From: Andreas Steffen Date: Fri, 4 May 2012 10:06:45 +0000 (+0200) Subject: upgraded openssl-ikev1 scenarios to 5.0.0 X-Git-Tag: 5.0.0~296 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=90e941fb979b0f76c3bcf9db0871991b3e79716e;p=thirdparty%2Fstrongswan.git upgraded openssl-ikev1 scenarios to 5.0.0 --- diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt index 915e6c211f..b3515c3336 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/description.txt +++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt @@ -1,4 +1,4 @@ -Roadwarrior carol proposes to gateway moon the cipher suite -CAMELLIA_CBC_192 / HMAC_SHA2_384 / MODP_3072 for the IKE protocol and -CAMELLIA_CBC_192 / HMAC_SHA2_384_192 for ESP packets. A ping from carol to -alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as +the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 +in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat index a3360e5a5b..4be554f86d 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat 
@@ -1,11 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
+moon:: ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index 982b2fdb24..8c8589961d 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
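Review bot: The two new ESP assertions, `moon:: ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES` and its carol twin, are matched against the whole `statusall` output with neither the old `ESP proposal:` prefix nor a connection name, so they pass on any line that happens to contain that string. The alg-ecp-high and alg-ecp-low evaltest.dat files changed in this same commit anchor their proposal checks with `home.*`; doing the same here (`home.*CAMELLIA_CBC_192/HMAC_SHA1_96` on carol, `rw.*CAMELLIA_CBC_192/HMAC_SHA1_96` on moon) would tie the assertion to the negotiated child SA. The `ESP.*length 196` tcpdump checks fit the shorter integrity value but do not by themselves identify the algorithm.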
@@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no + plutostart=no conn %default ikelifetime=60m @@ -12,11 +9,12 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=camellia192-sha384-modp3072! - esp=camellia192-sha384! + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf index 1ea14c6f2d..e96dfe5745 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf index b6f7192564..49fe537928 100755 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf 
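Review bot: `ike=camellia256-sha512-modp2048!` in the `conn %default` hunk of carol's ipsec.conf does not match the description.txt updated by this commit, which says the suite is obtained "by defining ike=camellia256-sha256-modp2048"; evaltest.dat expects `HMAC_SHA2_512_256/PRF_HMAC_SHA2_512`, so the description is the side to correct. The same hunk lowers ESP integrity from `sha384` to `esp=camellia192-sha1!` without giving a reason. Scenario files are often copied as templates, so a comment above that line stating why SHA-1 is used here, e.g. `# sha1 selected for this scenario only, not a recommended ESP integrity algorithm`, would help. moon's ipsec.conf in this commit carries the identical two lines.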
@@ -1,25 +1,22 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - + plutostart=no + conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=camellia192-sha384-modp3072! - esp=camellia192-sha384! + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf index 1ea14c6f2d..e96dfe5745 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat index c6d6235f9d..94a400606a 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat index 6d2eeb5f9f..ed5498bfe3 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat 
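Review bot: Dropping `rightid=carol@strongswan.org` while keeping `right=%any` means `conn rw` on moon no longer constrains the peer identity: any peer presenting a certificate that moon trusts would be accepted, where before only carol was. If that widening is intended, say so with a comment above `right=%any`, e.g. `# any peer holding a certificate from the trusted CA may connect`; otherwise keep the `rightid` line. The ecdsa-certs moon ipsec.conf later in this commit makes the same change by folding `conn carol` and `conn dave` into a single `conn rw`. The hunk also removes `strictcrlpolicy` and `crlcheckinterval`, so revocation checking now rests on charon's defaults, which are not visible in this diff.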
@@ -1,5 +1,7 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf index 6abbb89a97..9cd583b169 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/test.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf @@ -19,4 +19,3 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index f2b26fd7cf..a1f31495dd 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt @@ -1,8 +1,8 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 certificate -functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp x509 plus the openssl plugin for -the Elliptic Curve Diffie-Hellman groups only. +plugin based on the OpenSSL library for all cryptographical and X.509 +certificate functions whereas roadwarrior dave uses the default strongSwan +cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat index 6a68027808..2ba48e5ce4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat 
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 432fa52ea0..cf9a83135f 100755
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
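Review bot: The patterns `rw\[1]: ESTABLISHED.*carol@strongswan.org` and `rw\[2]: ESTABLISHED.*dave@strongswan.org` hard-code the order in which moon numbers its IKE SAs, so the check would fail if dave's negotiation completed before carol's even though both peers authenticated correctly. Unless the numbering is itself under test, `rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org` (and the dave equivalent) asserts the same property without the ordering dependency. Whether pretest.dat serialises the two connection attempts cannot be seen in this diff. The alg-ecp-low and ecdsa-certs evaltest.dat hunks repeat these lines.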
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + ike=aes128-sha256-ecp256,aes192-sha384-ecp384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf index 28304eb41c..e341b02262 100755 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + ike=aes128-sha256-ecp256,aes256-sha512-ecp521! conn home left=PH_IP_DAVE 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf index 913e599aed..882b5a2921 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf index d6737f6e0c..ec83d9ddb9 100755 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf 
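Review bot: The new charon load list in dave's strongswan.conf names `pem pkcs1` twice (`... md5 pem pkcs1 gmp pem pkcs1 x509 ...`), a duplicate carried over from the removed pluto line; one pair should be dropped, giving `load = curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl revocation random hmac stroke kernel-netlink socket-default updown`. description.txt says dave uses openssl "for the Elliptic Curve Diffie-Hellman groups only", but nothing in this file restricts the plugin to that role; it presumably relies on the built-in crypto plugins being listed before `openssl`, which deserves a one-line comment above `load`. The same line appears in alg-ecp-low's dave strongswan.conf.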
@@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 5b02414333..84b6eb4bf1 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt @@ -1,8 +1,8 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 certificate -functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp x509 plus the openssl plugin for -the Elliptic Curve Diffie-Hellman groups only. +plugin based on the OpenSSL library for all cryptographical and X.509 +certificate functions whereas roadwarrior dave uses the default strongSwan +cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat index 3c5ae4138a..6cf2438d4e 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat 
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 5a4d82699b..0d43d1f4f7 100755
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + ike=aes192-sha384-ecp192,3des-sha256-ecp224! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf index ac828c1824..75e537b836 100755 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + ike=aes192-sha384-ecp192,aes128-sha256-ecp256! conn home left=PH_IP_DAVE 
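Review bot: `ike=aes192-sha384-ecp192,3des-sha256-ecp224!` in carol's ipsec.conf makes 3DES the cipher of the only proposal carol shares with moon (moon's hunk sets `3des-sha256-ecp224,aes128-sha256-ecp256!`), and evaltest.dat now asserts `3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224` as the expected result. If 3DES is there only to make the two proposals distinguishable, a comment above the line saying so, e.g. `# 3des used only to tell the ecp224 proposal apart; not a recommended cipher`, keeps the scenario from being read as a suggested configuration. The description.txt hunk for this scenario re-wraps the text but does not mention the cipher change.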
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf index 913e599aed..882b5a2921 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf index 870271c871..1dab319fce 100755 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control + plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + ike=3des-sha256-ecp224,aes128-sha256-ecp256! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf 
@@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat index 2aea10135a..244ea0331a 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat 
@@ -1,13 +1,19 @@ -moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES -moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES -carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES -dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES -moon::ipsec statusall::carol.*IPsec SA established::YES -moon::ipsec statusall::dave.*IPsec SA established::YES -carol::ipsec statusall::home.*IPsec SA established::YES -dave::ipsec statusall::home.*IPsec SA established::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes 
from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf index b0b6ff738f..e463e22ef8 100755 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - plutodebug=control - charonstart=no + plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf index 23813b20b5..c3fd646aea 100755 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf 
@@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - plutodebug=control - charonstart=no - + plutostart=no + conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf index 4c5d53dff4..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf index f22a4ac4c8..9931d87119 100755 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - plutodebug=control - charonstart=no + plutostart=no conn %default ikelifetime=60m @@ -12,21 +10,11 @@ conn %default keyingtries=1 keyexchange=ikev1 -conn carol - also=moon - leftcert=moon_ec256_Cert.pem - rightid=carol@strongswan.org - auto=add - -conn dave - also=moon - leftcert=moon_ec384_Cert.pem - rightid=dave@strongswan.org - auto=add - -conn moon +conn rw left=PH_IP_MOON + leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + auto=add 
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 0000000000..5178c7f381 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO +PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs +5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9 +BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX +Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU +Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu +j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD +VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG +SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt +l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH +mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD +CI9WpQ== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 0000000000..beab0485fd --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem 
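Review bot: The validity field of the added moonCert.pem decodes to 22 June 2008 through 21 June 2013, so this fixture expires roughly thirteen months after the commit date and the scenario would then fail authentication for a reason unrelated to the code under test. Its subject OU decodes to "ECDSA 521 bit" and its signature algorithm to ecdsa-with-SHA1, neither of which is stated anywhere in the scenario files shown here. A line in the scenario's description.txt giving the key size, signature hash and expiry date would make a later failure easy to diagnose.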
@@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42 +yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz +1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw +tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq +pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets index 8a8812e0f8..1ef3eccb51 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets @@ -1,5 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: ECDSA moon_ec256_Key.pem - -: ECDSA moon_ec384_Key.pem +: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf index 1ea14c6f2d..bdbdad2e59 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = pem pkcs1 openssl random hmac curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat index 73fe3096d3..7cebd7f257 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat 
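Review bot: moonKey.pem is added as an unencrypted EC private key, and the ipsec.secrets hunk references it as `: ECDSA moonKey.pem` with no passphrase. That is workable for a throwaway fixture, but the key is now public in the source tree, so ipsec.secrets should say so, e.g. `# test-only key published with the test suite; never install on a real gateway`. The posttest.dat hunk of this commit also deletes `moon::rm /etc/ipsec.d/private/*` and `moon::rm /etc/ipsec.d/certs/*`, so unless the test framework restores the host files itself (not visible here) the ECDSA key and certificate stay on moon for later scenarios.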
@@ -4,5 +4,3 @@ dave::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null dave::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/*