added the ikev2/rw-eap-tnc-20 scenario based on the RFC 5792 PA-TNC protocol

2011-05-30 21:31:50 +02:00 · 2011-05-30 21:31:50 +02:00 · 83348c80e4
parent 510f37abd4
commit 83348c80e4
13 changed files with 35 additions and 15 deletions
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@ -217,6 +217,16 @@ then
    echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
 fi

+if [ "$USE_IMC_TEST" = "yes" ]
+then
+    echo -n " --enable-imc-test" >> $INSTALLSHELL
+fi
+
+if [ "$USE_IMV_TEST" = "yes" ]
+then
+    echo -n " --enable-imv-test" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
    echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
--- a/testing/testing.conf
+++ b/testing/testing.conf
@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing

 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.38.5.tar.bz2

 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@ -51,6 +51,8 @@ USE_TNC_IMV="yes"
 USE_TNCCS_11="yes"
 USE_TNCCS_20="yes"
 USE_TNCCS_DYNAMIC="yes"
+USE_IMC_TEST="yes"
+USE_IMV_TEST="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
--- a/testing/tests/ikev2/rw-eap-tnc-20/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
 the clients doing EAP-MD5 password-based authentication.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>.
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate using the <b>RFC 5792 PA-TNC</b>
+protocol.
 <p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
 clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
--- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
 dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
 dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
@ -2,7 +2,7 @@

 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 2"

 conn %default
 	ikelifetime=60m
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
@ -9,3 +9,7 @@ charon {
    }
  }
 }
+
+imc-test {
+  command = allow
+}
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
@ -1,4 +1,3 @@
 #IMC configuration file for strongSwan client 

-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
+IMC "Test"	/usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
@ -2,7 +2,7 @@

 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 2"

 conn %default
 	ikelifetime=60m
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
@ -9,3 +9,7 @@ charon {
    }
  }
 }
+
+imc-test {
+  command = isolate
+}
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
@ -1,4 +1,3 @@
 #IMC configuration file for strongSwan client 

-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
+IMC "Test"	/usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imv 2"

 conn %default
 	ikelifetime=60m
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
@ -14,3 +14,7 @@ charon {
    }
  }
 }
+
+imv-test {
+  rounds = 1
+}
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
@ -1,4 +1,3 @@
 #IMV configuration file for strongSwan server 

-IMV "Dummy"		/usr/local/lib/libdummyimv.so
-#IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
+IMV "Test"	/usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so