added ikev2/ip-pool-db scenario

testing/tests/ikev2/ip-pool-db/description.txt

@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.

testing/tests/ikev2/ip-pool-db/evaltest.dat

@@ -0,0 +1,24 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning lease with new address from pool bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES

testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add

testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf

@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add

testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=%bigpool
+	auto=add

testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.d/ipsec.sql

@@ -0,0 +1,201 @@
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
+
+DROP TABLE IF EXISTS child_configs;
+CREATE TABLE child_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  lifetime INTEGER NOT NULL DEFAULT '1200',
+  rekeytime INTEGER NOT NULL DEFAULT '1020',
+  jitter INTEGER NOT NULL DEFAULT '180',
+  updown TEXT DEFAULT NULL,
+  hostaccess INTEGER NOT NULL DEFAULT '0',
+  mode INTEGER NOT NULL DEFAULT '1',
+  dpd_action INTEGER NOT NULL DEFAULT '0',
+  close_action INTEGER NOT NULL DEFAULT '0',
+  ipcomp INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS child_configs_name;
+CREATE INDEX child_configs_name ON child_configs (
+  name
+);
+
+DROP TABLE IF EXISTS child_config_traffic_selector;
+CREATE TABLE child_config_traffic_selector (
+  child_cfg INTEGER NOT NULL,
+  traffic_selector INTEGER NOT NULL,
+  kind INTEGER NOT NULL
+);
+DROP INDEX IF EXISTS child_config_traffic_selector;
+CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector (
+  child_cfg, traffic_selector
+);
+
+DROP TABLE IF EXISTS ike_configs;
+CREATE TABLE ike_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  certreq INTEGER NOT NULL DEFAULT '1',
+  force_encap INTEGER NOT NULL DEFAULT '0',
+  local TEXT NOT NULL,
+  remote TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS peer_configs;
+CREATE TABLE peer_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  ike_version INTEGER NOT NULL DEFAULT '2',
+  ike_cfg INTEGER NOT NULL,
+  local_id TEXT NOT NULL,
+  remote_id TEXT NOT NULL,
+  cert_policy INTEGER NOT NULL DEFAULT '1',
+  uniqueid INTEGER NOT NULL DEFAULT '0',
+  auth_method INTEGER NOT NULL DEFAULT '1',
+  eap_type INTEGER NOT NULL DEFAULT '0',
+  eap_vendor INTEGER NOT NULL DEFAULT '0',
+  keyingtries INTEGER NOT NULL DEFAULT '1',
+  rekeytime INTEGER NOT NULL DEFAULT '0',
+  reauthtime INTEGER NOT NULL DEFAULT '3600',
+  jitter INTEGER NOT NULL DEFAULT '180',
+  overtime INTEGER NOT NULL DEFAULT '300',
+  mobike INTEGER NOT NULL DEFAULT '1',
+  dpd_delay INTEGER NOT NULL DEFAULT '120',
+  virtual TEXT DEFAULT NULL,
+  pool TEXT DEFAULT NULL,
+  mediation INTEGER NOT NULL DEFAULT '0',
+  mediated_by INTEGER NOT NULL DEFAULT '0',
+  peer_id INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS peer_configs_name;
+CREATE INDEX peer_configs_name ON peer_configs (
+  name
+);
+
+DROP TABLE IF EXISTS peer_config_child_config;
+CREATE TABLE peer_config_child_config (
+  peer_cfg INTEGER NOT NULL,
+  child_cfg INTEGER NOT NULL,
+  PRIMARY KEY (peer_cfg, child_cfg)
+);
+
+DROP TABLE IF EXISTS traffic_selectors;
+CREATE TABLE traffic_selectors (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL DEFAULT '7',
+  protocol INTEGER NOT NULL DEFAULT '0',
+  start_addr BLOB DEFAULT NULL,
+  end_addr BLOB DEFAULT NULL,
+  start_port INTEGER NOT NULL DEFAULT '0',
+  end_port INTEGER NOT NULL DEFAULT '65535'
+);
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  keytype INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+  certificate INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (certificate, identity)
+);
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+  id INTEGER NOT NULL  PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+  private_key INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (private_key, identity)
+);
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+  shared_secret INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (shared_secret, identity)
+);
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  start BLOB NOT NULL,
+  end BLOB NOT NULL,
+  next BLOB NOT NULL,
+  timeout INTEGER DEFAULT NULL,
+  UNIQUE (name)
+);
+DROP INDEX IF EXISTS pools_name;
+CREATE INDEX pools_name ON pools (
+  name
+);
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  pool INTEGER NOT NULL,
+  address BLOB NOT NULL,
+  identity INTEGER NOT NULL,
+  acquired INTEGER NOT NULL,
+  released INTEGER DEFAULT NULL
+);
+DROP INDEX IF EXISTS leases_pool;
+CREATE INDEX leases_pool ON leases (
+  pool
+);
+DROP INDEX IF EXISTS leases_identity;
+CREATE INDEX leases_identity ON leases (
+  identity
+);
+DROP INDEX IF EXISTS leases_released;
+CREATE INDEX leases_released ON leases (
+  released
+);
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+  local_spi BLOB NOT NULL PRIMARY KEY,
+  remote_spi BLOB NOT NULL,
+  id INTEGER NOT NULL,
+  initiator INTEGER NOT NULL,
+  local_id_type INTEGER NOT NULL,
+  local_id_data BLOB NOT NULL,
+  remote_id_type INTEGER NOT NULL,
+  remote_id_data BLOB NOT NULL,
+  host_family INTEGER NOT NULL,
+  local_host_data BLOB NOT NULL,
+  remote_host_data BLOB NOT NULL,
+  created INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  local_spi BLOB NOT NULL,
+  signal INTEGER NOT NULL,
+  level INTEGER NOT NULL,
+  msg TEXT NOT NULL,
+  time INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+}

testing/tests/ikev2/ip-pool-db/posttest.dat

@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*

testing/tests/ikev2/ip-pool-db/pretest.dat

@@ -0,0 +1,12 @@
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1

testing/tests/ikev2/ip-pool-db/test.conf

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"