diff options
Diffstat (limited to 'testing/tests/ikev2')
75 files changed, 634 insertions, 125 deletions
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 2242746db..62ed8676a 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt new file mode 100644 index 000000000..3641d09ff --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b> +using multiple authentication exchanges (RFC 4739). In a first round +both <b>carol</b> and <b>moon</b> authenticate themselves by sending +an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<p> +In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i> +in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to +authenticate herself against the remote RADIUS server <b>alice</b>. +In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b> +are used instead of a physical SIM card on the client <b>carol</b>. +The gateway forwards all EAP messages to the RADIUS server <b>alice</b> +which also uses a static triplets file. +<p> +The roadwarrior <b>dave</b> also uses multiple authentication and succeeds +in the first round but sends wrong EAP-SIM triplets in the second round. +As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b> +message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat new file mode 100644 index 000000000..d64b3da7d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -0,0 +1,21 @@ +moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES +moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..a2020424e --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..d77b818fe --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,123 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf + sim_files { + simtriplets = "/etc/raddb/triplets.dat" + } +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..dfceb037d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,62 @@ +authorize { + preprocess + chap + mschap + sim_files + suffix + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat new file mode 100644 index 000000000..002ee94d1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat @@ -0,0 +1,7 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB +228060123456002,33000000000000000000000000000000,33112233,335566778899AABB +228060123456002,34000000000000000000000000000000,34112233,345566778899AABB +228060123456002,35000000000000000000000000000000,35112233,355566778899AABB + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..26cc0cd92 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftauth=pubkey + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftauth2=eap + leftid2=228060123456001@strongswan.org + eap_identity=228060123456001 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=pubkey + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..c167ba940 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..6a2aea811 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 40eb84b8a..cc451fc8d 100644 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown } diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf index ea8bc92a7..f8c52be78 100755 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no plutostart=no conn %default @@ -10,14 +8,20 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 + authby=eap conn home left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org leftfirewall=yes + leftauth=pubkey + leftid=dave@strongswan.org + leftcert=daveCert.pem + leftauth2=eap + leftid2=228060123456002@strongswan.org + eap_identity=228060123456002 right=PH_IP_MOON - rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - keyexchange=ikev2 + rightauth=pubkey + rightid=@moon.strongswan.org auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..b8b86c875 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456002,33000000000000000000000000000000,33112244,335566778899AABB +228060123456002,34000000000000000000000000000000,34112244,345566778899AABB +228060123456002,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..9031f323a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..cc451fc8d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..37d23b1f5 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-mult + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + leftauth=pubkey + leftid=@moon.strongswan.org + leftcert=moonCert.pem + right=%any + rightauth=pubkey + rightid=*@strongswan.org + rightauth2=eap-radius + eap_identity=%any + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..10414b29a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown + plugins { + eap_radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat new file mode 100644 index 000000000..dbe56013a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat new file mode 100644 index 000000000..b3fd4cbf1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::cat /etc/raddb/clients.conf +alice::cat /etc/raddb/eap.conf +alice::cat /etc/raddb/proxy.conf +alice::cat /etc/raddb/triplets.dat +alice::/etc/init.d/radiusd start +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt index 0ace25731..602d026c2 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>, respectively. +the responders <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf index 12f0c95bf..4c84d183b 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf @@ -25,12 +25,12 @@ conn alice leftsubnet=PH_IP_ALICE/32 right=PH_IP_CAROL rightid=carol@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=PH_IP_DAVE rightid=dave@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt index b26c8c5d0..06f9f6b91 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>. +the initiators <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat index d2453bbee..4b827b4dd 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat @@ -7,6 +7,6 @@ moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::alice.*INSTALLED::YES dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status::venus.*INSTALLED::YES diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf index d0240a333..75138581e 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf @@ -24,11 +24,11 @@ conn %default conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 8656c8e3a..4a1c7208b 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat index c60f722ec..0b7b02801 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat @@ -1,4 +1,4 @@ moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::alice.*INSTALLED::NO moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 3ac0adbb5..182f9e0fc 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO carol::ipsec status::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt index 86cbbc58b..6467d5222 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/description.txt +++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt @@ -2,6 +2,6 @@ By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on all peers. The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and <b>venus</b> to anyone presenting a certificate belonging to a trust -chain anchored in strongSwan Root CA. Therefore both road warriors +chain anchored in the strongSwan Root CA. Therefore both road warriors <b>carol</b> and <b>dave</b>, holding certificates from the Research CA and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>. diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index 8ba69ff9b..b0814556d 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index 939817d58..a0a045ce8 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,6 +1,7 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 9f20ee81c..2e0f059c6 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES moon::cat /var/log/daemon.log::libcurl http request failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::NO carol::ipsec status::ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index b47403756..45c6ce7c5 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat index 7ce2bf147..7f083a05e 100644 --- a/testing/tests/ikev2/reauth-late/evaltest.dat +++ b/testing/tests/ikev2/reauth-late/evaltest.dat @@ -1,7 +1,7 @@ moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES carol::ipsec statusall::home\[2\].*ESTABLISHED::YES -carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, scheduling reauthentication in 3595s::YES carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES +carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index d5cbbdbf7..661e6cfe7 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,6 +1,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 5de841c03..e12643ef7 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 6c73054d7..2ee440cdb 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index 444362a86..5e8dce9cf 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index d8708d122..5b632bfe8 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,7 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES -moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES +moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt index 887d3f467..0531a559f 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt @@ -9,5 +9,5 @@ are used instead of a physical SIM card on the client <b>carol</b> and the gateway forwards all EAP messages to the RADIUS server <b>alice</b> which also uses static triplets. In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP -identity <b>232420100000015</b>. +identity <b>228060123456001</b>. diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index 4e7cbcc4c..4305a1400 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat index 2a750029f..c167ba940 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat @@ -1,3 +1,3 @@ -232420100000015,30000000000000000000000000000000,30112233,305566778899AABB -232420100000015,31000000000000000000000000000000,31112233,315566778899AABB -232420100000015,32000000000000000000000000000000,32112233,325566778899AABB +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf index 404589348..94186cfa9 100755 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf @@ -16,7 +16,7 @@ conn home leftnexthop=%direct leftid=carol@strongswan.org leftfirewall=yes - eap_identity=232420100000015 + eap_identity=228060123456001 right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index cd4b43cca..5fae7ecd5 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES @@ -8,7 +8,7 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::ipsec statusall::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt index 46ca8fec1..94ffaa487 100644 --- a/testing/tests/ikev2/two-certs/description.txt +++ b/testing/tests/ikev2/two-certs/description.txt @@ -1,6 +1,7 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each -to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b> -and a self-signed certificate for <b>dave</b> locally but gets actual certificates -as CERT payloads from both peers. The RSA signature verification process tries all -candidate peer certificates until it finds a valid one with a matching public key. +The roadwarrior <b>carol</b> possesses two different X.509 certificates plus +matching RSA private keys. With the first certificate <b>carol</b> authenticates +a tunnel connection to gateway <b>moon</b> in order to reach client <b>alice</b> +and presents the second certificate in order to reach client <b>venus</b> using +the identity <b>carol@strongswan.org</b> for both IKE security associations. +Therefore the RSA signature verification process on <b>moon</b> tries all +candidate peer certificates until it finds the correct RSA public key. diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 0598e1fb2..d32e32660 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,15 +1,12 @@ -moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES -moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES -moon::ipsec statusall::carol.*ESTABLISHED::YES -moon::ipsec statusall::dave.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES +moon::ipsec statusall::alice.*INSTALLED::YES +carol::ipsec statusall::alice.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES +moon::ipsec statusall::venus.*INSTALLED::YES +carol::ipsec statusall::venus.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index bcdb8641b..9129f160b 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup crlcheckinterval=180 - strictcrlpolicy=no + strictcrlpolicy=yes plutostart=no conn %default @@ -10,14 +10,20 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - -conn home + keyexchange=ikev2 left=PH_IP_CAROL - leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 + +conn alice + leftcert=carolCert.pem + rightsubnet=10.1.0.10/32 + auto=add + +conn venus + leftcert=carolCert-002.pem + rightsubnet=10.1.0.20/32 auto=add + diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem new file mode 100644 index 000000000..4ebebba5a --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c +6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH +8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1 +XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n +hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9 +0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/ +rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE +FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl +4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n +U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB +FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j +cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM +Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma +/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS +KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu +9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx +fmSZH0LzbAm+7XFrP71rBSJUaUI= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem new file mode 100644 index 000000000..aec8e7a33 --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk +g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS +wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34 +mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f +U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m +yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ +u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y +EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP +/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y +UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0 +TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx +u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv +Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ +lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC +jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs +tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq +1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq +WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr +ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl +Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC +AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn +aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN +9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo +/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F +PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..2181f94ce --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: RSA carolKey-002.pem diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index 8800c7ad5..a93ccbc9a 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -3,8 +3,14 @@ config setup crlcheckinterval=180 strictcrlpolicy=yes + uniqueids=no plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m @@ -13,19 +19,16 @@ conn %default left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightid=carol@strongswan.org keyexchange=ikev2 -conn carol - rightid=carol@strongswan.org - rightcert=carolRevokedCert.pem +conn alice + leftsubnet=10.1.0.10/32 auto=add -conn dave - rightid=dave@strongswan.org - rightcert=daveCert.der - rightca=%any +conn venus + leftsubnet=10.1.0.20/32 auto=add diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem deleted file mode 100644 index 5b742fc9e..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV -mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo -5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv -VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN -IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 -K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 -OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB -56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM -2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q -O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL -LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 -wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N -9IcgYi5x ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der Binary files differdeleted file mode 100644 index 6c4f37c27..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der +++ /dev/null diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat index 195065a5f..a1f067838 100644 --- a/testing/tests/ikev2/two-certs/posttest.dat +++ b/testing/tests/ikev2/two-certs/posttest.dat @@ -1,7 +1,6 @@ moon::ipsec stop carol::ipsec stop -dave::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat index 42e9d7c24..716cf71e8 100644 --- a/testing/tests/ikev2/two-certs/pretest.dat +++ b/testing/tests/ikev2/two-certs/pretest.dat @@ -1,9 +1,8 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start -dave::ipsec start carol::sleep 1 -carol::ipsec up home -dave::ipsec up home +carol::ipsec up alice +carol::ipsec up venus +carol::sleep 1 diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf index 70416826e..d0306cd25 100644 --- a/testing/tests/ikev2/two-certs/test.conf +++ b/testing/tests/ikev2/two-certs/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +UMLHOSTS="alice venus moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d.png" +DIAGRAM="a-v-m-c-w-d.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol dave" +IPSECHOSTS="moon carol" |