authorAndreas Steffen <andreas.steffen@strongswan.org>2006-09-18 07:41:54 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2006-09-18 07:41:54 +0000
commit957115957a805c62f80d08ef61760195b1bff37a (patch)
tree5ac362ecb824fd1791f77e85a6fb9ada712d3bc2 /testing
parentf9aa9e2977b4415251ac011d202b4830af442134 (diff)
enabled firewall support
Diffstat (limited to 'testing')
-rw-r--r--testing/tests/ikev2/crl-revoked/description.txt6
-rw-r--r--testing/tests/ikev2/crl-strict/description.txt2
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/default-keys/posttest.dat4
-rw-r--r--testing/tests/ikev2/default-keys/pretest.dat3
-rw-r--r--testing/tests/ikev2/host2host-cert/description.txt3
-rwxr-xr-xtesting/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/host2host-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-cert/pretest.dat2
-rwxr-xr-xtesting/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/host2host-swapped/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-swapped/pretest.dat2
-rw-r--r--testing/tests/ikev2/net2net-cert/description.txt4
-rwxr-xr-xtesting/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf5
-rwxr-xr-xtesting/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/net2net-cert/posttest.dat6
-rw-r--r--testing/tests/ikev2/net2net-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-route/description.txt3
-rwxr-xr-xtesting/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/net2net-route/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-route/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-start/description.txt3
-rwxr-xr-xtesting/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/net2net-start/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-start/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-cert/description.txt10
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-cert/pretest.dat4
36 files changed, 94 insertions, 32 deletions
diff --git a/testing/tests/ikev2/crl-revoked/description.txt b/testing/tests/ikev2/crl-revoked/description.txt
index dcb6e5a90..b39c59c97 100644
--- a/testing/tests/ikev2/crl-revoked/description.txt
+++ b/testing/tests/ikev2/crl-revoked/description.txt
@@ -1,4 +1,4 @@
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. <b>carol</b> initiates
-the connection and presents a certificate that has been revoked by the
-current CRL.Therefore the IKE negotiation fails
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
+initiates the connection and presents a certificate that has been revoked by the
+current CRL causing the IKE negotiation to fail.
diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt
index 8024eb3d4..b2b70906f 100644
--- a/testing/tests/ikev2/crl-strict/description.txt
+++ b/testing/tests/ikev2/crl-strict/description.txt
@@ -1,2 +1,2 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index 7d720a81a..89597660f 100755
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftcert=selfCert.der
leftsendcert=never
+ leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightcert=peerCert.der
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index 34da3d685..7e53917a6 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn carol
left=PH_IP_MOON
@@ -16,8 +17,7 @@ conn carol
leftcert=selfCert.der
leftsendcert=never
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=%any
rightcert=peerCert.der
- keyexchange=ikev2
auto=add
-
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 1e7441126..52b48b9ef 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
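Review bot: The added `moon::iptables -v -n -L` and `carol::iptables -v -n -L` lines only dump the rule tables to the console; nothing in this commit asserts that the rules inserted by leftfirewall=yes are actually present, as the diffstat shows no evaltest.dat being touched for any scenario. Without a matching evaltest check on that listing, a scenario whose description now claims to test the firewall would still pass if the updown script never inserted a rule. Consider adding an evaltest line that matches the expected ACCEPT rules in the `iptables -v -n -L` output for each host. The same applies to the posttest hunks of host2host-cert, host2host-swapped, net2net-cert, net2net-route, net2net-start and rw-cert.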
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 416ffcb9f..3e31e0e9e 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,4 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
carol::rm /etc/ipsec.secrets
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
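Review bot: Dropping `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` leaves no visible step that enables forwarding on moon, yet carol's connection still carries `rightsubnet=10.1.0.0/16`; presumably the iptables init script now takes care of ip_forward, but that dependency is not stated anywhere in the diff, so a reader of the test cannot tell whether the removal is intentional. If that is the intent, a sentence in the scenario's description.txt should say so; otherwise keep the echo next to the new iptables start. Separately, the `2> /dev/null` on `/etc/init.d/iptables start` hides a failing service start, so a host without a working firewall would silently run the scenario without the rules under test; dropping the redirect, or at least leaving the error visible in the console log, would make such a failure noticeable. The same pattern appears in the pretest hunks of net2net-cert, net2net-route, net2net-start and rw-cert.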
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 547fba754..6be21bf8f 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,3 +1,4 @@
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index e15faa133..5ace1ba64 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn host-host
left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
+ leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 311aa00ef..d127fda46 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn host-host
left=PH_IP_SUN
leftnexthop=%direct
leftcert=sunCert.pem
leftid=@sun.strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index dff181797..52979508d 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 3cf9fe3d2..52a519698 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index b544d3a63..7a5c3a2ca 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn host-host
right=PH_IP_MOON
rightnexthop=%direct
rightcert=moonCert.pem
rightid=@moon.strongswan.org
+ rightfirewall=yes
left=PH_IP_SUN
leftid=@sun.strongswan.org
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index db1e72ab4..9add2f169 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn host-host
right=PH_IP_SUN
rightnexthop=%direct
rightcert=sunCert.pem
rightid=@sun.strongswan.org
+ rightfirewall=yes
left=PH_IP_MOON
leftid=@moon.strongswan.org
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index dff181797..52979508d 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 3cf9fe3d2..52a519698 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-cert/description.txt b/testing/tests/ikev2/net2net-cert/description.txt
index 15c9e6498..7eea9192f 100644
--- a/testing/tests/ikev2/net2net-cert/description.txt
+++ b/testing/tests/ikev2/net2net-cert/description.txt
@@ -1,4 +1,6 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
index 8fdb45ec1..a3213b9bf 100755
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
-
+ keyexchange=ikev2
+
conn net-net
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
index 32697a87a..06bf64bd9 100755
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index 684275cba..b434a9610 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
-sun::rm /etc/ipsec.d/crls/*
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
+sun::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 75324a1d0..0cd81d154 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
sun::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt
index 7bd102e8b..323f09555 100644
--- a/testing/tests/ikev2/net2net-route/description.txt
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -4,3 +4,6 @@ on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index f456049fc..b805c0620 100755
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn net-net
leftsubnet=10.1.0.0/16
leftcert=moonCert.pem
leftid=@moon.strongswan.org
+ leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
index 32697a87a..06bf64bd9 100755
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index dff181797..52979508d 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2665f4df6..2eef7de19 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt
index b2b897cb4..f5320685e 100644
--- a/testing/tests/ikev2/net2net-start/description.txt
+++ b/testing/tests/ikev2/net2net-start/description.txt
@@ -3,3 +3,6 @@ respectively, is automatically established by means of the setting
<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 66c77fdfe..a96cde351 100755
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -9,12 +9,12 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- leftnexthop=%direct
keyexchange=ikev2
conn net-net
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
+ leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index 32697a87a..ec127a487 100755
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,16 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
+ leftnexthop=%direct
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index dff181797..52979508d 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 334465b8f..6e41d5245 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
sun::ipsec start
sun::sleep 2
moon::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/description.txt b/testing/tests/ikev2/rw-cert/description.txt
index 89fcecf75..15b3822b5 100644
--- a/testing/tests/ikev2/rw-cert/description.txt
+++ b/testing/tests/ikev2/rw-cert/description.txt
@@ -1,4 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 473393014..a8eee1ffd 100755
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn home
leftnexthop=%direct
leftcert=carolCert.pem
leftid=carol@strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 5d78605e9..1fb8203ce 100755
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn home
leftnexthop=%direct
leftcert=daveCert.pem
leftid=dave@strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 9a4f1af99..655c7c44f 100755
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn rw
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=%any
keyexchange=ikev2
auto=add
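Review bot: `keyexchange=ikev2` stays inside `conn rw` here, while the other ipsec.conf files in this commit (default-keys, host2host-cert, host2host-swapped, net2net-cert, net2net-route sun, net2net-start) move it into `conn %default` alongside the new leftfirewall setting. Moving it for this file too would keep the scenarios consistent and avoid a per-conn override that can be forgotten when further connections are added to moon. The start of `conn rw` and the `conn %default` section lie outside the hunk, so the %default block would need to be checked before the move.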
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 2a130b7bf..5f72643b4 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,12 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
dave::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index b4340a759..d917ec4f8 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,4 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl