From: Martin Willi
To establish trust in CGA addresses, the CGA plugin trust option is +set in strongswan.conf. To recognize the private use CGA parameters +certificate exchange, the peers exchange strongSwan vendor ID payloads. +
+As the peers do not know the inner IPv6 CGA address of each other, they use +the narrowid plugin. The plugin futher narrows the allowed prefix to +the CGA each peer successfully authenticated. To enable narrowing for the +connection, the configs option is set accordingly in +strongswan.conf.
diff --git a/testing/tests/ipv6/cga-narrowid/evaltest.dat b/testing/tests/ipv6/cga-narrowid/evaltest.dat
new file mode 100644
index 0000000000..79d2cfd8b2
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::cga-tunnel.*ESTABLISHED::YES
+sun:: ipsec status 2> /dev/null::cga-tunnel.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::cga-tunnel.*INSTALLED::YES
+sun:: ipsec status 2> /dev/null::cga-tunnel.*INSTALLED::YES
+moon::ping6 -c 1 fec2:\:3840:e1ae:500c:c55f::64 bytes from fec2:\:3840:e1ae:500c:c55f: icmp_seq=1::YES
+sun::tcpdump::IP6 fec1:\:2c1d:3461:a532:ba48 > fec2:\:3840:e1ae:500c:c55f: ESP::YES
+sun::tcpdump::IP6 fec2:\:3840:e1ae:500c:c55f > fec1:\:2c1d:3461:a532:ba48: ESP::YES
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..4a8d1ce3ed
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn cga-tunnel
+ leftcert=cga:moon.cga
+ left=PH_IP_MOON
+ leftid=fec1::2c1d:3461:a532:ba48
+ leftsubnet=fec1::2c1d:3461:a532:ba48
+ right=PH_IP_SUN
+ rightid=%any
+ rightsubnet=fec2::/64
+ auto=add
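Review bot: None of the seven evaltest lines checks the property this test exists for — that narrowid reduced the negotiated traffic selector from the configured fec2::/64 (rightsubnet in moon's ipsec.conf) down to the single authenticated CGA; the ESTABLISHED/INSTALLED, ping6 and tcpdump checks would all pass equally if the whole /64 had been installed. An additional `ipsec status` assertion matching the installed child SA's selectors would pin the narrowing, something like `moon:: ipsec status 2> /dev/null::fec1:\:2c1d:3461:a532:ba48/128 === fec2:\:3840:e1ae:500c:c55f/128::YES` and the mirror line for sun (the exact selector format should be confirmed against the status output before relying on it).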
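Review bot: `rightid=%any` together with `rightsubnet=fec2::/64` deserves a comment, because on its own it reads as accepting any peer for the whole prefix; what actually bounds the peer is the CGA binding between its address and key plus the narrowid plugin cutting the selector down to the authenticated address, and neither is visible in this file. The same applies to the sun ipsec.conf hunk (`rightid=%any`, `rightsubnet=fec1::/64`). A comment such as `# peer identity is the CGA it proves; narrowid restricts rightsubnet to that address` above `rightid=%any` in both files would make the dependence on the cga and narrowid plugins explicit for anyone reusing this as a template.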
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.d/certs/moon.cga b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.d/certs/moon.cga
new file mode 100644
index 0000000000..4f88edfa34
Binary files /dev/null and b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/ipsec.d/certs/moon.cga differ
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..3118c37f84
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga narrowid stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ narrowid {
+ configs = cga-tunnel
+ }
+ }
+}
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000000..6e5411b379
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn cga-tunnel
+ leftcert=cga:sun.cga
+ left=PH_IP_SUN
+ leftid=fec2::3840:e1ae:500c:c55f
+ leftsubnet=fec2::3840:e1ae:500c:c55f
+ right=PH_IP_MOON
+ rightid=%any
+ rightsubnet=fec1::/64
+ auto=add
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.d/certs/sun.cga b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.d/certs/sun.cga
new file mode 100644
index 0000000000..ac00d35bbc
Binary files /dev/null and b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/ipsec.d/certs/sun.cga differ
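Review bot: `trust = yes` in the cga plugin block is a daemon-wide setting, unlike `configs = cga-tunnel`, which scopes narrowid to this one connection, and the file does not say so; anyone copying this strongswan.conf gets CGA-based trust for every connection charon handles. The identical block is in sun's strongswan.conf. A comment above `trust = yes`, e.g. `# accept any CGA whose address verifies against the presented key (no CA); applies to all connections, narrowid below only to cga-tunnel`, would record that the global scope is intentional for this test. If `des` and `md5` in the load line are not needed by this test, presumably they were carried over from the other ipv6 test configs; confirming that or dropping them would keep the loaded set minimal.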
diff --git a/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..b0b57bf4da
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga narrowid stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ narrowid {
+ configs = cga-tunnel
+ }
+ }
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ipv6/cga-narrowid/posttest.dat b/testing/tests/ipv6/cga-narrowid/posttest.dat
new file mode 100644
index 0000000000..470bf46744
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::"ip addr del fec1:\:2c1d:3461:a532:ba48 dev eth1"
+sun::"ip addr del fec2:\:3840:e1ae:500c:c55f dev eth1"
diff --git a/testing/tests/ipv6/cga-narrowid/pretest.dat b/testing/tests/ipv6/cga-narrowid/pretest.dat
new file mode 100644
index 0000000000..f0f472db8e
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/pretest.dat
@@ -0,0 +1,7 @@
+moon::"ip addr add fec1:\:2c1d:3461:a532:ba48 dev eth1"
+sun::"ip addr add fec2:\:3840:e1ae:500c:c55f dev eth1"
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection cga-tunnel
+sun::expect-connection cga-tunnel
+moon::ipsec up cga-tunnel
diff --git a/testing/tests/ipv6/cga-narrowid/test.conf b/testing/tests/ipv6/cga-narrowid/test.conf
new file mode 100644
index 0000000000..0133bf66a3
--- /dev/null
+++ b/testing/tests/ipv6/cga-narrowid/test.conf
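Review bot: This file duplicates moon's strongswan.conf except for the added `syslog { daemon { knl = 2 } }` block, and nothing records why only sun gets raised kernel-interface logging; presumably it is wanted because sun is the tcpdump host (test.conf sets `TCPDUMPHOSTS="sun"`), but a reader cannot tell whether the asymmetry is deliberate or moon was simply left behind. Either add `# knl = 2: verbose kernel-netlink logging on the tcpdump host` above the syslog block, or give moon the same block so the two host configs differ only in the certificate and addresses.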
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"