authorAndreas Steffen <andreas.steffen@strongswan.org>2008-04-01 20:05:02 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2008-04-01 20:05:02 +0000
commit158a62c326b654b3726349c43f712c5333f25f0b (patch)
treee0dfe18c6ce5aa99284aefd37e7631586c499771 /testing/tests/ikev2
parent372b7ac7e211ef34c889bbb2cdcd9473eabfcf28 (diff)
adapted ikev2 uml scenarios for the 4.2 version
Diffstat (limited to 'testing/tests/ikev2')
-rw-r--r--testing/tests/ikev2/crl-from-cache/evaltest.dat14
-rw-r--r--testing/tests/ikev2/crl-ldap/evaltest.dat16
-rw-r--r--testing/tests/ikev2/crl-revoked/evaltest.dat5
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat15
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/evaltest.dat12
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/evaltest.dat6
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-revoked/evaltest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/evaltest.dat12
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/description.txt2
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/evaltest.dat17
-rwxr-xr-xtesting/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat16
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat8
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat1
-rw-r--r--testing/tests/ikev2/two-certs/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf1
27 files changed, 115 insertions, 68 deletions
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 9aa53fb64..f15196024 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
+moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec listcrls:: ok::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
carol::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
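Review bot: Both `written crl file::NO` assertions are dropped without a replacement, so nothing in this evaltest still shows that the CRL came from the local cache rather than from a fresh fetch. The scenario would pass equally if charon loaded the cached file and then fetched the CRL over the network anyway. A negative check such as `moon::cat /var/log/daemon.log::fetching crl from::NO` (and the same for carol) would restore that, assuming 4.2 logs fetches with the `fetching crl from` text that the crl-ldap scenario matches.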
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 05e818e21..d98df8c7c 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::loaded crl file::YES
moon::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
carol::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::sending ldap request::YES
-carol::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file::YES
-carol::cat /var/log/daemon.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 3d6cf72bb..2242746db 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,6 +1,5 @@
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES
-carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES
-moon::ipsec listcrls:: ok::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 00cafc130..ca0bdba44 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -1,11 +1,20 @@
-moon::cat /var/log/daemon.log::sending ldap request to::YES
-moon::cat /var/log/daemon.log::received valid ldap response::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
-
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 1e52d2273..3ac0adbb5 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,6 +1,4 @@
-moon::ipsec listcacerts --utc::status revoked on::YES
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES
moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::alice.*ESTABLISHED::NO
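Review bot: With `ipsec listcacerts --utc::status revoked on` removed, the remaining `certificate was revoked` pattern no longer says which certificate in the chain was revoked. Going by the scenario name, the revoked certificate is presumably an intermediate CA's, and the check as written would also pass if only carol's end-entity certificate were reported as revoked. If the 4.2 log line names the certificate subject, extending the pattern to it, in the style of the `crl correctly signed by.*Research CA` checks in multi-level-ca, would keep the test specific to the CA case.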
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index 9b331f0a9..ef1beae7e 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,11 @@ config setup
strictcrlpolicy=yes
plutostart=no
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/strongswan.crl
+ auto=add
+
conn %default
ikelifetime=60m
keylife=20m
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index 6cb0bd8ae..e4eafe966 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -1,12 +1,20 @@
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index e1ee6e8d6..d0240a333 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="cfg 2"
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index 6b849b811..c08a17943 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,8 +1,12 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 93d152f6b..768de938b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,9 +1,9 @@
moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
-dave::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+dave::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::YES
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index f185536a6..939817d58 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
moon::ipsec stop
carol::ipsec stop
+moon::iptables -F
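Review bot: `moon::iptables -F` flushes every rule in every filter chain on moon, not only the DROP rule that pretest.dat inserts, so any other rule the host or a later scenario relies on is lost as well. Deleting the exact rule keeps cleanup symmetric with setup: `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP`. The same applies to ocsp-untrusted-cert/posttest.dat. The purpose of the port-80 block is not recorded anywhere in the change (presumably it stops an HTTP CRL fetch from supplying a status after OCSP verification fails); a sentence in the scenario's description.txt would make that explicit.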
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index eacb70c40..2c3196103 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::certificate was revoked on::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
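Review bot: The added line `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed` has no trailing `::YES` field, unlike every other entry in these evaltest files. How the harness treats a three-field line is not visible here, but at best the expectation is implicit and at worst the check is skipped or misparsed, which would leave the revoked-certificate rejection on moon unverified. Append the result field: `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed::YES`.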
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index a3a1df194..5bb322acc 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -1,6 +1,10 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::requesting ocsp status::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt
index 492a9882b..7c7efb68e 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt
@@ -4,7 +4,7 @@ is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer ce
issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
in an authority information access extension pointing to <b>winnetou</b>.
-Therefore no special ca section information is needed in ipsec.conf.
+Therefore no special ca section information is needed in moon's ipsec.conf.
<p>
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index 4a8ffd412..f8bf0326a 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,13 +1,12 @@
-moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::requesting ocsp status::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
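Review bot: The open-ended pattern `ocsp response correctly signed by` accepts any signer, and with the `listocspcerts::altNames.*ocsp.strongswan.org` checks removed this evaltest now asserts the same log lines as ocsp-root-cert. Nothing left here shows that the response was verified against the delegated OCSP signer certificate that the scenario is about. Either keep a `listocspcerts` check as ocsp-local-cert does, if 4.2 still lists the received signer certificate, or extend the pattern with the signer's subject, `ocsp response correctly signed by.*<signer subject>`.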
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index f8abd6b59..4011a6c17 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -5,6 +5,11 @@ config setup
strictcrlpolicy=yes
plutostart=no
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
conn %default
keyexchange=ikev2
ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 48f24aa8f..9f20ee81c 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,6 +1,7 @@
moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::NO
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index 4c4059810..777c32699 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,9 +1,13 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-carol::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::libcurl http request failed::YES
+carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index d95a322bd..ff312cc6b 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -7,7 +7,8 @@ config setup
ca strongswan-ca
cacert=strongswanCert.pem
- ocspuri2=http://bob.strongswan.org:8800
+ ocspuri1=http://bob.strongswan.org:8800
+ ocspuri2=http://ocsp.strongswan.org:8880
auto=add
conn %default
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index c9c09a72f..1b281507b 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index a0b6d681f..b47403756 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,2 +1,3 @@
moon::ipsec stop
carol::ipsec stop
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 3421c6e0f..0598e1fb2 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES
+moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES
moon::ipsec statusall::carol.*ESTABLISHED::YES
moon::ipsec statusall::dave.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index eb6feb6e2..8800c7ad5 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="cfg 2"
crlcheckinterval=180
strictcrlpolicy=yes
plutostart=no