From 616a626e029a860559fb4d09ff187b59533ff620 Mon Sep 17 00:00:00 2001 
From: Andreas Steffen Date: Tue, 19 Jun 2018 00:06:35 +0200 Subject: [PATCH] testing: Added swanctl/rw-qske-l1 and swanctl/rw-qske-l5 scenarios --- testing/scripts/build-baseimage | 2 +- testing/scripts/recipes/011_liboqs.mk | 21 ++++++++++++ testing/scripts/recipes/013_strongswan.mk | 4 ++- .../tests/swanctl/rw-qske-l1/description.txt | 8 +++++ testing/tests/swanctl/rw-qske-l1/evaltest.dat | 10 ++++++ .../hosts/carol/etc/strongswan.conf | 17 ++++++++++ .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++++++++++++++++ .../rw-qske-l1/hosts/dave/etc/strongswan.conf | 17 ++++++++++ .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++++++++++++++++ .../rw-qske-l1/hosts/moon/etc/strongswan.conf | 22 +++++++++++++ .../hosts/moon/etc/swanctl/swanctl.conf | 32 +++++++++++++++++++ testing/tests/swanctl/rw-qske-l1/posttest.dat | 8 +++++ testing/tests/swanctl/rw-qske-l1/pretest.dat | 11 +++++++ testing/tests/swanctl/rw-qske-l1/test.conf | 25 +++++++++++++++ .../tests/swanctl/rw-qske-l5/description.txt | 8 +++++ testing/tests/swanctl/rw-qske-l5/evaltest.dat | 10 ++++++ .../hosts/carol/etc/strongswan.conf | 17 ++++++++++ .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++++++++++++++++ .../rw-qske-l5/hosts/dave/etc/strongswan.conf | 17 ++++++++++ .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++++++++++++++++ .../rw-qske-l5/hosts/moon/etc/strongswan.conf | 17 ++++++++++ .../hosts/moon/etc/swanctl/swanctl.conf | 32 +++++++++++++++++++ testing/tests/swanctl/rw-qske-l5/posttest.dat | 8 +++++ testing/tests/swanctl/rw-qske-l5/pretest.dat | 11 +++++++ testing/tests/swanctl/rw-qske-l5/test.conf | 25 +++++++++++++++ 25 files changed, 432 insertions(+), 2 deletions(-) create mode 100644 testing/scripts/recipes/011_liboqs.mk create mode 100755 testing/tests/swanctl/rw-qske-l1/description.txt create mode 100755 testing/tests/swanctl/rw-qske-l1/evaltest.dat create mode 100755 testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l1/posttest.dat create mode 100755 testing/tests/swanctl/rw-qske-l1/pretest.dat create mode 100755 testing/tests/swanctl/rw-qske-l1/test.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/description.txt create mode 100755 testing/tests/swanctl/rw-qske-l5/evaltest.dat create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-qske-l5/posttest.dat create mode 100755 testing/tests/swanctl/rw-qske-l5/pretest.dat create mode 100755 testing/tests/swanctl/rw-qske-l5/test.conf diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 7c30758bfe..432e6a21a9 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage 
@@ -21,7 +21,7 @@ INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev -INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute +INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute,xsltproc case "$BASEIMGSUITE" in jessie) INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev diff --git a/testing/scripts/recipes/011_liboqs.mk b/testing/scripts/recipes/011_liboqs.mk new file mode 100644 index 0000000000..738e5029fa --- /dev/null +++ b/testing/scripts/recipes/011_liboqs.mk @@ -0,0 +1,21 @@ +#!/usr/bin/make + +PKG = liboqs +REV = nist-branch +ZIP = $(PKG)-$(REV).zip +SRC = https://github.com/open-quantum-safe/$(PKG)/archive/$(REV).zip + +all: install + +$(ZIP): + wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(ZIP) + +$(PKG)-$(REV): $(ZIP) + unzip $(ZIP) + +.$(PKG)-built-$(REV): $(PKG)-$(REV) + cd $(PKG)-$(REV) && make -j $(NUM_CPUS) + @touch $@ + +install: .$(PKG)-built-$(REV) + cd $(PKG)-$(REV) && PREFIX=/usr make install diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index e84d42094f..1482e2fd6e 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -106,7 +106,9 @@ CONFIG_OPTS = \ --enable-systemd \ --enable-counters \ --enable-save-keys \ - --enable-python-eggs-install + --enable-python-eggs-install \ + --enable-qske-newhope \ + --enable-oqs export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/tests/swanctl/rw-qske-l1/description.txt b/testing/tests/swanctl/rw-qske-l1/description.txt new file mode 100755 index 0000000000..551bfaefd7 --- /dev/null +++ b/testing/tests/swanctl/rw-qske-l1/description.txt 
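Review bot: The `$(ZIP)` rule fetches `archive/nist-branch.zip`, a moving branch reference that GitHub regenerates on every request, and nothing checks what arrived, so the test image silently tracks whatever that branch holds and two builds are not guaranteed to compile the same liboqs code. Pin `REV` to a commit (`REV = <commit-sha>`), and verify the archive before `unzip` runs, e.g. `SHA256 = <expected-digest>` next to `SRC` and `echo "$(SHA256)  $(ZIP)" | sha256sum -c -` as a second recipe line of the `$(ZIP)` rule (the verification style of the sibling recipes is not visible here, so match whatever they use). Because make will not re-download once `$(ZIP)` exists, a pinned REV is also what makes the cached archive meaningful across rebuilds. Minor: both build lines run literal `make`; `$(MAKE)` would propagate the parent's `-j`/jobserver and `-n` flags.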
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+The IKEv2 hybrid key exchange is using the traditional Diffie-Hellman groups CURVE_25519 and
+ECP_256_BP, respectively in a first round, followed by a Quantum-Save Key Exchange with the
+lattice-based QSKE_NEWHOPE_L1 and isogeny-based QSKE_SIKE_L1 mechanisms, respectively.
+
+Both carol and dave request a virtual IP via the IKEv2 configuration payload.
+The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
+increasing order.
diff --git a/testing/tests/swanctl/rw-qske-l1/evaltest.dat b/testing/tests/swanctl/rw-qske-l1/evaltest.dat
new file mode 100755
index 0000000000..2e4ec3271e
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000000..311d2e971b
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 curve25519 oqs hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a33438b8c5
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-x25519-qskenewhope1
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000000..5d56431e89
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 pem pkcs1 x509 oqs revocation pubkey openssl curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e9826303d7
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-ecp256bp-qskesike1
+ }
+}
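Review bot: dave's `charon-systemd { load = ... }` line omits `constraints`, while carol's and moon's daemon plugin lists in this same scenario include it, so the three hosts do not validate peer certificate chains with the same plugin set. dave using `openssl` where carol uses `gmp` is clearly a deliberate backend split, but the missing constraints plugin reads as an oversight; either add `constraints` after `x509` or put a comment above `load =` stating that it is intentionally left out. The `swanctl { load = ... }` lines on all three hosts do carry it, so only the daemon side differs.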
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000000..954fdfbb92
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 curve25519 oqs pem pkcs1 x509 revocation constraints pubkey openssl test-vectors curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+ crypto_test {
+ on_add = yes
+ bench = yes
+ bench_time = 200
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6fe768bf2a
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-x25519-ecp256bp-qskenewhope1-qskesike1
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l1/posttest.dat b/testing/tests/swanctl/rw-qske-l1/posttest.dat
new file mode 100755
index 0000000000..b909ac76c3
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/posttest.dat
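Review bot: The `crypto_test` block turns on self-test and benchmarking of every algorithm at load time (`on_add = yes`, `bench = yes`) but leaves `required` unset, so an algorithm with no test vectors — which may well be the case for the newly added QSKE mechanisms, I cannot tell from this patch — is still registered and merely logged. That is probably what a benchmark-only gateway wants, but it deserves a comment saying so, e.g. `# benchmark every algorithm at startup; algorithms without test vectors are still loaded (required left unset)`. The rw-qske-l5 moon config in this same patch carries neither `test-vectors` nor `crypto_test`, so stating the intent here also explains that asymmetry.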
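Review bot: The responder's `remote { auth = pubkey }` block sets no `id` or `cacerts` restriction, so any peer presenting a certificate that chains to a CA in moon's trust store is accepted as a roadwarrior; that is the usual shape of the rw-* scenarios and the trust anchor presumably is the test CA installed under /etc/swanctl (not visible in this patch), but a comment such as `# any client certified by the test CA may connect` would make the trust assumption explicit. The single IKE proposal `aes256-sha256-x25519-ecp256bp-qskenewhope1-qskesike1` names QSKE mechanisms alongside the DH groups, so as I read the proposal syntax an initiator that offers no QSKE transform should not be able to match it; since forcing the hybrid exchange is the point of the scenario, a one-line comment on `proposals` saying so would help the next reader.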
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-qske-l1/pretest.dat b/testing/tests/swanctl/rw-qske-l1/pretest.dat
new file mode 100755
index 0000000000..dd1a17ccb9
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-qske-l1/test.conf b/testing/tests/swanctl/rw-qske-l1/test.conf
new file mode 100755
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-qske-l5/description.txt b/testing/tests/swanctl/rw-qske-l5/description.txt
new file mode 100755
index 0000000000..551bfaefd7
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+The IKEv2 hybrid key exchange is using the traditional Diffie-Hellman groups CURVE_25519 and
+ECP_256_BP, respectively in a first round, followed by a Quantum-Save Key Exchange with the
+lattice-based QSKE_NEWHOPE_L1 and isogeny-based QSKE_SIKE_L1 mechanisms, respectively.
+
+Both carol and dave request a virtual IP via the IKEv2 configuration payload.
+The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
+increasing order.
diff --git a/testing/tests/swanctl/rw-qske-l5/evaltest.dat b/testing/tests/swanctl/rw-qske-l5/evaltest.dat
new file mode 100755
index 0000000000..26cb3e8dfa
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_KYBER_L5.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_BIKE1_L5.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_KYBER_L5.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_BIKE1_L5.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000000..311d2e971b
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 curve25519 oqs hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..927fc8799a
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/carol/etc/swanctl/swanctl.conf
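Review bot: These expectations pin `qske-mechanism=QSKE_KYBER_L5` for carol and `QSKE_BIKE1_L5` for dave, but the scenario's description.txt added in the same patch is a verbatim copy of the rw-qske-l1 one (identical blob 551bfaefd7) and still describes QSKE_NEWHOPE_L1 and QSKE_SIKE_L1, so the documented and the asserted mechanisms disagree. The l5 description should read `lattice-based QSKE_KYBER_L5 and code-based QSKE_BIKE1_L5 mechanisms, respectively` — BIKE is a code-based scheme, not an isogeny-based one — and while it is being touched, `Quantum-Save` should be `Quantum-Safe` and `monotonously` should be `monotonically` in both scenarios' descriptions.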
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-x25519-qskekyber5
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000000..5d56431e89
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 pem pkcs1 x509 oqs revocation pubkey openssl curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..9e0a1678c2
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-ecp256bp-qskebike15
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000000..ebbacced88
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 sha3 aes chapoly mgf1 curve25519 oqs pem pkcs1 x509 revocation constraints pubkey openssl curl kernel-netlink socket-default updown vici
+
+ send_vendor_id = yes
+ fragment_size = 1500
+ syslog {
+ daemon {
+ default = 1
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..2560b10c0a
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128
+ }
+ }
+ version = 2
+ proposals = aes256-sha256-x25519-ecp256bp-qskekyber5-qskebike15
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/rw-qske-l5/posttest.dat b/testing/tests/swanctl/rw-qske-l5/posttest.dat
new file mode 100755
index 0000000000..b909ac76c3
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/posttest.dat
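Review bot: This moon config omits the `test-vectors` plugin in `charon-systemd { load = ... }` and the whole `crypto_test` block that the rw-qske-l1 moon config in the same patch carries, so the two scenarios drive the gateway with different plugin sets and only one of them runs the algorithm self-tests/benchmarks. If benchmarking is meant for the L1 run only, a comment here (or in the l1 file) saying so would make the divergence deliberate; otherwise add `test-vectors` after `openssl` and the same `crypto_test { ... }` block so both gateways are configured alike. Apart from that the file matches the l1 version line for line, so this appears to be the only difference.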
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-qske-l5/pretest.dat b/testing/tests/swanctl/rw-qske-l5/pretest.dat
new file mode 100755
index 0000000000..dd1a17ccb9
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-qske-l5/test.conf b/testing/tests/swanctl/rw-qske-l5/test.conf
new file mode 100755
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/swanctl/rw-qske-l5/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-- 
2.47.2