diff options
Diffstat (limited to 'testing')
104 files changed, 1010 insertions, 214 deletions
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index 64b725536..9e5194ebc 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -18,3 +18,4 @@ V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongs V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org V 120425210745Z 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org +V 140406120117Z 15 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index 12025d75c..64b725536 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -11,9 +11,10 @@ V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA -V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org +R 100607191714Z 070427213122Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org +V 120425210745Z 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/15.pem b/testing/hosts/winnetou/etc/openssl/newcerts/15.pem new file mode 100644 index 000000000..4ebebba5a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/15.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c +6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH +8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1 +XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n +hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9 +0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/ +rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE +FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl +4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n +U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB +FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j +cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM +Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma +/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS +KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu +9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx +fmSZH0LzbAm+7XFrP71rBSJUaUI= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index 60d3b2f4a..b6a7d89c6 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -15 +16 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index 8351c1939..60d3b2f4a 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -14 +15 diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh index 22fce327c..917c972c7 100755 --- a/testing/scripts/function.sh +++ b/testing/scripts/function.sh @@ -83,3 +83,47 @@ function searchandreplace { rm -f "$TMPFILE" } + +############################################# +# add a bridge +# + +function umlbr_add { + brctl addbr "umlbr$1" + brctl setfd "umlbr$1" 0 + brctl setageing "umlbr$1" 3600 + brctl stp "umlbr$1" off + ifconfig "umlbr$1" "$2" netmask "$3" up +} + +############################################# +# delete a bridge +# + +function umlbr_del { + ifconfig "umlbr$1" down &> /dev/null 2>&1 + brctl delbr "umlbr$1" &> /dev/null 2>&1 +} + +############################################# +# add a tap interface to a bridge +# + +function umlbr_add_tap { + tunctl -t "tap$1_$2" &> /dev/null 2>&1 + ifconfig "tap$1_$2" 0.0.0.0 promisc up &> /dev/null 2>&1 + brctl addif "umlbr$1" "tap$1_$2" &> /dev/null 2>&1 + cecho-n "$2.." + } + +############################################# +# delete a tap interface from a bridge +# + +function umlbr_del_tap { + ifconfig "umlbr$2" down &> /dev/null 2>&1 + brctl delif "umlbr$1" "tap$1_$2" &> /dev/null 2>&1 + tunctl -d "tap$1_$2" &> /dev/null 2>&1 + cecho-n "$2.." + } + diff --git a/testing/scripts/start-bridges b/testing/scripts/start-bridges new file mode 100755 index 000000000..676f80951 --- /dev/null +++ b/testing/scripts/start-bridges @@ -0,0 +1,66 @@ +#!/bin/bash +# start the UML bridges in the kernel using the brctl command +# +# Copyright (C) 2009 Andreas Steffen +# HSR Hochschule fuer Technik Rapperswil +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: $ + +DIR=`dirname $0` + +source $DIR/function.sh + +# create umlbr1 and its taps +# +if [ `brctl show | grep umlbr1 | wc -l` -eq 1 ] +then + cecho " * Great, umlbr1 is already running!" +else + cecho-n " * Starting umlbr1 with taps.." + umlbr_add 1 10.1.0.254 255.255.0.0 + umlbr_add_tap 1 alice + umlbr_add_tap 1 venus + umlbr_add_tap 1 moon + cgecho "done" +fi + +# create umlbr0 and its taps +# +if [ `brctl show | grep umlbr0 | wc -l` -eq 1 ] +then + cecho " * Great, umlbr0 is already running!" +else + cecho-n " * Starting umlbr0 with taps.." + umlbr_add 0 192.168.0.254 255.255.255.0 + umlbr_add_tap 0 alice + umlbr_add_tap 0 moon + umlbr_add_tap 0 carol + umlbr_add_tap 0 winnetou + umlbr_add_tap 0 dave + umlbr_add_tap 0 sun + cgecho "done" +fi + +# create umlbr2 and its taps +# +if [ `brctl show | grep umlbr2 | wc -l` -eq 1 ] +then + cecho " * Great, umlbr2 is already running!" +else + cecho-n " * Starting umlbr2 with taps.." + umlbr_add 2 10.2.0.254 255.255.0.0 + umlbr_add_tap 2 sun + umlbr_add_tap 2 bob + cgecho "done" +fi + diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches deleted file mode 100755 index 1a6c9d8f6..000000000 --- a/testing/scripts/start-switches +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# starts the UML switches -# -# Copyright (C) 2004 Eric Marchionni, Patrik Rayo -# Zuercher Hochschule Winterthur -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id$ - -DIR=`dirname $0` - -source $DIR/function.sh - -[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" - -source $DIR/../testing.conf - -for n in 0 1 2 -do - if [ `ps aux | grep uml_switch | grep umlswitch$n | wc -l` -eq 1 ] - then - cecho " * Great, umlswitch$n is already running!" - else - cecho-n " * Starting umlswitch$n.." - uml_switch -tap tap$n -unix /tmp/umlswitch$n -daemon >/dev/null 2>&1 </dev/null - sleep 2 - eval ifconfig "tap$n \$IFCONFIG_$n up" - cgecho "done" - fi -done diff --git a/testing/scripts/stop-bridges b/testing/scripts/stop-bridges new file mode 100755 index 000000000..9633bfa55 --- /dev/null +++ b/testing/scripts/stop-bridges @@ -0,0 +1,51 @@ +#!/bin/bash +# stop the UML bridges in the kernel using the brctl command +# +# Copyright (C) 2009 Andreas Steffen +# HSR Hochschule fuer Technik Rapperswil +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: $ + +DIR=`dirname $0` + +source $DIR/function.sh + +# stop umlbr1 and its taps +# +cecho-n " * Stopping umlbr1 with taps.." +umlbr_del_tap 1 alice +umlbr_del_tap 1 venus +umlbr_del_tap 1 moon +umlbr_del 1 +cgecho "done" + +# stop umlbr0 and its taps +# +cecho-n " * Stopping umlbr0 with taps.." +umlbr_del_tap 0 alice +umlbr_del_tap 0 moon +umlbr_del_tap 0 carol +umlbr_del_tap 0 winnetou +umlbr_del_tap 0 dave +umlbr_del_tap 0 sun +umlbr_del 0 +cgecho "done" + +# stop umlbr2 and its taps +# +cecho-n " * Stopping umlbr2 with taps.." +umlbr_del_tap 2 sun +umlbr_del_tap 2 bob +umlbr_del 2 +cgecho "done" + diff --git a/testing/start-testing b/testing/start-testing index 53bf464a4..fb60bcc5c 100755 --- a/testing/start-testing +++ b/testing/start-testing @@ -33,10 +33,10 @@ else fi ##################################################### -# start the uml switches +# start the uml bridges # -cecho "Start the uml switches (scripts/start-switches)" -$DIR/scripts/start-switches +cecho "Start the uml bridges (scripts/start-bridges)" +$DIR/scripts/start-bridges ##################################################### diff --git a/testing/stop-testing b/testing/stop-testing index 5dc67af96..e12e975b2 100755 --- a/testing/stop-testing +++ b/testing/stop-testing @@ -42,10 +42,9 @@ done cgecho "done" ##################################################### -# Shutting down the uml switches +# Shutting down the uml bridhges # -cecho-n " * Stopping the UML switches.." -killall uml_switch &> /dev/null -rm -f /tmp/umlswitch[012] &> /dev/null 2>&1 -cgecho "done" +cecho "Stop the uml bridges (scripts/stop-bridges)" +$DIR/scripts/stop-bridges + diff --git a/testing/testing.conf b/testing/testing.conf index 11cb5a658..a9e15bc54 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -30,10 +30,10 @@ KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` KERNELCONFIG=$UMLTESTDIR/.config-2.6.29 # Bzipped uml patch for kernel -#UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2 +#UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.2.14.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.3.0.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -50,6 +50,7 @@ USE_OPENSSL="yes" USE_KERNEL_PFKEY="yes" USE_INTEGRITY_TEST="yes" USE_LEAK_DETECTIVE="yes" +USE_LOAD_TESTS="yes" # Gentoo linux root filesystem ROOTFS=$UMLTESTDIR/gentoo-fs-20090325.tar.bz2 @@ -74,7 +75,7 @@ TESTRESULTSDIR=$UMLTESTDIR/testresults # Path to a full strongswan tree on the host system, which is # mounted into /root/strongswan-shared. This gives us an easy # way to apply and test changes instantly. -SHAREDTREE=/home/martin/strongswan/trunk +#SHAREDTREE=/home/martin/strongswan/trunk # Timezone for the UMLs, look in /usr/share/zoneinfo! TZUML="Europe/Zurich" @@ -89,13 +90,13 @@ ENABLE_BUILD_HOSTCONFIG="yes" ENABLE_BUILD_UMLROOTFS="yes" ENABLE_BUILD_UMLHOSTFS="yes" ENABLE_START_TESTING="yes" -ENABLE_DO_TESTS="yes" +ENABLE_DO_TESTS="no" ENABLE_STOP_TESTING="no" ############################################################## # How to start the UMLs? # -# Start the UML instance in a KDE konsole (requires KDE) +# Start the UML instance in KDE konsole (requires KDE) # UMLSTARTMODE="konsole" # Start the UML instance in a gnome-terminal (requires gnome) UMLSTARTMODE="gnome-terminal" @@ -166,14 +167,14 @@ IFCONFIG_2="10.2.0.254 netmask 255.255.0.0" ############################################################## # Network interfaces of the UML instances # -SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1 \ - eth1=daemon,fe:fd:c0:a8:00:32,unix,/tmp/umlswitch0" -SWITCH_venus="eth0=daemon,fe:fd:0a:01:00:14,unix,/tmp/umlswitch1" -SWITCH_moon="eth0=daemon,fe:fd:c0:a8:00:01,unix,/tmp/umlswitch0 \ - eth1=daemon,fe:fd:0a:01:00:01,unix,/tmp/umlswitch1" -SWITCH_carol="eth0=daemon,fe:fd:c0:a8:00:64,unix,/tmp/umlswitch0" -SWITCH_winnetou="eth0=daemon,fe:fd:c0:a8:00:96,unix,/tmp/umlswitch0" -SWITCH_dave="eth0=daemon,fe:fd:c0:a8:00:c8,unix,/tmp/umlswitch0" -SWITCH_sun="eth0=daemon,fe:fd:c0:a8:00:02,unix,/tmp/umlswitch0 \ - eth1=daemon,fe:fd:0a:02:00:01,unix,/tmp/umlswitch2" -SWITCH_bob="eth0=daemon,fe:fd:0a:02:00:0a,unix,/tmp/umlswitch2" +SWITCH_alice="eth0=tuntap,tap1_alice,fe:fd:0a:01:00:0a \ + eth1=tuntap,tap0_alice,fe:fd:c0:a8:00:32" +SWITCH_venus="eth0=tuntap,tap1_venus,fe:fd:0a:01:00:14" +SWITCH_moon="eth0=tuntap,tap0_moon,fe:fd:c0:a8:00:01 \ + eth1=tuntap,tap1_moon,fe:fd:0a:01:00:01" +SWITCH_carol="eth0=tuntap,tap0_carol,fe:fd:c0:a8:00:64" +SWITCH_winnetou="eth0=tuntap,tap0_winnetou,fe:fd:c0:a8:00:96" +SWITCH_dave="eth0=tuntap,tap0_dave,fe:fd:c0:a8:00:c8" +SWITCH_sun="eth0=tuntap,tap0_sun,fe:fd:c0:a8:00:02 \ + eth1=tuntap,tap2_sun,fe:fd:0a:02:00:01" +SWITCH_bob="eth0=tuntap,tap2_bob,fe:fd:0a:02:00:0a" diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 016524dd9..c35a8019e 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -6,5 +6,5 @@ moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES moon::cat /var/log/auth.log::DPD: Restarting connection::YES -moon::sleep 5::no output expected::NO +moon::sleep 10::no output expected::NO moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat index 759295675..b266d86d8 100644 --- a/testing/tests/ikev1/protoport-route/evaltest.dat +++ b/testing/tests/ikev1/protoport-route/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES -carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES carol::ssh PH_IP_ALICE hostname::alice::YES carol::cat /var/log/auth.log::initiate on demand::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat index f233ad48f..b1fc81827 100644 --- a/testing/tests/ikev1/protoport-route/pretest.dat +++ b/testing/tests/ikev1/protoport-route/pretest.dat @@ -2,5 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start +carol::sleep 1 +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname +carol::ping -c 1 PH_IP_ALICE > /dev/null carol::sleep 2 -carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 2242746db..62ed8676a 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt new file mode 100644 index 000000000..3641d09ff --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b> +using multiple authentication exchanges (RFC 4739). In a first round +both <b>carol</b> and <b>moon</b> authenticate themselves by sending +an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<p> +In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i> +in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to +authenticate herself against the remote RADIUS server <b>alice</b>. +In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b> +are used instead of a physical SIM card on the client <b>carol</b>. +The gateway forwards all EAP messages to the RADIUS server <b>alice</b> +which also uses a static triplets file. +<p> +The roadwarrior <b>dave</b> also uses multiple authentication and succeeds +in the first round but sends wrong EAP-SIM triplets in the second round. +As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b> +message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat new file mode 100644 index 000000000..d64b3da7d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -0,0 +1,21 @@ +moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES +moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..a2020424e --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..d77b818fe --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,123 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf + sim_files { + simtriplets = "/etc/raddb/triplets.dat" + } +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..dfceb037d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,62 @@ +authorize { + preprocess + chap + mschap + sim_files + suffix + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat new file mode 100644 index 000000000..002ee94d1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat @@ -0,0 +1,7 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB +228060123456002,33000000000000000000000000000000,33112233,335566778899AABB +228060123456002,34000000000000000000000000000000,34112233,345566778899AABB +228060123456002,35000000000000000000000000000000,35112233,355566778899AABB + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..26cc0cd92 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftauth=pubkey + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftauth2=eap + leftid2=228060123456001@strongswan.org + eap_identity=228060123456001 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=pubkey + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..c167ba940 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..6a2aea811 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 40eb84b8a..cc451fc8d 100644 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..f8c52be78 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=eap + +conn home + left=PH_IP_DAVE + leftfirewall=yes + leftauth=pubkey + leftid=dave@strongswan.org + leftcert=daveCert.pem + leftauth2=eap + leftid2=228060123456002@strongswan.org + eap_identity=228060123456002 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=pubkey + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..b8b86c875 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456002,33000000000000000000000000000000,33112244,335566778899AABB +228060123456002,34000000000000000000000000000000,34112244,345566778899AABB +228060123456002,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..9031f323a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..cc451fc8d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..37d23b1f5 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-mult + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + leftauth=pubkey + leftid=@moon.strongswan.org + leftcert=moonCert.pem + right=%any + rightauth=pubkey + rightid=*@strongswan.org + rightauth2=eap-radius + eap_identity=%any + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..10414b29a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown + plugins { + eap_radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat new file mode 100644 index 000000000..dbe56013a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat new file mode 100644 index 000000000..b3fd4cbf1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::cat /etc/raddb/clients.conf +alice::cat /etc/raddb/eap.conf +alice::cat /etc/raddb/proxy.conf +alice::cat /etc/raddb/triplets.dat +alice::/etc/init.d/radiusd start +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt index 0ace25731..602d026c2 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>, respectively. +the responders <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf index 12f0c95bf..4c84d183b 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf @@ -25,12 +25,12 @@ conn alice leftsubnet=PH_IP_ALICE/32 right=PH_IP_CAROL rightid=carol@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=PH_IP_DAVE rightid=dave@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt index b26c8c5d0..06f9f6b91 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>. +the initiators <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat index d2453bbee..4b827b4dd 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat @@ -7,6 +7,6 @@ moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::alice.*INSTALLED::YES dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status::venus.*INSTALLED::YES diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf index d0240a333..75138581e 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf @@ -24,11 +24,11 @@ conn %default conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 8656c8e3a..4a1c7208b 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat index c60f722ec..0b7b02801 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat @@ -1,4 +1,4 @@ moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::alice.*INSTALLED::NO moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 3ac0adbb5..182f9e0fc 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO carol::ipsec status::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt index 86cbbc58b..6467d5222 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/description.txt +++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt @@ -2,6 +2,6 @@ By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on all peers. The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and <b>venus</b> to anyone presenting a certificate belonging to a trust -chain anchored in strongSwan Root CA. Therefore both road warriors +chain anchored in the strongSwan Root CA. Therefore both road warriors <b>carol</b> and <b>dave</b>, holding certificates from the Research CA and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>. diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index 8ba69ff9b..b0814556d 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index 939817d58..a0a045ce8 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,6 +1,7 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 9f20ee81c..2e0f059c6 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES moon::cat /var/log/daemon.log::libcurl http request failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::NO carol::ipsec status::ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index b47403756..45c6ce7c5 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat index 7ce2bf147..7f083a05e 100644 --- a/testing/tests/ikev2/reauth-late/evaltest.dat +++ b/testing/tests/ikev2/reauth-late/evaltest.dat @@ -1,7 +1,7 @@ moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES carol::ipsec statusall::home\[2\].*ESTABLISHED::YES -carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, scheduling reauthentication in 3595s::YES carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES +carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index d5cbbdbf7..661e6cfe7 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,6 +1,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 5de841c03..e12643ef7 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 6c73054d7..2ee440cdb 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index 444362a86..5e8dce9cf 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index d8708d122..5b632bfe8 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,7 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES -moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES +moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt index 887d3f467..0531a559f 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt @@ -9,5 +9,5 @@ are used instead of a physical SIM card on the client <b>carol</b> and the gateway forwards all EAP messages to the RADIUS server <b>alice</b> which also uses static triplets. In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP -identity <b>232420100000015</b>. +identity <b>228060123456001</b>. diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index 4e7cbcc4c..4305a1400 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat index 2a750029f..c167ba940 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat @@ -1,3 +1,3 @@ -232420100000015,30000000000000000000000000000000,30112233,305566778899AABB -232420100000015,31000000000000000000000000000000,31112233,315566778899AABB -232420100000015,32000000000000000000000000000000,32112233,325566778899AABB +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf index 404589348..94186cfa9 100755 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf @@ -16,7 +16,7 @@ conn home leftnexthop=%direct leftid=carol@strongswan.org leftfirewall=yes - eap_identity=232420100000015 + eap_identity=228060123456001 right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index cd4b43cca..5fae7ecd5 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES @@ -8,7 +8,7 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::ipsec statusall::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt index 46ca8fec1..94ffaa487 100644 --- a/testing/tests/ikev2/two-certs/description.txt +++ b/testing/tests/ikev2/two-certs/description.txt @@ -1,6 +1,7 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each -to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b> -and a self-signed certificate for <b>dave</b> locally but gets actual certificates -as CERT payloads from both peers. The RSA signature verification process tries all -candidate peer certificates until it finds a valid one with a matching public key. +The roadwarrior <b>carol</b> possesses two different X.509 certificates plus +matching RSA private keys. With the first certificate <b>carol</b> authenticates +a tunnel connection to gateway <b>moon</b> in order to reach client <b>alice</b> +and presents the second certificate in order to reach client <b>venus</b> using +the identity <b>carol@strongswan.org</b> for both IKE security associations. +Therefore the RSA signature verification process on <b>moon</b> tries all +candidate peer certificates until it finds the correct RSA public key. diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 0598e1fb2..d32e32660 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,15 +1,12 @@ -moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES -moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES -moon::ipsec statusall::carol.*ESTABLISHED::YES -moon::ipsec statusall::dave.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES +moon::ipsec statusall::alice.*INSTALLED::YES +carol::ipsec statusall::alice.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES +moon::ipsec statusall::venus.*INSTALLED::YES +carol::ipsec statusall::venus.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index bcdb8641b..9129f160b 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup crlcheckinterval=180 - strictcrlpolicy=no + strictcrlpolicy=yes plutostart=no conn %default @@ -10,14 +10,20 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - -conn home + keyexchange=ikev2 left=PH_IP_CAROL - leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 + +conn alice + leftcert=carolCert.pem + rightsubnet=10.1.0.10/32 + auto=add + +conn venus + leftcert=carolCert-002.pem + rightsubnet=10.1.0.20/32 auto=add + diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem new file mode 100644 index 000000000..4ebebba5a --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c +6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH +8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1 +XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n +hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9 +0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/ +rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE +FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl +4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n +U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB +FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j +cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM +Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma +/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS +KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu +9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx +fmSZH0LzbAm+7XFrP71rBSJUaUI= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem new file mode 100644 index 000000000..aec8e7a33 --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk +g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS +wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34 +mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f +U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m +yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ +u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y +EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP +/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y +UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0 +TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx +u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv +Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ +lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC +jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs +tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq +1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq +WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr +ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl +Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC +AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn +aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN +9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo +/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F +PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..2181f94ce --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: RSA carolKey-002.pem diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index 8800c7ad5..a93ccbc9a 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -3,8 +3,14 @@ config setup crlcheckinterval=180 strictcrlpolicy=yes + uniqueids=no plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m @@ -13,19 +19,16 @@ conn %default left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightid=carol@strongswan.org keyexchange=ikev2 -conn carol - rightid=carol@strongswan.org - rightcert=carolRevokedCert.pem +conn alice + leftsubnet=10.1.0.10/32 auto=add -conn dave - rightid=dave@strongswan.org - rightcert=daveCert.der - rightca=%any +conn venus + leftsubnet=10.1.0.20/32 auto=add diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem deleted file mode 100644 index 5b742fc9e..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV -mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo -5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv -VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN -IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 -K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 -OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB -56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM -2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q -O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL -LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 -wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N -9IcgYi5x ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der Binary files differdeleted file mode 100644 index 6c4f37c27..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der +++ /dev/null diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat index 195065a5f..a1f067838 100644 --- a/testing/tests/ikev2/two-certs/posttest.dat +++ b/testing/tests/ikev2/two-certs/posttest.dat @@ -1,7 +1,6 @@ moon::ipsec stop carol::ipsec stop -dave::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat index 42e9d7c24..716cf71e8 100644 --- a/testing/tests/ikev2/two-certs/pretest.dat +++ b/testing/tests/ikev2/two-certs/pretest.dat @@ -1,9 +1,8 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start -dave::ipsec start carol::sleep 1 -carol::ipsec up home -dave::ipsec up home +carol::ipsec up alice +carol::ipsec up venus +carol::sleep 1 diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf index 70416826e..d0306cd25 100644 --- a/testing/tests/ikev2/two-certs/test.conf +++ b/testing/tests/ikev2/two-certs/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +UMLHOSTS="alice venus moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d.png" +DIAGRAM="a-v-m-c-w-d.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol dave" +IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl/alg-blowfish/description.txt b/testing/tests/openssl/alg-blowfish/description.txt new file mode 100644 index 000000000..d30d9d2da --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/description.txt @@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b> +use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all +cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP +encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/alg-blowfish/evaltest.dat b/testing/tests/openssl/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..547e96734 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/evaltest.dat @@ -0,0 +1,16 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::IKE proposal: BLOWFISH-256::YES +carol::ipsec statusall::BLOWFISH-192.*,::YES +carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::IKE proposal: BLOWFISH-128::YES +dave::ipsec statusall::BLOWFISH-128.*,::YES +dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..62e181012 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048! + esp=blowfish192-sha256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/alg-blowfish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e10230384 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/alg-blowfish/hosts/dave/etc/ipsec.conf index ea8bc92a7..26f3f3a04 100755 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -10,6 +10,9 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 + ike=blowfish128-sha256-modp1536! + esp=blowfish128-sha1! conn home left=PH_IP_DAVE @@ -19,5 +22,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - keyexchange=ikev2 auto=add diff --git a/testing/tests/openssl/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/alg-blowfish/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..e10230384 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/openssl/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..31a00f7fb --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! + esp=blowfish192-sha256,blowfish128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/alg-blowfish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1887f7607 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + dh_exponent_ansi_x9_42 = no + load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/openssl/alg-blowfish/posttest.dat b/testing/tests/openssl/alg-blowfish/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/alg-blowfish/pretest.dat b/testing/tests/openssl/alg-blowfish/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/alg-blowfish/test.conf b/testing/tests/openssl/alg-blowfish/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/alg-blowfish/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf index e10230384..1887f7607 100644 --- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + dh_exponent_ansi_x9_42 = no load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql index f160fe1d7..2ea4f598f 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -24,18 +24,6 @@ INSERT INTO identities ( 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); -INSERT INTO identities ( - type, data -) VALUES ( /* carol@strongswan.org as an EAP identity */ - 205, X'6361726f6c407374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* moon.strongswan.org as an EAP identity */ - 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - /* Certificates */ INSERT INTO certificates ( @@ -67,13 +55,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 5 + 1, 3 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 4 ); /* Configurations */ diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql index 153c454a9..5d262877f 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -32,14 +32,8 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* moon.strongswan.org as an EAP identity */ - 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* carol@strongswan.org as an EAP identity */ - 205, X'6361726f6c407374726f6e677377616e2e6f7267' +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); /* Certificates */ @@ -111,13 +105,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 3 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 7 + 1, 6 ); /* Configurations */ |