diff options
Diffstat (limited to 'testing')
81 files changed, 1057 insertions, 14 deletions
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.key b/testing/hosts/winnetou/etc/bind/K.+008+32329.key new file mode 100644 index 000000000..9f4e5ea5d --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 32329, for . +; Created: 20130213194956 (Wed Feb 13 20:49:56 2013) +; Publish: 20130213194956 (Wed Feb 13 20:49:56 2013) +; Activate: 20130213194956 (Wed Feb 13 20:49:56 2013) +. IN DNSKEY 257 3 8 AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO O9fOgGnjzAk= diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.private b/testing/hosts/winnetou/etc/bind/K.+008+32329.private new file mode 100644 index 000000000..8ad5cd6ae --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: tyyRqtq0WC+C9eXRs2rgjjdkHN32Nieg+qwhwDRqGpeVRNRr5zZfM3aZLsMZwjhnkaf7y/8iHiVAlCuV/0j9zYeOigICwrVsDlxFLYOJT5svoZ7Scu2805/gLQwcYutZwM42DlCgvQ5wW8xe5S068OSggx218NgNJzET29KiRz3xLHnnf8xPGmyxd4z2L45q4aqiEhlT4xVF1bC8k+J4IvsxrhsC22Ab4pJtDLvH+pc8hKirPAZC8LGwv3d+8P9ymn4rOKoDSgf4N+vK9zmdZ0J2triBjPtYIUXBxjU9bo9svmJ7iOeOXdZbGim7NPjocpE7EOET4U47186AaePMCQ== +PublicExponent: AQAB +PrivateExponent: cOOQ6uFa4DZ32aBHuvGVb1CH7JqHER0fQx4utswW0Ei3f/IChj6mMYtYIM+w4lfszIHg1vpoRnfi8u5hxTFw6egvWrKejO1OqRMIt2Inj94uXscJIDeQdkRD3r9mBzjQ2di8y9m5For9iDXODiPv/WKJ4gS/iq08ffjrKkEILirduFpG+EcopBy4MJeAMAkATkRsATEHgEbyqulP7gMwAnQ6vXFbTybfZQWWSgANabGikKMmGroJMChBGJ2Q9c7mHVpXu2IhMqYRKHWmBA5v/OrEc21dNxRGXsZuq+iu3P8o5MLHgX6YDB9nB3OVb47Prg/BxHYdQid2PwX0A0qZeQ== +Prime1: 2ovikMXe1sTJ2xYPHgofDMmDXUwgpHu/nsCbdDHhyHIMllLXWsefuAFGQug/DDDg69oZGhNkah53uU9XAEyy6uiFJKgnzBTqCg+QmuZnuiuiQ4QjZ/g2x6R2MvzTZLOAQOaOLA3GVsgOh5msyO1kaatES4m2Pbp3xF6CYkhVRlc= +Prime2: 1pDSXUoE/dwWCebwJHyKLQ3RSGn1o3EHeKZKnqZpABMSPs7imeoVQVZomidjUjHxkB9jbE8nqN15U/Ui4WuZKM+LPbiknaC+h2Y8v6p3u5XQSR0l1cWwdo7BZtdUkcuqSwpL0mnwnmLc6ZQrr13GXnk3qm1ymXST3MFWCWjyRJ8= +Exponent1: 02q1b8XrT6qpd2a8kxvJc85RZWTqwxPviDzdZaeHuygRYy6apHgu24toE/umWj3CqIag9+fAoSP+P+cvy9tmzfbILnD5puSoj7kE88RmnePuIhBnTAIDxFgl/Cc2vNkk/iPLb3SX5YW9AJK6Ytm75LlI5SZAhTCpAe9HhJpi3Bs= +Exponent2: deHfEY3nLCnMmegdK46Yw6QBxU0hvYgN2MVT3dIDghz4OzWi3Xjz8I+urHLTaIcz9kCoeQsL+QSk8fGOFlbtMLTGBUT6e/eidfU/jvXzDkaCxoiTDt2r05cevoezWN6SUuP3QEUgA4TBZjsXvSNCJwlmAeZbvd+ElRZLVKQp5nU= +Coefficient: mtSrbS9kgU1yoTaaY4C6jTnfa43wvHi9pGHW5TUSjRQ9YnCsxy6GiuhmCcKB4iDUzWvIHehfGF5A8UaIF4GvIWcSj1FYO1uBrre5mKMxk89Y7oGtwF2qVbpPHAL4GKHPOUzmfr0vR+nT1PFs1Gr1BF+hkYgluh05KEu0flOZoAk= +Created: 20130213194956 +Publish: 20130213194956 +Activate: 20130213194956 diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.key b/testing/hosts/winnetou/etc/bind/K.+008+43749.key new file mode 100644 index 000000000..de00dec2d --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 43749, for . +; Created: 20130213194939 (Wed Feb 13 20:49:39 2013) +; Publish: 20130213194939 (Wed Feb 13 20:49:39 2013) +; Activate: 20130213194939 (Wed Feb 13 20:49:39 2013) +. IN DNSKEY 256 3 8 AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz wHw3Arp5 diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.private b/testing/hosts/winnetou/etc/bind/K.+008+43749.private new file mode 100644 index 000000000..fb0f442f3 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 0xL4LJb2bzIHqvCuqx18xbjUBaKbVP96GDhSf/2oAMURk31Ps0r08j4MPcOvvZnZk7iGspcHZd7SeW+wJSNN8LB0aqDP1gu/ZZ9fOpGSzEWBBebMB0bskYf7tiZersAAXfbjpxpr7AxcAZF1RQKJB/zsKcBplcnWRTPAfDcCunk= +PublicExponent: AQAB +PrivateExponent: MWEqtiPLG1B1AsSz2ExZuFf5IihcdpIeGjRy+IZ7G1L/PaX/U06h51okuv5gytaHVEvDF1zF2ks6qjY62zVbMhr69/a6XjP6QWtiDmJgAnOjRqnKs8ZfEE3rsdauDtPPUIclNr9LnJtOz32oVlvxQXn/zVCE421eKlIKZIS0AEE= +Prime1: 8iaE9VEf9lmYEBM7m5Z/maTvP+RjYvmVx7gdnBDzHkw1ZZkc/27sSI1bvgPZ55ZSiH+324OHwQp3A5m2P9th1Q== +Prime2: 3yVw5TpfBOSteVUMtkvUqI7o0TnUoMeGuKZyXUo8GfQz8oGKoZgmdBJTETmmV4gXPtaEMFUxD4PhJw5ralrkFQ== +Exponent1: QPWeY2Tw6xhb16whKHr2HhSF7iDpnIqR6LL2loBhh/YvuOKbSdbK4iexvcawtRS5bU691tBxIZMaHEgnAPhsRQ== +Exponent2: iw5B9BcT73CxydJ+QXuv4fpsizWGk0rDYX4X9pq0KVhMpuqjAWBXVi21Jh7O0e00zyvO5G+ySwDb5gLOXVCWoQ== +Coefficient: b46+74v/ETHVVKxqdXZWf9r5RL/08AyxScYrT5qDXhJ+QeGZa1jRxrWp469FWltzliP68jLh2om6F4IjAK5o0g== +Created: 20130213194939 +Publish: 20130213194939 +Activate: 20130213194939 diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key new file mode 100644 index 000000000..44043b485 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 24285, for org. +; Created: 20130213191908 (Wed Feb 13 20:19:08 2013) +; Publish: 20130213191908 (Wed Feb 13 20:19:08 2013) +; Activate: 20130213191908 (Wed Feb 13 20:19:08 2013) +org. IN DNSKEY 256 3 8 AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn zoNbB0g9 diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private new file mode 100644 index 000000000..e707bb6bb --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: rog7fQwWWDKPSEkt7S+q8cuvX/iREI2X8GLPtVjCDNGSJjEfEslT6Lz+v2sRZTzlDpYS3vvFD4fLHPCahelJoy3KZiJ80Vme/CXfUJuTMgEVO0FRDcEIpmO/RaCksTEOoAqByUJYFnU+se8OfUdOXqYyAKmJai2HOSfOg1sHSD0= +PublicExponent: AQAB +PrivateExponent: Enac/HSL5Jasq7P6JM5XIi8vBVMRXZPtD+QUHxYdqSd+c4XcyKr9snBT7sIP3AreHHXp1ycBSMxPw2b8oc/1Fx5UcCdfL2Sygw2l9oDG2nVWX5taLZgNe1t+Bbsf7fqUxBu0fYHx42xvRHPNwV+8VsDa2TDGRImH8MlPuVbHt2E= +Prime1: 375Bu+m6egBN6k2P82oE8mUuLVYnJDOQ90ipG6Vcfxy7HTzObX+Ismw171oMASLrwMV8UWohp8cbFiira/4ruQ== +Prime2: x7G7d58Pycz+Wox3ez8/livTQ4wXYb/ykUzgycOVJaPPRX9siz10rVfl5Y3sXQlsR4xFSl6GKFAc11MbmS7qpQ== +Exponent1: aPk+pgd28h6Kb8+MJkwrnf5St/qfyqBW924jyVDAIPM95u3MfBtF61BRzcaVs0LLEVqWhSwiNjF4R+E07CoIIQ== +Exponent2: T3kaZJb3D5b3u02f13rqcXdrkrxUKeDcRptT8rhVyS8SNFRr/FYu8zXCFsOOx9ASOb9HbDuGJNENSVyX5TTYyQ== +Coefficient: GsFR4s38eNTqazXvDLcSG+166dSIRRWUrIMR85veIchQY7lsFTRFEmwKX43OsXvSZUMIE2svwIgclhP/FefcUw== +Created: 20130213191908 +Publish: 20130213191908 +Activate: 20130213191908 diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key new file mode 100644 index 000000000..7a617ecbe --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 51859, for org. +; Created: 20130213191920 (Wed Feb 13 20:19:20 2013) +; Publish: 20130213191920 (Wed Feb 13 20:19:20 2013) +; Activate: 20130213191920 (Wed Feb 13 20:19:20 2013) +org. IN DNSKEY 257 3 8 AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8 lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+ v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL DtYdKb9mGnk= diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private new file mode 100644 index 000000000..698cb4f80 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 8DKIg0XX98jJ5uIBmEbeQXG/X6PcPdPE0E9xxuJVSBhKex73mZuafjQqCC4KWOiLqQO7XRCj5dTClHvx0YmKq8p96PtzPrBsivmq70q/t/yUk9FDaKDFn/RkItcZujNG5AbLf2SVB4b3x/DE2TMepdHGSHICCljwTYG6ZGyLYJxr+8oX7o6k3H1vxFcgFxRN2HHRWOD7eBiFJFHWs8HXrSxtov6/cXG/1nM4hj16R+is3G6pX39TQMKI6GClkLsf7lKE9vRU3Ni+/QjAgAZU9UQl2HlI09DQtyU9dxHdq/4OmO91jmgA6f+Ys8IePEGfM6XtDc/jd0sO1h0pv2YaeQ== +PublicExponent: AQAB +PrivateExponent: pJ69mNqhbZ0bYzW6Shcn9Ep1EqNHKsictvf7zocIU+TyBvfuUkSm2Z/+vqRvSwf1z9xS6TGiYr4yrXlU/nr5o0ugh7DuByT6/zSlxmLAiuR9H+HoBSlKyJnCl248n7TM/TL6/VB+Iy6JW2rUPtgeRR9EehpI87aI21Xx3SnXTFoUTP7Z9HwoWEPOaU1SfYvBDLjZ0GTtMJ4i/LRB/rC6sbetqru4MTCAhsr8VrcH6YsFu5JrlmG+/dTEi005DrZPUOnKaDf4w3TbgSeTfbFJmvpfOoJObGm+Pc1PtxgfVUVdDWGK/LSNbTdqPQkPGlOI1sUETFNMKOY0S66H5q44QQ== +Prime1: /y8kGw8mAtAuvISUtlUao7srcSphvvMLpxvgOB22u2wgzD51VdPRr2Inv1SJN7SGoJ9ERNLnfBnc1KFBOqtvf5uOwHD4++U80H+qWS+1aNgmMEa+IQ5WamQSPvUWFkhF6TjJnwY4rATfK2FGh00n6O3IOMjDxYyDs/M/j62/VQ0= +Prime2: 8PcgSGgYGveDwkocfVkF0uuWRMVtfY3O/tiYSuCfkFP/++7eKMXQekmBay+5a5YUSZ6UwDFqduC/tYIuvGBi0rv+lzZJ8ydz/sdmQ+aqS3/g6oerGaTUjRV560OKWCwiMIfwQqaN+ivXdBFgGCJnaah65wiQ9W0xeTJqORQxWB0= +Exponent1: dL3+SJrPiu3u07PbzOZ2P317TFRVT2QlapfoJgQB+xBmmMniKBe1kATZpkBoXiGqjYUPWGUcHbw/OM9k5hBT/A8QaZ3FaoffIIunRRH8bjCkl+VlSf4jLp0Fc+Pv7NW3lhCyvJu+BYRdDJ1+BJwZrAhMVx4R4ih8gDDCXVrhc2k= +Exponent2: QQvEuCb5UtY7yAevdxq/2rbjon7U1o6gMOUQ/y1xhUlXkY9igwkbBNewytlgKS2jHlhjeRodzidPONUCfrFaG97Jk9IA1lVxF3aGIZAzqhvEACtNQafgBJGmjp51yuVm+UjIz4UcUErjZx6FnR40Yi4rtw/16XpnX3r/d5b+1vU= +Coefficient: hAE0/Fdc6enFMymrfGW8o4lDauKQj7yQ16hw3IoOlrRLUpXqLiEnk+J6kzkSqgiW+ZC2v5Qq8mTC/3Q//ddWgaLX/LlbItitTlhQCS7hlV33ZkyvLBBjonYztnI+LHnIkj/omjumEzeQGR40TAh4FAgByRNXG2IOrLavfR/iPC8= +Created: 20130213191920 +Publish: 20130213191920 +Activate: 20130213191920 diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key new file mode 100644 index 000000000..a2d755ff4 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 481, for strongswan.org. +; Created: 20130213175556 (Wed Feb 13 18:55:56 2013) +; Publish: 20130213175556 (Wed Feb 13 18:55:56 2013) +; Activate: 20130213175556 (Wed Feb 13 18:55:56 2013) +strongswan.org. IN DNSKEY 257 3 8 AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM ooWxy1674/U= diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private new file mode 100644 index 000000000..cfa7e83c4 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: xd9xa8IbNCrzSr0lfVa/PSXAD9+LVdmZ6BrfnTAZHxZ0UKSW+Yp8DM1p/UKu83dsf0aXZUQSGRgwXqHqRUVNTu1qymrm3RsvCAIr+dLxDMpMta/NZ3JVrKId+KPU8/CdBXkUAMFMTmYwSSafzb48qDqNoqzcA2xzQE9sZKwYjGFQqWIvEkR37opKX/6i5AP1F8IPmzP00gX4he/VkanZGN/7q8ps87x/SGa23AT87MrIGDKwsFt3p/Dako4GG6dUWZRg9ocz3MtPJ3O5IgBf2JJ4zoe0C+UqArQkaA8QWtf6M8brAO8l/PNqTHzmsyREZzfU0WIUuoyihbHLXrvj9Q== +PublicExponent: AQAB +PrivateExponent: SIEdgEy5xx3N1B8Gs6yrmm5QuABDgAuh94iRU3miWt/RcxM8NuflmJNUOPbMQG4MFX76TqLotsVERAi0XPmN4FPig5U0TuR9EUQqdPo0VWlzPkfSzgr5Fa65qLfvegs6nhzFlZk+qqOLIeLDP5Jri4EZEPiiDacZfAEeSK0+uYDxxNCSShcYFqd9kIcqFS9pk0tcqVOZY55xjEHlk35+N08TvC+H6OnFyppz24TAuU9vqxtdGYEt6+BXnwG8MI6hCv16PkHJKeJVeC3tIl+cO+TYMMaWeI+8MXX+GIfyAOaAGj0pi3BnpUOiiLtwO0P3mi7mxB2/0Jzx2c8lLvLqaQ== +Prime1: 8UFH1F2bt+1B2ssTHiPq+nqw/VYMTVUw+Hju79hVg2TugP0OEat00BqmZU4+bI1YscpwmWHZAU8wHvhMyjomol4+KplqxALXes3WMTijs9qXZIAX48yuakWyOrPLgUdNYwnvtcrC0vxJXk9G1lhOXDzHxmLD+HVd37SlUGvFvy8= +Prime2: 0fdlpeBJzmDDLYz7GP2oCLhuxvUXl4xFKDDJMAikdjgpZI8wTHAyNOY9BQMZGDUkrozrxWzYpcDLyEuhVfQFl7fvlOy6c8cnHPar6JPLFhcV1g2tSiXGnUVfusVytwtDdApAPKVtFeaC3HX+jil0SmO4uqw6wXtkwwsH7aeMZhs= +Exponent1: Utd/usSJ/BZUTrT805Sx02Dd9Z/eiY9/SVL9eQ5oDr5Rx6kdc6PUcME18gN0HAJNOn+xOnoG8hQnCftpIufk7ExAPJCBwNzY8SpNKomwbMnawn/ZtDdMjOFx2gZzEulRAXkf/uSpEZnf96pxQJkCD1ovn0e600459d8qBPt847E= +Exponent2: Y+w99rwPw+Su3j2qvhDxZ/0F0y+O47OAsgjNpktmoVBG+rFeRfJbImuz/G+mAKxB4cP07IbJb9CZ6p97j2FLTBHgNdqXPUQ47ALEezHiw4eG/9CQeKoTpIMAdO1Ek7ILjuzV90au7G5ANtT8qQE3c7OTlVsjtzKXGG9mfYZwPaM= +Coefficient: zqyn6OSkR2j10qY+a+Yma8kiOnUdcqvk1TW8CpG9+ch9T0mlCSiB7wPkWiIqkK8fP0qVkuurIvsxEARa0FFDTZDM5g5nJ8G26LsoNj1LA8hp0xH/UB/2pSXzo1Coc3f2VAuZEunFoNxEq0XBaZm4XLbPc3cOvVeL8WmSrf2K6lU= +Created: 20130213175556 +Publish: 20130213175556 +Activate: 20130213175556 diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key new file mode 100644 index 000000000..6f8eb8c70 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 9396, for strongswan.org. +; Created: 20130213175239 (Wed Feb 13 18:52:39 2013) +; Publish: 20130213175239 (Wed Feb 13 18:52:39 2013) +; Activate: 20130213175239 (Wed Feb 13 18:52:39 2013) +strongswan.org. IN DNSKEY 256 3 8 AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd bNvV9pvZ diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private new file mode 100644 index 000000000..2a91d9106 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: rktvqpPG7LhkkEOgNK2eay0hTmcCyWK7pQpnqKYsSDa58Bd/Pt9860iHb9AQKnzQaBQMFK0y9Ul9GNd4lSBq8zx3Q5v+sl+XW4f9u7I7tiMP7rif23b2kS4UpIBH61jJRiTmJOJ2oT8I2W02Smz3BzXAEDEryi5JVd1s29X2m9k= +PublicExponent: AQAB +PrivateExponent: rT8wnPZNGgnjc/60ZQha2p++ZodAHtt0N4XTKbEbfSBgzEUe52kQa3LppPvExebQ5VNf+sF6UJSesy2in2DczIqBOo2iftjKHXXWlnZN6ApN0v+oVmWxbvsEzODbeMOYklAzZd/QHvcNJCVHr+6WzxFlu5vnRwwF3vAEbFw+hIE= +Prime1: 59ugOWNLFlyOP/m7iYkr3vrei7vhT0c1IvIlBYiDSX6Ns98reI21KFXHjAl7jfx0DjJXZBK4VYCfFm7/nFS7KQ== +Prime2: wHFpgOLWd6AQfDscdkE7+rCHiaYKBADAUZ7smJni1rWFfQix+wm4qZRyrFjgT3mIZdWICJiFjh0qdrM9SvqhMQ== +Exponent1: ndmuiaOKGV1GE1QoU4ip75MINEXjLSAjkvkcL1ozV7PrMUx8wgRoE1/jDPnfvljjgk7PpHgCO2Pn61QCfiJJkQ== +Exponent2: vUKMdQIh1DIqJFNqEW7kkw5rrdcKwJcQjPUUUJv/OBP7fVVA3NfZsYVaJd+ecureVvBiwblml7ZdXbG3VPcZ8Q== +Coefficient: D6wuDQKGBlZjXQov//tXMrwhWMFhNzXfBbZCSz7td3RLspi7TJkDBFIXmJolXCLpB+Y5TNOa/3FDA8rWEIQm9w== +Created: 20130213175239 +Publish: 20130213175239 +Activate: 20130213175239 diff --git a/testing/hosts/winnetou/etc/bind/bind.keys b/testing/hosts/winnetou/etc/bind/bind.keys new file mode 100644 index 000000000..b991fa3c4 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/bind.keys @@ -0,0 +1,46 @@ +/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. As of the current release, the only +# trust anchors it contains are those for the DNS root zone ("."), and for +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors +# for any other zones MUST be configured elsewhere; if they are configured +# here, they will not be recognized or used by named. +# +# The built-in trust anchors are provided for convenience of configuration. +# They are not activated within named.conf unless specifically switched on. +# To use the built-in root key, set "dnssec-validation auto;" in +# named.conf options. To use the built-in DLV key, set +# "dnssec-lookaside auto;". Without these options being set, +# the keys in this file are ignored. +# +# This file is NOT expected to be user-configured. +# +# These keys are current as of January 2011. If any key fails to +# initialize correctly, it may have expired. In that event you should +# replace this file with a current version. The latest version of +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + +managed-keys { + # ISC DLV: See https://www.isc.org/solutions/dlv for details. + # NOTE: This key is activated by setting "dnssec-lookaside auto;" + # in named.conf. + dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; + + # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # NOTE: This key is activated by setting "dnssec-validation auto;" + # in named.conf. + . initial-key 257 3 8 "AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk="; +}; diff --git a/testing/hosts/winnetou/etc/bind/db.org b/testing/hosts/winnetou/etc/bind/db.org new file mode 100644 index 000000000..ecd2c23c1 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/db.org @@ -0,0 +1,40 @@ +; +; Zonefile for the org zone +; +$TTL 604800 +@ IN SOA ns1.org. root.org. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS ns1.org. +ns1 IN A 192.168.0.150 +ns1 IN AAAA fe80::fcfd:c0ff:fea8:96 +; +strongswan IN NS ns1.strongswan.org. +ns1.strongswan IN A 192.168.0.150 +ns1.strongswan IN AAAA fe80::fcfd:c0ff:fea8:96 +; +strongswan.org. IN DS 481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55 +strongswan.org. IN DS 481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE +; +; This is a zone-signing key, keyid 24285, for org. +org. IN DNSKEY 256 3 8 ( + AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ + U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB + FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn + zoNbB0g9 + ) +; +; This is a key-signing key, keyid 51859, for org. +org. IN DNSKEY 257 3 8 ( + AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb + mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8 + lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B + umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+ + v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG + VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL + DtYdKb9mGnk= + ) diff --git a/testing/hosts/winnetou/etc/bind/db.root b/testing/hosts/winnetou/etc/bind/db.root new file mode 100644 index 000000000..cfbbbc8bf --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/db.root @@ -0,0 +1,40 @@ +; +; Zonefile for the root zone +; +$TTL 604800 +@ IN SOA ns1. root. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS ns1. +ns1 IN A 192.168.0.150 +ns1 IN AAAA fe80::fcfd:c0ff:fea8:96 +; +org IN NS ns1.org. +ns1.org IN A 192.168.0.150 +ns1.org IN AAAA fe80::fcfd:c0ff:fea8:96 +; +org. IN DS 51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929 +org. IN DS 51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9 +; +; This is a zone-signing key, keyid 43749, for . +. IN DNSKEY 256 3 8 ( + AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK + 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF + gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz + wHw3Arp5 + ) +; +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/hosts/winnetou/etc/bind/db.strongswan.org b/testing/hosts/winnetou/etc/bind/db.strongswan.org new file mode 100644 index 000000000..dfd2705cb --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/db.strongswan.org @@ -0,0 +1,88 @@ +; +; Zonefile for the strongswan.org zone +; +$TTL 604800 +@ IN SOA ns1.strongswan.org. root.strongswan.org. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS ns1.strongswan.org. +ns1 IN A 192.168.0.150 +ns1 IN AAAA fe80::fcfd:c0ff:fea8:96 +; +moon IN A 192.168.0.1 +sun IN A 192.168.0.2 +mars IN A 192.168.0.5 +alice1 IN A 192.168.0.50 +carol IN A 192.168.0.100 +winnetou IN A 192.168.0.150 +dave IN A 192.168.0.200 +; +ip6-moon IN AAAA fe80::fcfd:c0ff:fea8:01 +ip6-sun IN AAAA fe80::fcfd:c0ff:fea8:02 +ip6-carol IN AAAA fe80::fcfd:c0ff:fea8:64 +ip6-winnetou IN AAAA fe80::fcfd:c0ff:fea8:96 +ip6-dave IN AAAA fe80::fcfd:c0ff:fea8:c8 +; +crl IN CNAME winnetou.strongswan.org. +ldap IN CNAME winnetou.strongswan.org. +ocsp IN CNAME winnetou.strongswan.org. +; +moon IN IPSECKEY ( 10 1 2 192.168.0.1 + AwEAAcovYz3Uu7oFhiFbFaAxL3P1MxJPCzObmuE7tkiwK0xGjg8B5jD7 + 75IZe3cI9dv/6n5JYoaWbXWs8TvV5Dd6GCHYLeEC6t+ZY7SJBBoLD592 + t54hUKo5Ag4/pSpnfbuHnJhikeTxVC/i8ElOnFyVTU+qdaF6p7VmUvGx + bvvctGaX99C39SC8mQIFNlk40s0x8r7tMOdhpWwC2dyC8M3vydQ0R7ap + j3YortKsEnpKlQSDj2bnUX5eCwZyyBZUdLzmifc6b8bjxyssRUmN27w + LF7BJFWBv6U8lbMd3xCxTRWD/u+WqzdlEzI200quviilK9VsDpqAaVNe + EMKt4OJdTwoc= + ) +sun IN IPSECKEY ( 10 1 2 192.168.0.2 + AwEAAd+VVIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqq + rQ3X917h7YNsSk68oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5 + mimv/prYj6o0yawxoPjoDs9Yh7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg + 1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/49YuxQ59DemY9IRbwsrKCHH0m + GrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4e0da1ntPCEQLeE83 + 3+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb8WNzRWB8 + Egh3BDK6FsE= + ) +carol IN IPSECKEY ( 10 1 2 192.168.0.100 + AwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuukt + gXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo + 5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6 + q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF + 5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5P + UdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3 + WEKTAmsZrVE= + ) +dave IN IPSECKEY ( 10 1 2 192.168.0.200 + AwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO0 + 4jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4b + V2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH + 10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GK + qmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3 + Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K + 0J4a81Paq3U= + ) +; +; This is a zone-signing key, keyid 9396, for strongswan.org. +strongswan.org. IN DNSKEY 256 3 8 ( + AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f + fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj + D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd + bNvV9pvZ + ) +; +; This is a key-signing key, keyid 481, for strongswan.org. +strongswan.org. IN DNSKEY 257 3 8 ( + AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK + fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK + TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP + bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK + bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA + X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM + ooWxy1674/U= + ) diff --git a/testing/hosts/winnetou/etc/bind/dsset-. b/testing/hosts/winnetou/etc/bind/dsset-. new file mode 100644 index 000000000..511b68ace --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/dsset-. @@ -0,0 +1,2 @@ +. IN DS 32329 8 1 39BE767A8E8BCD4D7AF698144FF41701FEDC3BA1 +. IN DS 32329 8 2 36B3DE82C971DF2A99AF3B00923A67A1DC956218E95A39335AF9768C 057FBBE0 diff --git a/testing/hosts/winnetou/etc/bind/dsset-org. b/testing/hosts/winnetou/etc/bind/dsset-org. new file mode 100644 index 000000000..c135c66ea --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/dsset-org. @@ -0,0 +1,2 @@ +org. IN DS 51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929 +org. IN DS 51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9 diff --git a/testing/hosts/winnetou/etc/bind/dsset-strongswan.org. b/testing/hosts/winnetou/etc/bind/dsset-strongswan.org. new file mode 100644 index 000000000..02ce8647c --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/dsset-strongswan.org. @@ -0,0 +1,2 @@ +strongswan.org. IN DS 481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55 +strongswan.org. IN DS 481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE diff --git a/testing/hosts/winnetou/etc/bind/named.conf.default-zones b/testing/hosts/winnetou/etc/bind/named.conf.default-zones new file mode 100644 index 000000000..52a1e4c7c --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/named.conf.default-zones @@ -0,0 +1,23 @@ +// be authoritative for the localhost forward and reverse zones, and for +// broadcast zones as per RFC 1912 + +zone "localhost" { + type master; + file "/etc/bind/db.local"; +}; + +zone "127.in-addr.arpa" { + type master; + file "/etc/bind/db.127"; +}; + +zone "0.in-addr.arpa" { + type master; + file "/etc/bind/db.0"; +}; + +zone "255.in-addr.arpa" { + type master; + file "/etc/bind/db.255"; +}; + diff --git a/testing/hosts/winnetou/etc/bind/named.conf.local b/testing/hosts/winnetou/etc/bind/named.conf.local new file mode 100644 index 000000000..fa26fa9e5 --- /dev/null +++ b/testing/hosts/winnetou/etc/bind/named.conf.local @@ -0,0 +1,18 @@ +// +// Do any local configuration here +// + +zone "." { + type master; + file "/etc/bind/db.root.signed"; +}; + +zone "org" { + type master; + file "/etc/bind/db.org.signed"; +}; + +zone "strongswan.org" { + type master; + file "/etc/bind/db.strongswan.org.signed"; +}; diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 1355d7a05..5061f27bb 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -15,8 +15,8 @@ INC=build-essential,gperf,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core -INC=$INC,less,acpid,acpi-support-base -SERVICES="apache2 dbus isc-dhcp-server slapd" +INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils +SERVICES="apache2 dbus isc-dhcp-server slapd bind9" INC=$INC,${SERVICES// /,} EXC=iptables @@ -67,6 +67,9 @@ do_on_exit graceful_umount $APTCACHE log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)" execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR" +execute "mount -t proc none $LOOPDIR/proc" +do_on_exit graceful_umount $LOOPDIR/proc + for service in $SERVICES do log_action "Stopping service $service" diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages index f5669040e..3e0709db9 100755 --- a/testing/scripts/build-guestimages +++ b/testing/scripts/build-guestimages @@ -57,6 +57,10 @@ do execute_chroot "rm -rf /var/lib/ldap/*" 0 execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0 execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0 + execute_chroot "dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org" 0 + execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0 + execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0 + execute_chroot "update-rc.d bind9 defaults" 0 fi sync execute "umount $LOOPDIR" 0 diff --git a/testing/scripts/recipes/005_strongswan.mk b/testing/scripts/recipes/005_strongswan.mk index 76d2d0882..8bac5aa07 100644 --- a/testing/scripts/recipes/005_strongswan.mk +++ b/testing/scripts/recipes/005_strongswan.mk @@ -67,7 +67,9 @@ CONFIG_OPTS = \ --enable-xauth-generic \ --enable-xauth-eap \ --enable-pkcs8 \ - --enable-unity + --enable-unity \ + --enable-unbound \ + --enable-ipseckey all: install diff --git a/testing/ssh b/testing/ssh new file mode 100755 index 000000000..fc72c265e --- /dev/null +++ b/testing/ssh @@ -0,0 +1,20 @@ +#!/bin/bash + +DIR=$(dirname `readlink -f $0`) +. $DIR/testing.conf + +if [ $# == 0 ] +then + echo "$0 <host>" + exit 1 +fi + +host=$1 +ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`" +if [ -z $ip ] +then + echo "Host '$host' unknown" + exit 1 +fi + +exec ssh $SSHCONF -q root@$ip diff --git a/testing/start-testing b/testing/start-testing index 183729423..db582cfd7 100755 --- a/testing/start-testing +++ b/testing/start-testing @@ -15,7 +15,7 @@ echo "Starting test environment" [ `id -u` -eq 0 ] || die "You must be root to run $0" -check_commands virsh +check_commands kvm virsh log_action "Deploying kernel $KERNEL" execute "ln -fs $KNLSRC $KNLTARGET" diff --git a/testing/tests/ikev1/net2net-fragmentation/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt new file mode 100644 index 000000000..6fe773299 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation +protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509 +certificates. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat new file mode 100644 index 000000000..876787495 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat @@ -0,0 +1,15 @@ +moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES +sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES +moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..cdd430408 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..448525bf7 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat new file mode 100644 index 000000000..c724e5df8 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt new file mode 100644 index 000000000..9893359c0 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat new file mode 100644 index 000000000..389cac7f3 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..6c11645f9 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftid=moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftrsasigkey=moonPub.der + leftauth=pubkey + leftfirewall=yes + right=sun.strongswan.org + rightid=sun.strongswan.org + rightsubnet=10.2.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..76e41cd47 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftrsasigkey=sunPub.der + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der Binary files differnew file mode 100644 index 000000000..cc99934db --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat new file mode 100644 index 000000000..c594c4dc8 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/resolv.conf +sun::rm /etc/resolv.conf +moon::rm /etc/ipsec.d/dnssec.keys +sun::rm /etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat new file mode 100644 index 000000000..0f4ae0f4f --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt new file mode 100644 index 000000000..0135f078c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +</p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway +<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> +and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat new file mode 100644 index 000000000..49183fb42 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat @@ -0,0 +1,24 @@ +carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..70deaa036 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=carol.strongswan.org + leftrsasigkey="0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..24ffdd3b1 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=dave.strongswan.org + leftrsasigkey="0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a199a4824 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=moon.strongswan.org + leftauth=pubkey + leftrsasigkey=moonPub.der + leftfirewall=yes + right=%any + rightauth=pubkey + rightsourceip=10.3.0.0/24 + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..644ac3d6a --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr + + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat new file mode 100644 index 000000000..3d55e09f9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon:rm /etc/resolv.conf +carol:rm /etc/resolv.conf +dave:rm /etc/resolv.conf +moon:rm /etc/ipsec.d/dnssec.key +carol:rm /etc/ipsec.d/dnssec.key +dave:rm /etc/ipse.cd/dnssec.key diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat new file mode 100644 index 000000000..40eaede87 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat index e969774c5..f028ec609 100644 --- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat @@ -7,9 +7,11 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets index 96b9a8dd5..11d45cd14 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets @@ -2,5 +2,5 @@ : RSA aaaKey.pem -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf index e9152e0d8..59563730b 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf @@ -12,12 +12,12 @@ conn %default conn home left=PH_IP_CAROL - leftid=carol@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey + eap_identity=carol aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets index 74942afda..23d79cf2e 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -carol@strongswan.org : EAP "Ar3etTnp" +carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf index 25589bcf1..8c27c78d2 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf @@ -12,12 +12,12 @@ conn %default conn home left=PH_IP_DAVE - leftid=dave@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey + eap_identity=dave aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets index 5496df7ad..02e0c9963 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -dave@strongswan.org : EAP "W7R0g3do" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf index 294964fe7..02ada5665 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf @@ -28,6 +28,6 @@ conn rw-eap leftauth=pubkey leftfirewall=yes rightauth=eap-radius - rightid=*@strongswan.org rightsendcert=never right=%any + eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf index 15655daf2..d32951866 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no plugins { eap-radius { |