb8329e
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/pretest.dat
@@ -0,0 +1,27 @@
+alice::sed -i s/Restart=on-abnormal/Restart=no/ /lib/systemd/system/strongswan.service
+alice::systemctl daemon-reload
+moon::sed -i s/Restart=on-abnormal/Restart=no/ /lib/systemd/system/strongswan.service
+moon::systemctl daemon-reload
+moon::ip addr add 192.168.0.5/24 dev eth0
+moon::ip addr add 10.1.0.5/16 dev eth1
+alice::ifup eth1
+alice::ip addr add 192.168.0.5/24 dev eth1
+alice::ip addr add 10.1.0.5/16 dev eth0
+venus::ip route del default via 10.1.0.1 dev eth0
+venus::ip route add default via 10.1.0.5 dev eth0
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem
+alice::cd /etc/swanctl; rm rsa/aliceKey.pem x509/aliceCert.pem
+moon::systemctl start strongswan
+alice::systemctl start strongswan
+moon::sleep 2
+alice::echo "+1" > /var/run/charon.ha
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+carol::expect-connection home
+dave::expect-connection home
+carol::swanctl --initiate --child home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/ha/active-passive-multi-ke/test.conf b/testing/tests/ha/active-passive-multi-ke/test.conf
new file mode 100644
index 0000000000..43f8bbcc37
--- /dev/null
+++ b/testing/tests/ha/active-passive-multi-ke/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="venus carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat
index aa35767935..418cadf85d 100644
--- a/testing/tests/ha/active-passive/evaltest.dat
+++ b/testing/tests/ha/active-passive/evaltest.dat
@@ -5,7 +5,7 @@ alice::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ha.*version=2 state=EST
 alice::swanctl --list-sas --ike-id 3 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 alice::swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=500 local-id=10.1.0.1 remote-host=10.1.0.10 remote-port=500 remote-id=10.1.0.10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]] remote-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]]::YES
-moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=500 local-id=10.1.0.1 remote-host=10.1.0.10 remote-port=500 remote-id=10.1.0.10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]] remote-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]]::YES
+moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ha.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=500 local-id=10.1.0.1 remote-host=10.1.0.10 remote-port=500 remote-id=10.1.0.10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*ha.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32\[icmp] 10.1.0.1/32\[udp/4510]] remote-ts=\[10.1.0.10/32\[icmp] 10.1.0.10/32\[udp/4510]]::YES
 moon ::swanctl --list-sas --ike-id 3 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon ::swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=PASSIVE local-host=192.168.0.5 local-port=4500 local-id=mars.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.5 remote-port=4500 remote-id=mars.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-- 
2.47.2