testing: Adapt tests to retransmission settings and reduce DPD delay/timeout

author: Tobias Brunner <tobias@strongswan.org> 2015-11-05 14:55:14 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2015-11-09 15:18:34 +0100
commit: f36b6d49af0833bdb8134683c336416836de20f9 (patch)
tree: a348ebf58ae53cbb65a7b9f0e7622ba4b5cb8ccb /testing/tests/ikev2
parent: 50a43fbb974b49ae24ff79cb0739e609baf1f839 (diff)
download: strongswan-f36b6d49af0833bdb8134683c336416836de20f9.tar.bz2
strongswan-f36b6d49af0833bdb8134683c336416836de20f9.tar.xz
9 files changed, 15 insertions, 19 deletions
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt
index 7f62dc576..0fb2f1064 100644
--- a/testing/tests/ikev2/dpd-clear/description.txt
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
 which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
 When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
 
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index c1a271903..2071e8fc8 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,8 +1,8 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 180::no output expected::NO
+moon:: sleep 13::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
 moon:: cat /var/log/daemon.log::retransmit.*of request::YES
-moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 4c035a6e9..c7514fafe 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -2,13 +2,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::ping -c 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 2::no output expected::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 962bd0636..744307998 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
index e74ee1569..3e441b2fe 100644
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
 The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The IKE daemon resolves the
 fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
 /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
 IP address under the condition that the peer identity remains unchanged. When this happens
 the old tunnel is replaced by an IPsec connection to the new origin.
 <p>
 In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
 suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
 old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index 221c59318..28c403b55 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,7 +1,7 @@
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::sleep 15::NO
+carol::sleep 11::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
index 9ee5db95b..ad7de9ecc 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -6,5 +6,5 @@ OCSP server is listening. Thanks to timeouts the connection can nevertheless
 be established successfully by contacting a valid OCSP URI contained in
 <b>carol</b>'s certificate.
 <p>
-As an additional test the OCSP response is delayed by 5 seconds in order to check
+As an additional test the OCSP response is delayed by a few seconds in order to check
 the correct handling of retransmitted IKE_AUTH messages.
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index aa70321d5..46a716f83 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,7 +6,7 @@ echo "Content-type: application/ocsp-response"
 echo ""
 
 # simulate a delayed response
-sleep 5
+sleep 2
 
 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
 	-rkey ocspKey.pem -rsigner ocspCert.pem \
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 2b80853c6..094e0effa 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,4 @@
 
 charon {
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3 
 }
author	Tobias Brunner <tobias@strongswan.org>	2015-11-05 14:55:14 +0100
committer	Tobias Brunner <tobias@strongswan.org>	2015-11-09 15:18:34 +0100
commit	f36b6d49af0833bdb8134683c336416836de20f9 (patch)
tree	a348ebf58ae53cbb65a7b9f0e7622ba4b5cb8ccb /testing/tests/ikev2
parent	50a43fbb974b49ae24ff79cb0739e609baf1f839 (diff)
download	strongswan-f36b6d49af0833bdb8134683c336416836de20f9.tar.bz2 strongswan-f36b6d49af0833bdb8134683c336416836de20f9.tar.xz