From: Andreas Steffen Date: Fri, 4 May 2012 10:03:05 +0000 (+0200) Subject: upgraded openssl-ikev2 scenarios to 5.0.0 X-Git-Tag: 5.0.0~297 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3805e569f6429a017c198a98e47875c9aa8329bd;p=thirdparty%2Fstrongswan.git upgraded openssl-ikev2 scenarios to 5.0.0 --- diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat index f1b33895be..3787bdb68c 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat @@ -1,16 +1,17 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES +dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES +dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES -dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES -dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES +dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf index 62e181012e..9ad166ee1c 100755 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -12,7 +10,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish256-sha512-modp2048! - esp=blowfish192-sha256! + esp=blowfish192-sha384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf index 26f3f3a040..eb75305010 100755 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -12,7 +10,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish128-sha256-modp1536! - esp=blowfish128-sha1! + esp=blowfish128-sha256! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf index 31a00f7fbe..db9203582b 100755 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -12,7 +10,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! - esp=blowfish192-sha256,blowfish128-sha1! + esp=blowfish192-sha384,blowfish128-sha256! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat index d77c4806ed..4be554f86d 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -1,11 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon:: ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES -moon::ip xfrm state::enc cbc(camellia)::YES +moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf index 37f8a7ecf8..45ea520e5d 100755 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf index f8d7e3fe99..3b0f41f793 100755 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat index 0099364667..2540eb106b 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat @@ -1,12 +1,17 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES -dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES +dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf index 0550a09b45..850ce23b0e 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -11,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + ike=aes128-sha256-ecp256,aes192-sha384-ecp384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index b9da84efb5..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -3,7 +3,3 @@ charon { load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } - -libstrongswan { - ecp_x_coordinate_only = no -} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf index 22026fc365..92f7501626 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -11,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + ike=aes128-sha256-ecp256,aes256-sha512-ecp521! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index 01fd353c15..882b5a2921 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf index ffe13d2596..9967312cbb 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index b9da84efb5..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -3,7 +3,3 @@ charon { load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } - -libstrongswan { - ecp_x_coordinate_only = no -} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat index e2073d9be9..f82159e7c0 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat @@ -1,12 +1,17 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES -dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES +dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf index 6a15b3f54d..0e3ef67fce 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -11,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + ike=aes192-sha384-ecp192,3des-sha256-ecp224! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index b9da84efb5..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -3,7 +3,3 @@ charon { load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } - -libstrongswan { - ecp_x_coordinate_only = no -} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf index b4bdf456fc..cec930c0f0 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -11,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + ike=aes192-sha384-ecp192,aes128-sha256-ecp256! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index 01fd353c15..882b5a2921 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf index 64ec0f12cd..35261515f1 100755 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -11,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + ike=3des-sha256-ecp224,aes128-sha256-ecp256! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index b9da84efb5..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -3,7 +3,3 @@ charon { load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } - -libstrongswan { - ecp_x_coordinate_only = no -} diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat index 1c23dcad62..cc904c8bc2 100644 --- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -1,6 +1,6 @@ moon::cat /var/log/daemon.log::sending end entity cert::YES moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES -sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES +sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf index 2e3c9dde45..11d2aefe68 100755 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf index 19e1971318..15ba692a09 100755 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 868da5776c..5918faa8cb 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -1,12 +1,17 @@ -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf index c75d6b2a18..f666a1c3cc 100755 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf index 080ce9bce4..43cd6c3c3f 100755 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf index c932101d26..218b7b84e0 100755 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat index 868da5776c..52913759f0 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat @@ -1,12 +1,13 @@ -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf index c75d6b2a18..f666a1c3cc 100755 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf index 080ce9bce4..43cd6c3c3f 100755 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf index c932101d26..218b7b84e0 100755 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat index 06a0f8cdad..f8cfb111b9 100644 --- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat @@ -1,8 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf index 4a8baa3ae0..d3be7aa6f2 100755 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf index 42f03aab34..b2181ee71b 100755 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf index 2e84f2e6a9..a0b30f21f8 100755 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat index 41ebec307e..e476da03f4 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat @@ -1,10 +1,10 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 02ece4738d..1c78a66ec6 100755 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -20,6 +20,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 2679d4f9b2..6a72f264a8 100755 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no plutostart=no charondebug="tls 2"