diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-08-15 11:13:41 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-08-15 11:13:41 +0200 |
commit | d662a7ffad9061248cc954845415af6b17f0512c (patch) | |
tree | a4e1ece31937f7fc6cca3f1fefca902106e8eab1 /testing/tests/ikev2/rw-eap-ttls-radius | |
parent | eb4c9c609cf45c9d38707c801e5da8022451b2a0 (diff) | |
download | strongswan-d662a7ffad9061248cc954845415af6b17f0512c.tar.bz2 strongswan-d662a7ffad9061248cc954845415af6b17f0512c.tar.xz |
included bad case in ikev2/rw-eap-ttls-radius scenario
Diffstat (limited to 'testing/tests/ikev2/rw-eap-ttls-radius')
9 files changed, 59 insertions, 11 deletions
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt index 0dd19fd7d..299106b32 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt @@ -1,7 +1,8 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -At the outset the gateway authenticates itself to the client by sending -an IKEv2 <b>RSA signature</b> accompanied by a certificate. -<b>carol</b> then sets up an <b>EAP-TTLS</b> tunnel via <b>moon</b> to +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication -based on <b>EAP-MD5</b>. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the +wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index 0bc2bd2c5..d7f372a89 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat @@ -3,9 +3,16 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users index 247b918e3..50ccf3e76 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users @@ -1 +1,2 @@ carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..c581d1bf6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="ike 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..378bdc540 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat index 920d6a20d..dbe56013a 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat @@ -1,5 +1,7 @@ moon::ipsec stop carol::ipsec stop +dave::ipsec stop alice::/etc/init.d/radiusd stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index 266d0f593..f329c99a5 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat @@ -1,9 +1,14 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null alice::cat /etc/raddb/eap.conf +alice::cat /etc/raddb/proxy.conf +alice::cat /etc/raddb/users alice::/etc/init.d/radiusd start moon::ipsec start carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home -carol::sleep 1 +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf index 2bd21499b..5959cfcf4 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice carol moon" +UMLHOSTS="alice carol winnetou dave moon" # Corresponding block diagram # -DIAGRAM="a-m-c.png" +DIAGRAM="a-m-c-w-d.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" |