From 97493cbe17c69f3aa9ce17739d0a2184bc31de8a Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Fri, 9 Nov 2018 21:45:12 +0100 Subject: [PATCH] testing: Migrated openssl/rw-cert scenario to swanctl --- .../openssl-ikev2/rw-cert/description.txt | 9 ++++--- .../tests/openssl-ikev2/rw-cert/evaltest.dat | 13 +++------ .../rw-cert/hosts/carol/etc/ipsec.conf | 21 --------------- .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 +++++++++++++++++++ .../rw-cert/hosts/dave/etc/ipsec.conf | 21 --------------- .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 +++++++++++++++++++ .../rw-cert/hosts/moon/etc/ipsec.conf | 20 -------------- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 +++++++++++++++++ .../tests/openssl-ikev2/rw-cert/posttest.dat | 8 +++--- .../tests/openssl-ikev2/rw-cert/pretest.dat | 13 +++++---- testing/tests/openssl-ikev2/rw-cert/test.conf | 4 +++ 14 files changed, 106 insertions(+), 88 deletions(-) delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt index b16faad069..ca738a1d4e 100644 --- a/testing/tests/openssl-ikev2/rw-cert/description.txt +++ b/testing/tests/openssl-ikev2/rw-cert/description.txt @@ -1,11 +1,12 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp and x509. -

-The roadwarriors carol and dave set up a connection each +plugins aes des sha1 sha2 hmac gmp and x509. +

+The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat index be78c51259..572a138a6d 100644 --- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat @@ -1,15 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 213cd70fab..0000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 8197ea8b18..996be95f53 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown + load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..e8504addbb --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 653316fde4..0000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha256-modp2048! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 058abcad7f..f2b8046e0e 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..27c6f12ba8 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 16299b3399..0000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha256-modp2048,3des-sha1-modp1536! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 8197ea8b18..996be95f53 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown + load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..aa8d6167af --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp2048 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat index 1865a1c60e..b909ac76c3 100644 --- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat index 974c22530a..61fc17ba22 100644 --- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat @@ -1,12 +1,11 @@ -moon::iptables-restore < /etc/iptables.rules +mmoon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -# moon runs crypto tests, so make sure it is ready +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf index f292988506..1227b9d1c0 100644 --- a/testing/tests/openssl-ikev2/rw-cert/test.conf +++ b/testing/tests/openssl-ikev2/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 -- 2.47.3