Add initial TKM integration test
A connection between the hosts moon and sun is set up. The host moon uses the Trusted Key Manager (TKM) and is the initiator of the transport connection. The authentication is based on X.509 certificates.
This commit is contained in:
parent
7b702150a0
commit
117375ed00
|
@ -0,0 +1,3 @@
|
|||
A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
|
||||
<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the
|
||||
transport connection. The authentication is based on X.509 certificates.
|
|
@ -0,0 +1,12 @@
|
|||
moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
|
||||
sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
|
||||
moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
|
||||
sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
|
||||
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
|
||||
moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
|
||||
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
|
||||
moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
|
||||
moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,21 @@
|
|||
<tkmconfig>
|
||||
<local_identity id="1">
|
||||
<identity>moon.strongswan.org</identity>
|
||||
<certificate>moonCert.pem</certificate>
|
||||
</local_identity>
|
||||
<policy id="1">
|
||||
<mode>transport</mode>
|
||||
<local>
|
||||
<identity_id>1</identity_id>
|
||||
<ip>192.168.0.1</ip>
|
||||
</local>
|
||||
<remote>
|
||||
<identity>sun.strongswan.org</identity>
|
||||
<ip>192.168.0.2</ip>
|
||||
</remote>
|
||||
<lifetime>
|
||||
<soft>30</soft>
|
||||
<hard>60</hard>
|
||||
</lifetime>
|
||||
</policy>
|
||||
</tkmconfig>
|
|
@ -0,0 +1,20 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn host-host
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=sun.strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightid=moon.strongswan.org
|
||||
ike=aes256-sha512-modp4096!
|
||||
esp=aes256-sha512-modp4096!
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
moon::DAEMON_NAME=charon-tkm ipsec stop
|
||||
moon::killall tkm_keymanager
|
||||
moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
|
||||
sun::ipsec stop
|
|
@ -0,0 +1,10 @@
|
|||
moon::rm /etc/ipsec.secrets
|
||||
moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
|
||||
moon::cat /etc/ipsec.conf
|
||||
moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
|
||||
moon::expect-file /tmp/tkm.rpc.ike
|
||||
moon::DAEMON_NAME=charon-tkm ipsec start
|
||||
sun::ipsec start
|
||||
sun::expect-connection host-host
|
||||
moon::DAEMON_NAME=charon-tkm expect-connection conn1
|
||||
moon::DAEMON_NAME=charon-tkm ipsec up conn1
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="moon winnetou sun"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-w-s.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
Loading…
Reference in New Issue