author | Andreas Steffen <andreas.steffen@strongswan.org> | 2008-04-01 20:05:02 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2008-04-01 20:05:02 +0000 |
commit | 158a62c326b654b3726349c43f712c5333f25f0b (patch) | |
tree | e0dfe18c6ce5aa99284aefd37e7631586c499771 /testing/tests/ikev2 | |
parent | 372b7ac7e211ef34c889bbb2cdcd9473eabfcf28 (diff) | |
download | strongswan-158a62c326b654b3726349c43f712c5333f25f0b.tar.bz2 strongswan-158a62c326b654b3726349c43f712c5333f25f0b.tar.xz |
adapted ikev2 uml scenarios for the 4.2 version
Diffstat (limited to 'testing/tests/ikev2')
27 files changed, 115 insertions, 68 deletions
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 9aa53fb64..f15196024 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
+moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec listcrls:: ok::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 carol::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 05e818e21..d98df8c7c 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
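Review bot: In crl-from-cache/evaltest.dat the two removed `written crl file::NO` lines were the only negative assertions in the scenario, and the new list has none, so nothing here would fail if the daemon fetched a fresh CRL over the network instead of using the cached one. If the 4.2 daemon logs fetches the way the crl-ldap scenario in this commit expects (`fetching crl from`), adding `moon::cat /var/log/daemon.log::fetching crl from::NO` and the matching carol line would keep the from-cache property under test. The exact log wording should be confirmed against the daemon before it is added.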
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::loaded crl file::YES
 moon::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::sending ldap request::YES
-carol::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file::YES
-carol::cat /var/log/daemon.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 3d6cf72bb..2242746db 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,6 +1,5 @@
 moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES
-carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES
-moon::ipsec listcrls:: ok::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 00cafc130..ca0bdba44 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -1,11 +1,20 @@
-moon::cat /var/log/daemon.log::sending ldap request to::YES
-moon::cat /var/log/daemon.log::received valid ldap response::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
 carol::ipsec status::alice.*INSTALLED::YES
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
-
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 1e52d2273..3ac0adbb5 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,6 +1,4 @@ -moon::ipsec listcacerts --utc::status revoked on::YES moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf index 9b331f0a9..ef1beae7e 100755 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index 6cb0bd8ae..e4eafe966 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat 
@@ -1,12 +1,20 @@ +moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf index e1ee6e8d6..d0240a333 100755 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=no plutostart=no 
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index 6b849b811..c08a17943 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,8 +1,12 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
 moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
 carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 93d152f6b..768de938b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,9 +1,9 @@
 moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
 carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
-dave::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+dave::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::YES
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index f185536a6..939817d58 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables -F
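Review bot: In ocsp-no-signer-cert/posttest.dat, `moon::iptables -F` flushes every chain of the filter table on moon, while the scenario's pretest.dat inserts only a single OUTPUT rule. Deleting that rule with `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP` would leave any other rules on the host untouched and make the pairing with pretest.dat obvious. The reason for blocking port 80 towards winnetou is not stated anywhere in the change (presumably it keeps an HTTP fetch from succeeding), so a sentence in the scenario's description.txt would help. The same pair of lines is added to ocsp-untrusted-cert/pretest.dat and posttest.dat.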
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index eacb70c40..2c3196103 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::certificate was revoked on::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index a3a1df194..5bb322acc 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
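Review bot: In ocsp-revoked/evaltest.dat the added line `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed` has no third `::YES` field, unlike every other line in the file. Depending on how the evaluation script treats a line without an expected-result field, the check may be skipped or misread, and this is the line that asserts moon actually refuses authentication with the revoked certificate. It should end in `with RSA signature failed::YES`.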
@@ -1,6 +1,10 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::requesting ocsp status::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt index 492a9882b..7c7efb68e 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/description.txt +++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt @@ -4,7 +4,7 @@ is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer ce issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b> extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information access extension pointing to <b>winnetou</b>. -Therefore no special ca section information is needed in ipsec.conf. +Therefore no special ca section information is needed in moon's ipsec.conf. <p> <b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since the status of both certificates is <b>good</b>. diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat index 4a8ffd412..f8bf0326a 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat 
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat @@ -1,13 +1,12 @@ -moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::requesting ocsp status::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf index f8abd6b59..4011a6c17 100755 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf @@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + conn %default keyexchange=ikev2 ikelifetime=60m 
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 48f24aa8f..9f20ee81c 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,6 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::NO
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index 4c4059810..777c32699 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,9 +1,13 @@ -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -carol::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES +moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::libcurl http request failed::YES +carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES +carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf index d95a322bd..ff312cc6b 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf @@ -7,7 +7,8 @@ config setup ca strongswan-ca cacert=strongswanCert.pem - ocspuri2=http://bob.strongswan.org:8800 + ocspuri1=http://bob.strongswan.org:8800 + ocspuri2=http://ocsp.strongswan.org:8880 auto=add conn %default diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat index c9c09a72f..1b281507b 100644 
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index a0b6d681f..b47403756 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,2 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables -F
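Review bot: In ocsp-timeouts-unknown/evaltest.dat the new pattern `constraint check failed` is looser than in the sibling scenarios, which pin the validation states (`constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD` in ocsp-no-signer-cert and ocsp-untrusted-cert). The bare string also matches the CA constraint message `constraint check failed: peer not authenticated by` that the multi-level-ca scenarios grep for, so this check could pass on an unrelated failure. Appending the expected states, in the form the daemon logs them for this scenario, would tie the assertion to the OCSP timeout outcome.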
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat index d92333d86..afb64c3ed 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat @@ -1,3 +1,4 @@ +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 3421c6e0f..0598e1fb2 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,6 +1,7 @@ -moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES -moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES -moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES +moon::cat /var/log/daemon.log::certificate was revoked::YES +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES +moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES moon::ipsec statusall::carol.*ESTABLISHED::YES moon::ipsec statusall::dave.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index eb6feb6e2..8800c7ad5 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=yes plutostart=no |