authorAndreas Steffen <andreas.steffen@strongswan.org>2011-06-02 12:36:27 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-06-02 12:36:27 +0200
commit51679e67c9d926b12779f8fea6e07a4ff335c497 (patch)
tree7afdf7ad37ffe57c56e822d231519dae8674d28d /testing
parentad963975aa0a8e08642417958255f9da0b83a372 (diff)
ikev2/rw-eap-tnc-11-radius scenario now uses a PA-TNC IMC/IMV pair
Diffstat (limited to 'testing')
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt5
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/strongswan.conf9
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config2
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config2
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat2
13 files changed, 49 insertions, 10 deletions
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
index 7eebd3d4d..69ed1601d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
@@ -6,5 +6,6 @@ the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements exchanged
+via the <b>IF-M</b> (RFC 5792 PA-TNC) protocol, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/strongswan.conf
index e79fe2c92..323bc37d7 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/strongswan.conf
@@ -1 +1,10 @@
# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ debug_level = 3
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
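Review bot: Nothing in the new file marks the DEBUG levels as a test-only choice: both `log4j.rootLogger=DEBUG, A1, A2` and `log4j.appender.A2.Threshold=DEBUG` send full debug output to the console and to the local syslog daemon on the RADIUS host. Depending on what the TNC server logs at that level, this may put per-client health assessment details into syslog, which usually has wider read access and longer retention than a test log. A header comment such as `# Test scenario only: DEBUG to console and syslog; raise the level before reusing this file` would stop the file from being copied unchanged into a real deployment.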
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
index a9509a716..1bd0757e7 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
@@ -1,3 +1,3 @@
#IMV configuration file for TNC@FHH-TNC-Server
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
+IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
index f9a508a1d..a639b0426 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
plutostart=no
- charondebug="tnc 3"
+ charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
index c12143cb1..f6dc2dcbc 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
@@ -4,3 +4,11 @@ charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
multiple_authentication=no
}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
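Review bot: The added `imc-test { command = allow }` block has no comment saying that the client itself chooses the outcome here, and the same applies to the `command = isolate` block in dave's strongswan.conf. Going by the scenario description, the test IMV on alice appears to base its recommendation on this value, so the pair exercises the PA-TNC message path without measuring anything on the endpoint. A line above the block such as `# test IMC: the configured command is reported to the IMV as-is, no real health measurement` would make clear that this is a protocol test fixture and not a template for posture enforcement. The enclosing `charon` section starts outside the hunk.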
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
index a5a9a68f3..a39922ddb 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
@@ -1,3 +1,3 @@
#IMC configuration file for strongSwan client
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
index 74e0d1a56..5da78b4ab 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
plutostart=no
- charondebug="tnc 3"
+ charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
index c12143cb1..0a132cae3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
@@ -4,3 +4,11 @@ charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
multiple_authentication=no
}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = isolate
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
index a5a9a68f3..a39922ddb 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
@@ -1,3 +1,3 @@
#IMC configuration file for strongSwan client
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
index 56136f00f..b663661e3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
@@ -3,7 +3,7 @@ carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 radiusd
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
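Review bot: The changed `radiusd` line now depends on `/etc/tnc/log4cxx.properties`, but the pretest never records that file the way the following lines record `/etc/tnc_config` on each host. If the file is missing or not copied to alice, the logging library will presumably fall back to its defaults and the test log will give no hint why the `[FHH]` output is absent. Adding `alice::cat /etc/tnc/log4cxx.properties` before the `radiusd` line would capture the effective logging configuration in the test record, matching how the other inputs are handled.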