diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-02-28 22:25:50 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-02-28 22:25:50 +0100 |
commit | efefa0c6a1e0168508d26d48d04b9b1d5da9b3b7 (patch) | |
tree | e4d736074a0feca3971197c322fb625a48e44e52 /testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc | |
parent | 13891e2a4f1ec7444827234eb9f58c83df32ebcc (diff) | |
download | strongswan-efefa0c6a1e0168508d26d48d04b9b1d5da9b3b7.tar.bz2 strongswan-efefa0c6a1e0168508d26d48d04b9b1d5da9b3b7.tar.xz |
testing: Added swanctl/shunt-policies-nat-rw
Diffstat (limited to 'testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc')
3 files changed, 67 insertions, 0 deletions
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..38794af25 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2f21d4a9b --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + nat-t { + local_addrs = 192.168.0.2 + pools = rw_pool + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 0.0.0.0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} |