Diffstat (limited to 'testing')
26 files changed, 43 insertions, 43 deletions
diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat index 448f283f1..9af5c4c02 100644 --- a/testing/tests/ha/active-passive/evaltest.dat +++ b/testing/tests/ha/active-passive/evaltest.dat @@ -16,7 +16,7 @@ dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES alice::ip xfrm policy flush::no output expected::NO alice::ip xfrm state flush::no output expected::NO alice::killall -9 starter charon::no output expected::NO -carol::sleep 3::no output expected::NO +carol::sleep 2::no output expected::NO moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt index 7f62dc576..0fb2f1064 100644 --- a/testing/tests/ikev1/dpd-clear/description.txt +++ b/testing/tests/ikev1/dpd-clear/description.txt @@ -1,5 +1,5 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b> which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s. When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted, -<b>moon</b> clears the connection after 4 unsuccessful retransmits. +<b>moon</b> clears the connection after a number of unsuccessful retransmits. diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat index f6f18212c..8d4fa03a8 100644 --- a/testing/tests/ikev1/dpd-clear/evaltest.dat +++ b/testing/tests/ikev1/dpd-clear/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon:: sleep 60::no output expected::NO +moon:: sleep 16::no output expected::NO moon:: cat /var/log/daemon.log::sending DPD request::YES -moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES +moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf index 83f2849a4..9219e7028 100644 --- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf @@ -9,8 +9,8 @@ conn %default keyingtries=1 keyexchange=ikev1 dpdaction=clear - dpddelay=10 - dpdtimeout=45 + dpddelay=5 + dpdtimeout=15 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt index 410d3d636..6f4af9439 100644 --- a/testing/tests/ikev1/dpd-restart/description.txt +++ b/testing/tests/ikev1/dpd-restart/description.txt 
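Review bot: The new `moon:: sleep 16` in ikev1/dpd-clear/evaltest.dat leaves about one second between the `dpdtimeout=15` this commit sets in moon's ipsec.conf and the grep for `DPD check timed out, enforcing DPD action`. That is enough only if the timeout is counted from the last packet moon received; on a loaded test host the log line may not be written yet, and the test would then fail on timing rather than on a DPD regression. A slightly wider margin such as `moon:: sleep 18::no output expected::NO` keeps most of the speed-up. The same applies to `carol::sleep 16` in ikev1/dpd-restart/evaltest.dat.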
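Review bot: Lowering `dpddelay` to 5 in moon's ipsec.conf leaves this test's description.txt out of date, because the description hunk in the same commit keeps "polling interval of 10 s" as unchanged context. The sentence should read `polling interval of 5 s`. ikev1/dpd-restart has the same mismatch: its description.txt is rewritten to say `10s` while carol's ipsec.conf gets `dpddelay=5`. The `conn %default` section begins above the hunk, so other DPD-related keys may exist that are not shown.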
@@ -1,7 +1,7 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a -polling interval of 10 s. When the network connectivity between <b>carol</b> -and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b> -clears the connection after 4 unsuccessful retransmits whereas <b>carol</b> +polling interval of 10s. When the network connectivity between <b>carol</b> +and <b>moon</b> is forcefully disrupted for a duration of 100s, <b>moon</b> +clears the connection after a number of unsuccessful retransmits whereas <b>carol</b> also takes down the connection but immediately tries to reconnect which succeeds as soon as the connection becomes available again. diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 6a749b826..91803a3f1 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -carol::sleep 60::no output expected::NO +carol::sleep 16::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO -carol::sleep 10::no output expected::NO +carol::sleep 1::no output expected::NO carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES 
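Review bot: `carol::sleep 1` after the two `iptables -D` lines in ikev1/dpd-restart/evaltest.dat gives the restarted connection one second to reach `INSTALLED, TUNNEL` on both hosts, down from ten. Whether that suffices depends on when carol's next retransmit of the restart attempt goes out once the DROP rules are gone, which this hunk does not show. If that interval can exceed one second, the last two status checks will fail intermittently. The rewritten description.txt also still speaks of a disruption of `100s`, which does not match the `sleep 16` used here. ikev2/dpd-restart/evaltest.dat gets the same `carol::sleep 1`.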
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf index d3c105c31..4e142d699 100644 --- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf @@ -9,8 +9,8 @@ conn %default keyingtries=1 keyexchange=ikev1 dpdaction=restart - dpddelay=10 - dpdtimeout=45 + dpddelay=5 + dpdtimeout=15 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf index 2b80853c6..094e0effa 100644 --- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -2,8 +2,4 @@ charon { load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown - - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 } diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt index 7f62dc576..0fb2f1064 100644 --- a/testing/tests/ikev2/dpd-clear/description.txt +++ b/testing/tests/ikev2/dpd-clear/description.txt @@ -1,5 +1,5 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b> which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s. When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted, -<b>moon</b> clears the connection after 4 unsuccessful retransmits. +<b>moon</b> clears the connection after a number of unsuccessful retransmits. diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat index c1a271903..2071e8fc8 100644 --- a/testing/tests/ikev2/dpd-clear/evaltest.dat +++ b/testing/tests/ikev2/dpd-clear/evaltest.dat 
@@ -1,8 +1,8 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 180::no output expected::NO
+moon:: sleep 13::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
 moon:: cat /var/log/daemon.log::retransmit.*of request::YES
-moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 4c035a6e9..c7514fafe 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -2,13 +2,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::ping -c 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 2::no output expected::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
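Review bot: `moon:: sleep 13` in ikev2/dpd-clear/evaltest.dat depends on retransmit and DPD settings that none of this test's files in the diff set. The commit deletes per-host `retransmit_timeout`, `retransmit_base` and `retransmit_tries` lines in other tests, which suggests the values now come from a shared default; if so, a later change to that default silently invalidates this sleep. Stating the dependency in the test's description.txt would help, for example `DPD gives up once the retransmit schedule from the testing defaults is exhausted`. The same holds for `carol::sleep 13` in ikev2/dpd-hold and ikev2/dpd-restart.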
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 962bd0636..744307998 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
index e74ee1569..3e441b2fe 100644
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@ The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end -is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the +is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option -<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary +<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin. <p> In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b> suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets to and from -<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). +<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat index 221c59318..28c403b55 100644 --- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat +++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat 
@@ -1,7 +1,7 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::sleep 15::NO +carol::sleep 11::NO carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO carol::ipsec status 2> /dev/null::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt index 9ee5db95b..ad7de9ecc 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt +++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt @@ -6,5 +6,5 @@ OCSP server is listening. Thanks to timeouts the connection can nevertheless be established successfully by contacting a valid OCSP URI contained in <b>carol</b>'s certificate. <p> -As an additional test the OCSP response is delayed by 5 seconds in order to check +As an additional test the OCSP response is delayed by a few seconds in order to check the correct handling of retransmitted IKE_AUTH messages. diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index aa70321d5..46a716f83 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -6,7 +6,7 @@ echo "Content-type: application/ocsp-response" echo "" # simulate a delayed response -sleep 5 +sleep 2 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ -rkey ocspKey.pem -rsigner ocspCert.pem \ diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf index 2b80853c6..094e0effa 100644 
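Review bot: The changed line `carol::sleep 11::NO` in ikev2/inactivity-timeout/evaltest.dat has three `::`-separated fields where every other line in the hunk has four; the commit keeps the shape of the old `sleep 15` line. Whether the evaluation script tolerates the missing pattern field is not visible here. `carol::sleep 11::no output expected::NO` would match the sleep lines in the other evaltest.dat files this commit touches. The sleep now exceeds the 10-second inactivity timeout by only one second, so the grep for `deleting CHILD_SA after 10 seconds of inactivity` can race with the daemon's log write.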
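Review bot: The comment above `sleep 2` in ocsp.cgi does not say what the delay has to exceed. The test description says the delay exists to exercise retransmitted IKE_AUTH messages, so it only does its job while it is longer than the initiator's first retransmit timeout. The per-host settings removed elsewhere in this commit use `retransmit_timeout = 2`; if that value also applies to this test, which the hunk does not show, a 2-second delay sits on the boundary and a retransmit may or may not occur. I would write the comment as `# simulate a delayed response; must be longer than the IKE retransmit timeout` and pick a delay with some margin. The script continues past the end of the hunk.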
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -2,8 +2,4 @@ charon { load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown - - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 } diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf index 7f06388b8..d117a3001 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf @@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf index 7f06388b8..d117a3001 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf @@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index b8488fef8..e8706082e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf 
@@ -5,6 +5,8 @@ charon { multiple_authentication=no + retransmit_tries = 5 + plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 228441289..156a2e4c4 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -5,6 +5,8 @@ charon { multiple_authentication = no + retransmit_tries = 5 + plugins { tnc-imc { preferred_language = de diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index ee16a4cad..8aa2ab97e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + plugins { eap-ttls { max_message_count = 0 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index dd7d16076..aea7a71f9 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -3,7 +3,9 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { + retransmit_timeout = + + plugins { eap-ttls { max_message_count = 0 } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index e67223b45..c69f9454d 100644 
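Review bot: `retransmit_tries = 5` is added to dave's strongswan.conf in tnccs-11-radius-pts and tnccs-20-os-pts with no comment saying why these two tests need more retransmits than the rest. Presumably the TNC exchange takes longer than the retransmit window the other tests now run with, but nothing in the hunk states that. A line above it such as `# TNC measurements can outlast the default retransmit window of the test suite` would keep a later clean-up from removing it. The `charon` section continues outside both hunks.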
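Review bot: `retransmit_timeout =` with no value, added to carol's strongswan.conf in tnccs-20-pdp-eap, reads like a truncated edit. If the empty assignment is meant to clear a value inherited from a shared testing configuration so that charon falls back to its built-in default, say so on the line above, for example `# clear the inherited retransmit_timeout so charon uses its built-in default`; otherwise the value is missing. The same empty assignment is added for dave in tnccs-20-pdp-eap, tnccs-20-pts-no-ecc and tnccs-20-pts, and for moon in tnccs-20-pts. The two tests changed earlier in this commit use `retransmit_tries = 5` instead, so one mechanism for all TNC tests would be easier to follow.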
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index 3c41f154a..b6c9ab661 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { tnc-imc { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index 88a4ad36e..68e4a4689 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + retransmit_timeout = + multiple_authentication = no plugins { |