added ikev1/net2net-fragmentation scenario

2013-02-12 23:01:48 +01:00 · 2013-02-12 23:01:48 +01:00 · 5374fe3a09
commit 5374fe3a09
parent bac1052dea
9 changed files with 122 additions and 0 deletions
--- a/testing/tests/ikev1/net2net-fragmentation/description.txt
+++ b/testing/tests/ikev1/net2net-fragmentation/description.txt
@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
+protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
+certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
--- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@ -0,0 +1,15 @@
+moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES
+sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES
+moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
--- a/testing/tests/ikev1/net2net-fragmentation/posttest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
--- a/testing/tests/ikev1/net2net-fragmentation/pretest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
--- a/testing/tests/ikev1/net2net-fragmentation/test.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"