diff options
Diffstat (limited to 'testing/tests/tnc/tnccs-20-tls')
14 files changed, 177 insertions, 104 deletions
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat index fe1becb97..9d5cb066a 100644 --- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf deleted file mode 100644 index eece9f294..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index 6c7ef551f..73f32424e 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..7898275dd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs = carolCert.pem + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 362042656..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 67c3007f4..07df4c086 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..73c379cd2 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs =daveCert.pem + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 0ec930286..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid="C=CH, O=Linux strongSwan, OU=*, CN=*" - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index a408b734e..7aef92f39 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imv = 2 + } + } plugins { eap-ttls { request_peer_auth = yes @@ -13,3 +26,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..99ef2c98c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,50 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index 85622034d..709a7714b 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -4,10 +4,10 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-tls/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 |