testing: Converted ipv6/net2net-rfc3779-ikev2 to swanctl

testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt

@@ -1,11 +1,14 @@
-An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
-It connects the two subnets hiding behind their respective gateways. The authentication is based on
-<b>X.509 certificates</b> containing <b>RFC 3779 IP address block constraints</b>.
-Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=::/0</b> thus allowing the peers to narrow down
-the address range to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively.
-These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints.
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is
+successfully set up. It connects the two subnets hiding behind their respective
+gateways. The authentication is based on <b>X.509 certificates</b> containing
+<b>RFC 3779 IP address block constraints</b>. Both <b>moon</b> and <b>sun</b> set
+<b>rightsubnet=::/0</b> thus allowing the peers to narrow down the address range
+to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively.
+These unilaterally proposed traffic selectors must be validated by corresponding
+IP address block constraints.
 <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
-sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
+Upon the successful establishment of the IPsec tunnel, automatically inserted
+ip6tables-based firewall rules let pass the tunneled traffic. In order to test
+both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind
+<b>moon</b> sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b>
+using the ping6 command.

testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat

@@ -1,9 +1,7 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
 sun::  cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf

@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-	cacert=strongswanCert.pem
-	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
-	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net
-	also=host-host
-	leftsubnet=fec1::0/16
-	rightsubnet=0::0/0
-
-conn host-host
-	left=PH_IP6_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=PH_IP6_SUN
-	rightid=@sun.strongswan.org
-	auto=add

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf

@@ -1,6 +1,18 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  hash_and_url = yes
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
+
+  syslog {
+    daemon {
+      default = 1
+    }
+    auth {
+      default = 0
+    }
+  }
 }

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,36 @@
+connections {
+
+   net-net {
+      local_addrs  = fec0::1
+      remote_addrs = fec0::2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = fec1::0/16
+            remote_ts = 0::0/0
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+   strongswan {
+      cacert = strongswanCert.pem
+      crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+   }
+}

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf

@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-	cacert=strongswanCert.pem
-	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
-	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net
-	also=host-host
-	leftsubnet=fec2::0/16
-	rightsubnet=0::0/0
-
-conn host-host
-	left=PH_IP6_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-	right=PH_IP6_MOON
-	rightid=@moon.strongswan.org
-	auto=add

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf

@@ -1,6 +1,19 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  hash_and_url = yes
-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
+
+  syslog {
+    daemon {
+      default = 1
+    }
+    auth {
+      default = 0
+    }
+  }
+
 }

testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,36 @@
+connections {
+
+   net-net {
+      local_addrs  = fec0::2
+      remote_addrs = fec0::1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = fec2::0/16
+            remote_ts = 0::0/0
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+   strongswan {
+      cacert = strongswanCert.pem
+      crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+   }
+}

testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat

@@ -1,5 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"

testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat

@@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
-moon::ipsec start
-sun::ipsec start
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
 moon::expect-connection net-net
 sun::expect-connection net-net
-moon::ipsec up net-net
+moon::swanctl --initiate --child net-net

testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf

@@ -6,7 +6,7 @@
 # All guest instances that are required for this test
 #
 VIRTHOSTS="alice moon winnetou sun bob"
- 
+
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
@@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
 # IP protocol used by IPsec is IPv6
 #
 IPV6=1
+
+# charon controlled by swanctl
+#
+SWANCTL=1