added ikev2/rw-eap-md5-id-prompt scenario

2012-04-29 19:10:25 +02:00 · 2012-04-29 19:10:25 +02:00 · 2338b9f019
parent 23cb8ba72b
commit 2338b9f019
11 changed files with 117 additions and 0 deletions
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt
@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway. The EAP identity and password
+of the user is kept in <b>ipsec.secrets</b> on the gateway <b>moon</b> and 
+is entered interactively on the client <b>carol</b> using the command
+<b>ipsec stroke user-creds home carol "Ar3etTnp"</b>.
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
+against <b>carol</b>.
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
+carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-md5
+	rightsendcert=never
+	right=%any
+	eap_identity=%any
+	auto=add
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp"
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec stroke user-creds home carol "Ar3etTnp"
+carol::ipsec up home
+carol::sleep 1
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
				`@ -0,0 +1 @@`
				`# /etc/ipsec.secrets - strongSwan IPsec secrets file`