From: Andreas Steffen
Date: Mon, 29 Oct 2018 11:34:26 +0000 (+0100)
Subject: testing: Extended swanctl/rw-qske-l1 scenario
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fikev2-qske-notify;p=thirdparty%2Fstrongswan.git
testing: Extended swanctl/rw-qske-l1 scenario
---
diff --git a/testing/tests/swanctl/rw-qske-l1/description.txt b/testing/tests/swanctl/rw-qske-l1/description.txt
index 551bfaefd7..197e7a0475 100755
--- a/testing/tests/swanctl/rw-qske-l1/description.txt
+++ b/testing/tests/swanctl/rw-qske-l1/description.txt
@@ -3,6 +3,6 @@ The IKEv2 hybrid key exchange is using the traditional Diffie-Hellman groups CUR
 ECP_256_BP, respectively in a first round, followed by a Quantum-Save Key Exchange with the lattice-based QSKE_NEWHOPE_L1 and isogeny-based QSKE_SIKE_L1 mechanisms, respectively.

-Both carol and dave request a virtual IP via the IKEv2 configuration payload.
-The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order.
+The first CHILD_SA net1 is for the remote subnet 10.1.0.0/28. A second CHILD_SA net2 for the
+remote subnet 10.1.0.16/28 is established using the QSKE mechanisms QSKE_KYBER_L1 and QSKE_FRODO_AES_L1
+by carol and dave, respectively.
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-qske-l1/evaltest.dat b/testing/tests/swanctl/rw-qske-l1/evaltest.dat
index 2e4ec3271e..831f392d95 100755
--- a/testing/tests/swanctl/rw-qske-l1/evaltest.dat
+++ b/testing/tests/swanctl/rw-qske-l1/evaltest.dat
@@ -1,9 +1,11 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP 
qske-mechanism=QSKE_SIKE_L1.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*local-vips=\[10.3.0.1] child-sas.*net1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/28].*net2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=CURVE_25519.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.16/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*local-vips=\[10.3.0.2] child-sas.*net1.*state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/28].*net2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=ECP_256_BP.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 
qske-mechanism=QSKE_NEWHOPE_L1.*remote-vips=\[10.3.0.1] child-sas.*net1.*reqid=1 state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/28] remote-ts=\[10.3.0.1/32].*net2.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=CURVE_25519.*local-ts=\[10.1.0.16/28] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*remote-vips=\[10.3.0.2] child-sas.*net1.*reqid=3 state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/28] remote-ts=\[10.3.0.2/32].*net2.*reqid=4 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=ECP_256_BP.*local-ts=\[10.1.0.16/28] remote-ts=\[10.3.0.2/32]::YES
 alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
 alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
+venus::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+venus::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf
index a33438b8c5..20bcc03a00 100755
--- a/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf
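Review bot: The new net2 CHILD_SA matches on all four `swanctl --list-sas` lines assert only the classical group (`dh-group=CURVE_25519` for carol, `dh-group=ECP_256_BP` for dave, and the same pair on the two moon lines) and never the QSKE mechanism, so the hybrid exchange the scenario exists to test is not verified for the CHILD_SA and a regression that silently drops the QSKE transform from CREATE_CHILD_SA would still pass. If the raw child-SA listing reports the mechanism the way the IKE_SA entry does (`qske-mechanism=QSKE_NEWHOPE_L1` in the same lines), append `qske-mechanism=QSKE_KYBER_L1` after `dh-group=CURVE_25519` in carol's net2 match and `qske-mechanism=QSKE_FRODO_AES_L1` after `dh-group=ECP_256_BP` in dave's, with the corresponding additions in the two moon lines; if the field is not emitted for child SAs, that is worth a note in the scenario description. The moon lines also hard-code `reqid=1` through `reqid=4`, which presumes carol's two children are installed before dave's first one is created; that holds only as long as the pretest `swanctl --initiate` calls block until each CHILD_SA is up, so the assumption deserves a comment. Minor: the net1 matches use `mode=TUNNEL.*protocol=ESP` on the dave and moon lines but `mode=TUNNEL protocol=ESP` on carol's, which is harmless but inconsistent.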
@@ -15,11 +15,15 @@ connections {
 id = moon.strongswan.org
 }
 children {
- home {
- remote_ts = 10.1.0.0/16
-
+ net1 {
+ remote_ts = 10.1.0.0/28
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-x25519-qskenewhope1
+ }
+ net2 {
+ remote_ts = 10.1.0.16/28
 updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-x25519-qskekyber1
 }
 }
 version = 2
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf
index e9826303d7..8dac6ee6c9 100755
--- a/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf
@@ -15,11 +15,15 @@ connections {
 id = moon.strongswan.org
 }
 children {
- home {
- remote_ts = 10.1.0.0/16
-
+ net1 {
+ remote_ts = 10.1.0.0/28
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-ecp256bp-qskesike1
+ }
+ net2 {
+ remote_ts = 10.1.0.16/28
 updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-ecp256bp-qskefrodoa1
 }
 }
 version = 2
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf
index 6fe768bf2a..17b1c09bcf 100755
--- a/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf
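Review bot: The two `esp_proposals` lines added for carol pin a different QSKE mechanism per child (`qskenewhope1` for net1, `qskekyber1` for net2) with nothing explaining why the children differ, and the dave hunk does the same with `qskesike1` and `qskefrodoa1`; a reader of the config alone cannot tell that this is deliberate coverage of a second mechanism rather than a copy-paste slip. A one-line comment above each net2 block, e.g. `# net2 is set up via CREATE_CHILD_SA to exercise a second QSKE mechanism`, would make the intent explicit in all four files. Presumably the x25519/ecp256bp and QSKE terms on net1 only take effect on rekeying, since net1 is negotiated inside IKE_AUTH, which would be consistent with evaltest asserting `dh-group` for net2 only; if so, a comment saying that on net1 would prevent someone later "fixing" the test by expecting a group on net1. The enclosing `connections` block starts outside the hunk.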
@@ -13,11 +13,17 @@ connections {
 auth = pubkey
 }
 children {
- net {
- local_ts = 10.1.0.0/16
+ net1 {
+ local_ts = 10.1.0.0/28
 
 updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-x25519-ecp256bp-qskenewhope1-qskesike1
+ }
+ net2 {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-x25519-ecp256bp-qskekyber1-qskefrodoa1
 }
 }
 version = 2
diff --git a/testing/tests/swanctl/rw-qske-l1/pretest.dat b/testing/tests/swanctl/rw-qske-l1/pretest.dat
index dd1a17ccb9..72e029d791 100755
--- a/testing/tests/swanctl/rw-qske-l1/pretest.dat
+++ b/testing/tests/swanctl/rw-qske-l1/pretest.dat
@@ -6,6 +6,8 @@ carol::systemctl start strongswan-swanctl
 dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::swanctl --initiate --child net1 2> /dev/null
+carol::swanctl --initiate --child net2 2> /dev/null
 dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child net1 2> /dev/null
+dave::swanctl --initiate --child net2 2> /dev/null