testing: Migrated ikev2 scenarios to swanctl

testing/tests/ikev2/host2host-cert/description.txt

@@ -1,4 +1,6 @@
 A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.

testing/tests/ikev2/nat-rw-psk/description.txt

@@ -1,6 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
 the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
 ping the client <b>bob</b> behind the gateway <b>sun</b>.

testing/tests/ikev2/nat-rw/description.txt

@@ -1,5 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
 the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
 ping the client <b>bob</b> behind the gateway <b>sun</b>.

testing/tests/ikev2/net2net-psk/description.txt

@@ -1,6 +1,7 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.

testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt

@@ -1,9 +1,11 @@
-at the outset the gateway authenticates itself to the client by sending an
-IKEv2 <b>RSA signature</b> accompanied by a certificate.
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
 In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
 uses the EAP identity <b>carol</b>.

testing/tests/ikev2/rw-eap-aka-rsa/description.txt

@@ -1,7 +1,8 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.

testing/tests/ikev2/rw-eap-md5-rsa/description.txt

@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with an  <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
-is kept in <b>ipsec.secrets</b> on both gateway and client 
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+

testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt

@@ -1,8 +1,10 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Microsoft CHAP version 2</i> protocol
-(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
-e.g. by the Windows 7 Agile VPN client.
-In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.

testing/tests/ikev2/rw-eap-sim-id-radius/description.txt

@@ -1,13 +1,13 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b> and
-the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
 which also uses static triplets. In addition to her IKEv2 identity
 <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
 identity <b>228060123456001</b>.
-

testing/tests/ikev2/rw-eap-sim-only-radius/description.txt

@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The gateway <b>moon</b> does not send an AUTH payload thus signalling
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
 a mutual <b>EAP-only</b> authentication.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
 The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
 The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.

testing/tests/ikev2/rw-eap-sim-radius/description.txt

@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
 The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
 The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.

testing/tests/ikev2/rw-eap-sim-rsa/description.txt

@@ -1,7 +1,8 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
-to authenticate against the gateway. In this scenario triplets from the file
-<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
-itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf

@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
-	rightsubnet=10.1.0.0/16
-	rightsendcert=never
-	auto=add

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets

@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf

@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf

@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
-	rightsubnet=10.1.0.0/16
-	rightsendcert=never
-	auto=add

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets

@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "UgaM65Va"

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf

@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf

@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightsendcert=never
-	right=%any
-	auto=add

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets

@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf

@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-   }
- }
-}

testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat

@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home

testing/tests/swanctl/config-payload/evaltest.dat

@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES

testing/tests/swanctl/host2host-cert/description.txt

@@ -0,0 +1,6 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.

testing/tests/swanctl/host2host-cert/evaltest.dat

@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/host2host-cert/posttest.dat

@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush

testing/tests/swanctl/host2host-cert/pretest.dat

@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null

testing/tests/swanctl/host2host-cert/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/host2host-transport/description.txt

@@ -0,0 +1,6 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.

testing/tests/swanctl/host2host-transport/evaltest.dat

@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/host2host-transport/posttest.dat

@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush

testing/tests/swanctl/host2host-transport/pretest.dat

@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null

testing/tests/swanctl/host2host-transport/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/ip-pool-db/evaltest.dat

@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES

testing/tests/swanctl/ip-pool/evaltest.dat

@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES

testing/tests/swanctl/ip-two-pools-db/description.txt

@@ -0,0 +1,14 @@
+The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
+from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
+[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
+IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
+the <b>eth1</b> (PH_IP_MOON1) interface.
+Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
+respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
+respectively.
+<p>
+By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
+spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
+demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
+of <b>carol</b> and <b>venus</b>.

testing/tests/swanctl/ip-two-pools-db/evaltest.dat

@@ -0,0 +1,35 @@
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+

testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}

testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}

testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}

testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules

@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT

testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+  database = sqlite:///etc/db.d/ipsec.db
+}

testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,48 @@
+connections {
+
+   ext {
+      local_addrs  = 192.168.0.1
+      pools = extpool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         ext {
+            local_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+
+   int {
+      local_addrs  = 10.1.0.1
+      pools = intpool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         int {
+            local_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}

testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools-db/posttest.dat

@@ -0,0 +1,18 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+

testing/tests/swanctl/ip-two-pools-db/pretest.dat

@@ -0,0 +1,30 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
+venus::expect-connection home
+venus::swanctl --initiate --child home 2> /dev/null

testing/tests/swanctl/ip-two-pools-db/test.conf

@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice venus carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/ip-two-pools/description.txt

@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from  <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
+connecting to the <b>eth1</b> (10.1.0.1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
+both ping the gateway <b>moon</b>.

testing/tests/swanctl/ip-two-pools/evaltest.dat

@@ -0,0 +1,18 @@
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES

testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf

@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules

@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT

testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,55 @@
+connections {
+
+   rw1 {
+      local_addrs  = 192.168.0.1
+      pools = pool1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         rw1 {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+
+   rw2 {
+      local_addrs  = 10.1.0.1
+      pools = pool2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         rw2 {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   pool1 {
+      addrs = 10.3.0.0/28
+   }
+   pool2 {
+      addrs = 10.4.0.0/28
+   }
+}

testing/tests/swanctl/ip-two-pools/posttest.dat

@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush

testing/tests/swanctl/ip-two-pools/pretest.dat

@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null

testing/tests/swanctl/ip-two-pools/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/nat-rw-psk/description.txt

@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.

testing/tests/swanctl/nat-rw-psk/evaltest.dat

@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES

testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf

@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}

testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf

@@ -0,0 +1,33 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 10.1.0.10
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.2
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-sun {
+      id = 192.168.0.2
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}

testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules

@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT

testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}

testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,36 @@
+connections {
+
+   nat-t {
+      local_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 192.168.0.2
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         nat-t {
+            local_ts = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-alice {
+      id = 10.1.0.10
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   ike-venus {
+      id = 10.1.0.20
+      secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+   }
+}

testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf

@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}

testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf

@@ -0,0 +1,34 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 10.1.0.20
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.2
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-sun {
+      id = 192.168.0.2
+      secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+   }
+}
+

testing/tests/swanctl/nat-rw-psk/posttest.dat

@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F

testing/tests/swanctl/nat-rw-psk/pretest.dat

@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t

testing/tests/swanctl/nat-rw-psk/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/nat-rw/description.txt

@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.

testing/tests/swanctl/nat-rw/evaltest.dat

@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES

testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf

@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}

testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules

@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT

testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}

testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      local_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf

@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}

testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf

@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/swanctl/nat-rw/posttest.dat

@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F

testing/tests/swanctl/nat-rw/pretest.dat

@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t

testing/tests/swanctl/nat-rw/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/swanctl/net2net-psk/description.txt

@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.

testing/tests/swanctl/net2net-psk/evaltest.dat

@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}

testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,55 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-1 {
+      id-1 = moon.strongswan.org
+      secret = 0x45a30759df97dc26a15b88ff
+   }
+   ike-2 {
+      id-2 = sun.strongswan.org
+      secret = "This is a strong password"
+   }
+   ike-3 {
+      id-3a = moon.strongswan.org
+      id-3b =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   ike-4 {
+      secret = 'My "home" is my "castle"!'
+   }
+   ike-5 {
+     id-5 = 192.168.0.1
+     secret = "Andi's home"
+   }
+}

testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}