author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-03-10 08:02:44 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-03-10 13:59:37 +0100 |
commit | 90ef7e8af61ca85a3c02cae086f1f110e3088fbb (patch) | |
tree | 7cb18e7959041562683ee172af2b40eb751caf51 /testing/tests | |
parent | 1d86d1d65af61f123269f0c09bfd5039af7b63ab (diff) | |
download | strongswan-90ef7e8af61ca85a3c02cae086f1f110e3088fbb.tar.bz2 strongswan-90ef7e8af61ca85a3c02cae086f1f110e3088fbb.tar.xz |
Updated swanctl/rw-psk-ikev1 scenario
Diffstat (limited to 'testing/tests')
5 files changed, 36 insertions, 28 deletions
diff --git a/testing/tests/swanctl/rw-psk-ikev1/description.txt b/testing/tests/swanctl/rw-psk-ikev1/description.txt index 438a2f338..73aac6fe6 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/description.txt +++ b/testing/tests/swanctl/rw-psk-ikev1/description.txt @@ -1,10 +1,15 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each -to gateway <b>moon</b>. The authentication is based on two <b>pre-shared keys</b> -bound to the two distinct gateway identities <b>moon1.strongswan.org</b> and -<b>moon2.strongswan.org</b>. On the gateway these two identities are bound to -two disjoint sets of client IP address ranges which allows IKEv1 Main Mode -to select the correct connection definition and via the gateway identity the -correct PSK. +to gateway <b>moon</b>. The IKEv1 main mode authentication is based on +<b>pre-shared keys</b> and <b>IPv4 address</b> identities. +On the gateway two connections with differing parameters are defined: +One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from +the range <b>192.168.0.150-192.168.0.200</b>. +<p/> +On the gateway for different shared keys are defined for the following +hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>, +<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and +<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b> +the fourth PSK. <p/> Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat index 0fcf54241..96d74c877 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat 
@@ -1,11 +1,13 @@
+dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
+moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
 venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32] moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf index cedb76619..dcfcd0b4e 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -6,11 +6,9 @@ connections { local { auth = psk - id = carol@strongswan.org } remote { auth = psk - id = moon1.strongswan.org } children { home { @@ -27,10 +25,9 @@ connections { secrets { - ike-moon1 { - id = moon1.strongswan.org + ike-moon { + id = 192.168.0.1 # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx secret = 0x16964066a10de938bdb2ab7864fe4459cab1 } } - diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf index 6ea10576f..8cd79ea20 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf 
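Review bot: The two new daemon.log checks at the top of the evaltest.dat hunk only confirm that _updown logs the widening of 10.1.0.17..10.1.0.20 to the next larger subnet; nothing asserts that the widened iptables rule still confines traffic to the negotiated selector. Any enclosing subnet necessarily admits addresses outside the range, so enforcement of the narrow selector falls to the IPsec policy rather than the firewall; a negative probe from an address inside the approximated subnet but outside the range, modelled on the existing `alice::ping -c 1 -W 1 192.168.0.200 ... ::NO` lines, would document that the tunnel still rejects it (the same range is introduced as `remote_ts = 10.1.0.17-10.1.0.20` in dave's swanctl.conf and `local_ts = 10.1.0.17-10.1.0.20` in moon's). Separately, the four `--list-sas` lines as rendered here end after `remote-ts=...` without the `::YES` result column every other line carries; if that is not a rendering artifact of this page, each needs its trailing `::YES`.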
@@ -6,15 +6,13 @@ connections { local { auth = psk - id = dave@strongswan.org } remote { auth = psk - id = moon2.strongswan.org } children { home { - remote_ts = 10.1.0.16/28 + remote_ts = 10.1.0.17-10.1.0.20 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes192gcm128-modp3072 @@ -27,8 +25,8 @@ connections { secrets { - ike-moon2 { - id = moon2.strongswan.org + ike-moon { + id = 192.168.0.1 secret = 0sjVzONCF02ncsgiSlmIXeqhGN } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf index 30870be31..be1bf8afe 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -6,7 +6,6 @@ connections { local { auth = psk - id = moon1.strongswan.org } remote { auth = psk @@ -25,18 +24,17 @@ connections { rw-2 { local_addrs = 192.168.0.1 - remote_addrs = 192.168.0.192/28 + remote_addrs = 192.168.0.150-192.168.0.200 local { auth = psk - id = moon2.strongswan.org } remote { auth = psk } children { net-2 { - local_ts = 10.1.0.16/28 + local_ts = 10.1.0.17-10.1.0.20 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes192gcm128-modp3072 @@ -50,12 +48,20 @@ connections { secrets { - ike-moon1 { - id = moon1.strongswan.org + ike-any { + id = 0.0.0.0/0 0::0/0 + secret = 0soBAJZLI7Bwwi61Rl113FqD/3 + } + ike-rw-1 { + id = 192.168.0.96/28 secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx } - ike-moon2 { - id = moon2.strongswan.org + ike-rw-2 { + id = 192.168.0.150-192.168.0.200 + secret = 0s8qPdxyhDeGfk1l211cS8urXc + } + ike-dave { + id = 192.168.0.200 secret = 0sjVzONCF02ncsgiSlmIXeqhGN } } |
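Review bot: The new `ike-any` entry in moon's secrets hunk binds a PSK to `0.0.0.0/0 0::0/0`, so any address can start IKEv1 main mode against moon with that key; the scenario appears to rely on the most specific id match winning (carol at 192.168.0.100 falling into `ike-rw-1`, dave at 192.168.0.200 into `ike-dave`), but nothing in the hunk says so. A comment on the entry such as `# catch-all fallback; the more specific id matches below take precedence` would make the intended selection order explicit for readers reusing this layout. Note also that carol's secret (`0x16964066a10de938bdb2ab7864fe4459cab1`, documented in carol's swanctl.conf as equal to `0sFpZAZqEN6Ti9sqt4ZP5EWcqx`) is the `ike-rw-1` key rather than the `ike-any` one, which contradicts the updated description.txt stating that carol uses the first PSK. The `secrets` block closes within the hunk.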