testing: Add pfkey/shunt-policies-nat-rw scenario

2014-06-26 15:46:39 +02:00 · 2014-06-26 15:46:39 +02:00 · 73211f9b74
parent f22add05f6
commit 73211f9b74
13 changed files with 175 additions and 0 deletions
--- a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
@ -1,3 +1,5 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
 venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
--- a/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway.  In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
--- a/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%any
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftsourceip=%config
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
+
+conn local-net
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
+	authby=never
+	type=pass
+	auto=route
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=0.0.0.0/0
+	right=%any
+	rightsourceip=10.3.0.0/28
+	auto=add
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+}
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%any
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftsourceip=%config
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
+
+conn local-net
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
+	authby=never
+	type=pass
+	auto=route
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
--- a/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
--- a/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
--- a/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"