Cleaned configuration files in PT-TLS client scenario

2013-08-22 17:24:20 +02:00 · 2013-08-22 17:24:20 +02:00 · 03d673620d
parent d7ae0b254d
commit 03d673620d
11 changed files with 13 additions and 127 deletions
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
@ -1,23 +1,3 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file

-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	eap_identity=carol
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
+# the PT-TLS client reads its configuration via the command line
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file

-carol : EAP "Ar3etTnp"
+# the PT-TLS client loads its secrets via the command line
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
@ -1,23 +1,3 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file

-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	eap_identity=dave
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
+# the PT-TLS client reads its configuration via the command line
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file

-dave : EAP "W7R0g3do"
+# the PT-TLS client loads its secrets via the command line
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/ipsec.conf
@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightsendcert=never
-	right=%any
-	eap_identity=%any
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/ipsec.secrets
@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/iptables.rules
@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-
-# allow esp
-A INPUT  -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
-A INPUT  -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/moon/etc/strongswan.conf
@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      #server = PH_IP6_ALICE 
-      server = PH_IP_ALICE
-      filter_id = yes
-    }
-  }
-}
--- a/testing/tests/tnc/tnccs-20-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-pt-tls/test.conf
@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave alice"
+IPSECHOSTS="carol dave alice"

 # Guest instances on which FreeRadius is started
 #