ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

testing: Converted tnc scenarios to swanctl

This commit is contained in:
Andreas Steffen 2015-11-23 21:35:16 +01:00
parent 74270c8c86
commit 6aa7703122
386 changed files with 5091 additions and 2383 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
testing/tests/tnc/tnccs-11-fhh/evaltest.dat
View File

@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

158
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon Executable file
View File

@ -0,0 +1,158 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: charon
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: strongSwan charon IKE daemon
# Description: with swanctl the strongSwan charon daemon must be
# running in the background
### END INIT INFO
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
#
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
DESC="strongSwan charon IKE daemon"
NAME=charon
DAEMON=/usr/local/libexec/ipsec/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/charon
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

23
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

18
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
View File

@ -1,13 +1,29 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}

35
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = eap-ttls
id = carol@strongswan.org
}
remote {
auth = eap-ttls
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
}

158
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon Executable file
View File

@ -0,0 +1,158 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: charon
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: strongSwan charon IKE daemon
# Description: with swanctl the strongSwan charon daemon must be
# running in the background
### END INIT INFO
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
#
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
DESC="strongSwan charon IKE daemon"
NAME=charon
DAEMON=/usr/local/libexec/ipsec/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/charon
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

23
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

18
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
View File

@ -1,13 +1,29 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}

35
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = eap-ttls
id = dave@strongswan.org
}
remote {
auth = eap-ttls
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

158
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon Executable file
View File

@ -0,0 +1,158 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: charon
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: strongSwan charon IKE daemon
# Description: with swanctl the strongSwan charon daemon must be
# running in the background
### END INIT INFO
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
#
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
DESC="strongSwan charon IKE daemon"
NAME=charon
DAEMON=/usr/local/libexec/ipsec/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/charon
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

34
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
View File

@ -1,34 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
leftfirewall=yes
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any

6
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
View File

@ -1,6 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"

18
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
View File

@ -1,10 +1,22 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
}
}
plugins {
eap-ttls {
phase2_method = md5
@ -17,3 +29,7 @@ charon {
}
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}

64
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,64 @@
connections {
rw-allow {
local_addrs = 192.168.0.1
local {
auth = eap-ttls
id = moon.strongswan.org
}
remote {
auth = eap-ttls
id = *@strongswan.org
groups = allow
}
children {
rw-allow {
local_ts = 10.1.0.0/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
rw-isolate {
local_addrs = 192.168.0.1
local {
auth = eap-ttls
id = moon.strongswan.org
}
remote {
auth = eap-ttls
id = *@strongswan.org
groups = isolate
}
children {
rw-isolate {
local_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap-carol {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
eap-dave {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

6
testing/tests/tnc/tnccs-11-fhh/posttest.dat
View File

@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
carol::service charon stop
dave::service charon stop
moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush

14
testing/tests/tnc/tnccs-11-fhh/pretest.dat
View File

@ -6,11 +6,15 @@ carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
carol::rm /etc/swanctl/rsa/*
dave::rm /etc/swanctl/rsa/*
carol::rm /etc/swanctl/x509/*
dave::rm /etc/swanctl/x509/*
moon::service charon start
carol::service charon start
dave::service charon start
moon::expect-connection rw-allow
carol::expect-connection home
carol::ipsec up home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::ipsec up home
dave::swanctl --initiate --child home 2> /dev/null

4
testing/tests/tnc/tnccs-11-fhh/test.conf
View File

@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
# charon controlled by swanctl
#
SWANCTL=1

9
testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
View File

@ -1,14 +1,15 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

13
testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
View File

@ -15,6 +15,19 @@ session {
}
post-auth {
if (control:TNC-Status == "Access") {
update reply {
Tunnel-Type := ESP
Filter-Id := "allow"
}
}
elsif (control:TNC-Status == "Isolate") {
update reply {
Tunnel-Type := ESP
Filter-Id := "isolate"
}
}
Post-Auth-Type REJECT {
attr_filter.access_reject
}

10
testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
View File

@ -1,12 +1,12 @@
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
debug_level = 3
load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {
imv-scanner {
closed_port_policy = no
tcp_ports = 80 443
}
imv-test {
rounds = 1
}
}
}

23
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

15
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1

35
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
}

23
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

18
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
@ -14,6 +27,9 @@ charon {
libimcv {
plugins {
imc-test {
command = none
}
imc-scanner {
push_info = no
}

35
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = dave@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

23
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-eap
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
leftfirewall=yes
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
auto=add

3
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem

11
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
View File

@ -1,12 +1,19 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
plugins {
eap-radius {
secret = gv6URkSs
server = PH_IP_ALICE
server = 10.1.0.10
filter_id = yes
}
}
}

27
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,27 @@
connections {
rw {
local_addrs = 192.168.0.1
local {
auth = pubkey
id = moon.strongswan.org
certs = moonCert.pem
}
remote {
auth = eap-radius
id = *@strongswan.org
}
children {
rw {
local_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}

7
testing/tests/tnc/tnccs-11-radius-block/posttest.dat
View File

@ -1,9 +1,8 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
carol::service charon stop
dave::service charon stop
moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
dave::/etc/init.d/apache2 stop 2> /dev/null

18
testing/tests/tnc/tnccs-11-radius-block/pretest.dat
View File

@ -1,14 +1,20 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
dave::/etc/init.d/apache2 start 2> /dev/null
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
carol::rm /etc/swanctl/rsa/*
dave::rm /etc/swanctl/rsa/*
carol::rm /etc/swanctl/x509/*
dave::rm /etc/swanctl/x509/*
moon::service charon start
carol::service charon start
dave::service charon start
carol::expect-connection home
carol::ipsec up home
carol::swanctl --initiate --child home
dave::expect-connection home
dave::ipsec up home
dave::swanctl --initiate --child home

7
testing/tests/tnc/tnccs-11-radius-block/test.conf
View File

@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
VIRTHOSTS="alice moon carol winnetou dave"
VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
#
RADIUSHOSTS="alice"
# charon controlled by swanctl
#
SWANCTL=1

13
testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
View File

@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

23
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

23
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
View File

@ -1,21 +1,26 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
}
}

35
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-ecp256
}
}
version = 2
proposals = aes128-sha256-ecp256
}
}
secrets {
eap {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
}

23
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

27
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
View File

@ -1,26 +1,27 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
retransmit_tries = 5
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
imc-scanner {
push_info = no
}
}
}

35
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = dave@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-ecp256
}
}
version = 2
proposals = aes128-sha256-ecp256
}
}
secrets {
eap {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

33
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
View File

@ -1,33 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
leftfirewall=yes
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any

3
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem

10
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
View File

@ -1,12 +1,18 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
plugins {
eap-radius {
secret = gv6URkSs
server = PH_IP_ALICE
server = 10.1.0.10
filter_id = yes
}
}

53
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,53 @@
connections {
rw-allow {
local_addrs = 192.168.0.1
local {
auth = pubkey
id = moon.strongswan.org
certs = moonCert.pem
}
remote {
auth = eap-radius
id = *@strongswan.org
groups = allow
}
children {
rw-allow {
local_ts = 10.1.0.0/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-ecp256
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-ecp256
}
rw-isolate {
local_addrs = 192.168.0.1
local {
auth = pubkey
id = moon.strongswan.org
}
remote {
auth = eap-radius
id = *@strongswan.org
groups = isolate
}
children {
rw-isolate {
local_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-ecp256
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-ecp256
}
}

6
testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
View File

@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
carol::service charon stop
dave::service charon stop
moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
carol::echo 1 > /proc/sys/net/ipv4/ip_forward

16
testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
View File

@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
dave::ipsec start
carol::ipsec start
dave::expect-connection home
dave::ipsec up home
carol::rm /etc/swanctl/rsa/*
dave::rm /etc/swanctl/rsa/*
carol::rm /etc/swanctl/x509/*
dave::rm /etc/swanctl/x509/*
moon::service charon start
carol::service charon start
dave::service charon start
carol::expect-connection home
carol::ipsec up home
carol::swanctl --initiate --child home
dave::expect-connection home
dave::swanctl --initiate --child home
alice::ipsec attest --sessions
alice::ipsec attest --devices

4
testing/tests/tnc/tnccs-11-radius-pts/test.conf
View File

@ -27,3 +27,7 @@ RADIUSHOSTS="alice"
# Guest instances on which databases are used
#
DBHOSTS="alice"
# charon controlled by swanctl
#
SWANCTL=1

13
testing/tests/tnc/tnccs-11-radius/evaltest.dat
View File

@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

1
testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
View File

@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {

23
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

15
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1

35
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
}

23
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add

3
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

15
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1

35
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = eap
aaa_id = aaa.strongswan.org
id = dave@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

33
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
View File

@ -1,33 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
leftfirewall=yes
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any

3
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem

10
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
View File

@ -1,12 +1,18 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
plugins {
eap-radius {
secret = gv6URkSs
server = PH_IP_ALICE
server = 10.1.0.10
filter_id = yes
}
}

53
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,53 @@
connections {
rw-allow {
local_addrs = 192.168.0.1
local {
auth = pubkey
id = moon.strongswan.org
certs = moonCert.pem
}
remote {
auth = eap-radius
id = *@strongswan.org
groups = allow
}
children {
rw-allow {
local_ts = 10.1.0.0/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
rw-isolate {
local_addrs = 192.168.0.1
local {
auth = pubkey
id = moon.strongswan.org
}
remote {
auth = eap-radius
id = *@strongswan.org
groups = isolate
}
children {
rw-isolate {
local_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}

6
testing/tests/tnc/tnccs-11-radius/posttest.dat
View File

@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
carol::service charon stop
dave::service charon stop
moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush

14
testing/tests/tnc/tnccs-11-radius/pretest.dat
View File

@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::rm /etc/swanctl/rsa/*
dave::rm /etc/swanctl/rsa/*
carol::rm /etc/swanctl/x509/*
dave::rm /etc/swanctl/x509/*
moon::service charon start
carol::service charon start
dave::service charon start
carol::expect-connection home
carol::ipsec up home
carol::swanctl --initiate --child home
dave::expect-connection home
dave::ipsec up home
dave::swanctl --initiate --child home

3
testing/tests/tnc/tnccs-11-radius/test.conf
View File

@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
#
RADIUSHOSTS="alice"
# charon controlled by swanctl
#
SWANCTL=1

1
testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
View File

@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {

1
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
View File

@ -1 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file

1
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
View File

@ -1 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file

1
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
View File

@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {

1
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1 @@
# The strongSwan IMCs are loaded by the WPA supplicant

1
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
View File

@ -1 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file

1
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
View File

@ -1 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file

1
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
View File

@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {

1
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1 @@
# The strongSwan IMCs are loaded by the WPA supplicant

33
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
View File

@ -1,33 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
leftfirewall=yes
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any

3
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem

32
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules
View File

@ -1,32 +0,0 @@
*filter
# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# allow esp
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
# allow MobIKE
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
# allow RADIUS protocol with alice
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT

13
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
View File

@ -1,13 +0,0 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
multiple_authentication=no
plugins {
eap-radius {
secret = gv6URkSs
server = PH_IP_ALICE
filter_id = yes
}
}
}

7
testing/tests/tnc/tnccs-11-supplicant/test.conf
View File

@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
TCPDUMPHOSTS=
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
IPSECHOSTS="carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
# charon controlled by swanctl
#
SWANCTL=1

13
testing/tests/tnc/tnccs-11/evaltest.dat
View File

@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

23
testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

19
testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
@ -12,6 +25,10 @@ charon {
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
plugins {
imc-test {

35
testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = eap-ttls
id = carol@strongswan.org
}
remote {
auth = eap-ttls
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
}

23
testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
View File

@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
View File

@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

19
testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imc = 3
}
}
plugins {
eap-tnc {
protocol = tnccs-1.1
@ -12,6 +25,10 @@ charon {
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
plugins {
imc-test {

35
testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,35 @@
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = eap-ttls
id = dave@strongswan.org
}
remote {
auth = eap-ttls
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

34
testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
View File

@ -1,34 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imv 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
leftfirewall=yes
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any

6
testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
View File

@ -1,6 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"

19
testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
View File

@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
}
syslog {
auth {
default = 0
}
daemon {
tnc = 3
imv = 3
}
}
plugins {
eap-ttls {
phase2_method = md5
@ -18,6 +31,10 @@ charon {
}
}
libtls {
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
plugins {
imv-test {

64
testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf Normal file
View File

@ -0,0 +1,64 @@
connections {
rw-allow {
local_addrs = 192.168.0.1
local {
auth = eap-ttls
id = moon.strongswan.org
}
remote {
auth = eap-ttls
id = *@strongswan.org
groups = allow
}
children {
rw-allow {
local_ts = 10.1.0.0/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
rw-isolate {
local_addrs = 192.168.0.1
local {
auth = eap-ttls
id = moon.strongswan.org
}
remote {
auth = eap-ttls
id = *@strongswan.org
groups = isolate
}
children {
rw-isolate {
local_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm16-modp3072
}
}
version = 2
send_certreq = no
proposals = aes128-sha256-modp3072
}
}
secrets {
eap-carol {
id = carol@strongswan.org
secret = "Ar3etTnp"
}
eap-dave {
id = dave@strongswan.org
secret = "W7R0g3do"
}
}

6
testing/tests/tnc/tnccs-11/posttest.dat
View File

@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
carol::service charon stop
dave::service charon stop
moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush

14
testing/tests/tnc/tnccs-11/pretest.dat
View File

@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::rm /etc/swanctl/rsa/*
dave::rm /etc/swanctl/rsa/*
carol::rm /etc/swanctl/x509/*
dave::rm /etc/swanctl/x509/*
moon::service charon start
carol::service charon start
dave::service charon start
carol::expect-connection home
carol::ipsec up home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::ipsec up home
dave::swanctl --initiate --child home 2> /dev/null

4
testing/tests/tnc/tnccs-11/test.conf
View File

@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave"
#
RADIUSHOSTS=
# charon controlled by swanctl
#
SWANCTL=1

Some files were not shown because too many files have changed in this diff Show More