Add initial TKM integration test

A connection between the hosts moon and sun is set up. The host moon uses the Trusted Key Manager (TKM) and is the initiator of the transport connection. The authentication is based on X.509 certificates.
2013-01-22 20:52:55 +01:00 · 2013-01-22 20:52:55 +01:00 · 117375ed00
parent 7b702150a0
commit 117375ed00
10 changed files with 96 additions and 0 deletions
--- a/testing/tests/tkm/host2host-initiator/description.txt
+++ b/testing/tests/tkm/host2host-initiator/description.txt
@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the
+transport connection. The authentication is based on X.509 certificates.
--- a/testing/tests/tkm/host2host-initiator/evaltest.dat
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
--- a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
--- a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
--- a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- a/testing/tests/tkm/host2host-initiator/posttest.dat
+++ b/testing/tests/tkm/host2host-initiator/posttest.dat
@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
--- a/testing/tests/tkm/host2host-initiator/pretest.dat
+++ b/testing/tests/tkm/host2host-initiator/pretest.dat
@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
--- a/testing/tests/tkm/host2host-initiator/test.conf
+++ b/testing/tests/tkm/host2host-initiator/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"