From 9d75f04eee7fd4e0f9b14fac3f9a67993d8c2267 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 26 Jul 2013 13:06:17 +0200 Subject: testing: add a testcase for plain XAuth RADIUS authentication --- .../tests/ikev1/xauth-rsa-radius/description.txt | 7 ++++ testing/tests/ikev1/xauth-rsa-radius/evaltest.dat | 9 +++++ .../hosts/alice/etc/freeradius/eap.conf | 5 +++ .../hosts/alice/etc/freeradius/proxy.conf | 5 +++ .../alice/etc/freeradius/sites-available/default | 39 ++++++++++++++++++++++ .../hosts/alice/etc/freeradius/users | 1 + .../xauth-rsa-radius/hosts/carol/etc/ipsec.conf | 23 +++++++++++++ .../xauth-rsa-radius/hosts/carol/etc/ipsec.secrets | 5 +++ .../hosts/carol/etc/strongswan.conf | 9 +++++ .../xauth-rsa-radius/hosts/moon/etc/ipsec.conf | 22 ++++++++++++ .../xauth-rsa-radius/hosts/moon/etc/ipsec.secrets | 3 ++ .../xauth-rsa-radius/hosts/moon/etc/iptables.rules | 32 ++++++++++++++++++ .../hosts/moon/etc/strongswan.conf | 11 ++++++ testing/tests/ikev1/xauth-rsa-radius/posttest.dat | 5 +++ testing/tests/ikev1/xauth-rsa-radius/pretest.dat | 8 +++++ testing/tests/ikev1/xauth-rsa-radius/test.conf | 25 ++++++++++++++ 16 files changed, 209 insertions(+) create mode 100644 testing/tests/ikev1/xauth-rsa-radius/description.txt create mode 100644 testing/tests/ikev1/xauth-rsa-radius/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/posttest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-radius/pretest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-radius/test.conf (limited to 'testing/tests') diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt new file mode 100644 index 000000000..fb30d163e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt @@ -0,0 +1,7 @@ +The roadwarrior carol sets up a connection to gateway moon. +The authentication is based on RSA signatures (RSASIG) using X.509 certificates +followed by extended authentication (XAUTH) of carol based on a user name +equal to the IKEv1 identity (carol@strongswan.org) and a user password +defined and stored by carol in ipsec.secrets. Gateway moon verifies +carol's XAUTH user credentials using a RADIUS connection with AAA server +alice. diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat new file mode 100644 index 000000000..ee60292a3 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..929b6cd74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,39 @@ +authorize { + suffix + files +} + +authenticate { + pap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..4fb07b912 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..2fdd60f00 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..d66f3fc24 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f4ee067d5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any + rightauth=pubkey + rightauth2=xauth-radius + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..77266cfa0 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat new file mode 100644 index 000000000..181949fb5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat new file mode 100644 index 000000000..9adc43d3e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf new file mode 100644 index 000000000..b4088e8b4 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" -- cgit v1.2.3