testing: Add ipv6/rw-compress-ikev2 scenario
This commit is contained in:
parent
6055e347f8
commit
62e050e0ef
|
@ -0,0 +1,10 @@
|
|||
This scenario enables IPComp compression between roadwarrior <b>carol</b> and
|
||||
gateway <b>moon</b>. Two IPv6 ICMP requests from <b>carol</b> to <b>alice</b>
|
||||
check the established tunnel with compression. The packet sizes are different
|
||||
because the kernel does not compress small packets.<br/>
|
||||
<b>Note:</b> The kernel applies IPComp after fragmenting the original packet
|
||||
according to the MTU. Also, because <b>alice</b> does not know about the IPsec
|
||||
tunnel between <b>moon</b> and <b>carol</b> the response to the first ICMP
|
||||
request is fragmented in too large fragments and <b>moon</b> sends back ICMPs
|
||||
with type 2 to notify <b>alice</b> about this (Path MTU Discovery).
|
||||
The second ping is then answered successfully.
|
|
@ -0,0 +1,13 @@
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
|
||||
moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
|
||||
moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
|
||||
moon:: ip xfrm state::proto comp spi::YES
|
||||
carol::ip xfrm state::proto comp spi::YES
|
||||
# send two pings because the first is lost due to Path MTU Discovery between alice and moon
|
||||
carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
|
||||
carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
|
||||
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
compress=yes
|
||||
leftfirewall=yes
|
||||
|
||||
conn home
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP6_MOON
|
||||
rightsubnet=fec1::/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
compress=yes
|
||||
leftfirewall=yes
|
||||
|
||||
conn rw
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=fec1::/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
moon::ip6tables-restore < /etc/ip6tables.flush
|
||||
carol::ip6tables-restore < /etc/ip6tables.flush
|
||||
alice::"ip route del fec0:\:/16 via fec1:\:1"
|
||||
carol::"ip route del fec1:\:/16 via fec0:\:1"
|
|
@ -0,0 +1,13 @@
|
|||
moon::iptables-restore < /etc/iptables.drop
|
||||
carol::iptables-restore < /etc/iptables.drop
|
||||
moon::ip6tables-restore < /etc/ip6tables.rules
|
||||
carol::ip6tables-restore < /etc/ip6tables.rules
|
||||
# enable Path MTU Discovery
|
||||
moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
|
||||
alice::"ip route add fec0:\:/16 via fec1:\:1"
|
||||
carol::"ip route add fec1:\:/16 via fec0:\:1"
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-ip6.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
Loading…
Reference in New Issue