diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index 182feab7d..03ef748fc 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -217,6 +217,16 @@ then echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL fi +if [ "$USE_IMC_TEST" = "yes" ] +then + echo -n " --enable-imc-test" >> $INSTALLSHELL +fi + +if [ "$USE_IMV_TEST" = "yes" ] +then + echo -n " --enable-imv-test" >> $INSTALLSHELL +fi + if [ "$USE_SQL" = "yes" ] then echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL diff --git a/testing/testing.conf b/testing/testing.conf index 9b5609424..075f43cf1 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.38.5.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` @@ -51,6 +51,8 @@ USE_TNC_IMV="yes" USE_TNCCS_11="yes" USE_TNCCS_20="yes" USE_TNCCS_DYNAMIC="yes" +USE_IMC_TEST="yes" +USE_IMV_TEST="yes" USE_SQL="yes" USE_MEDIATION="yes" USE_OPENSSL="yes" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt index 6a9c5dde8..410ccca84 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/description.txt +++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt @@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific the clients doing EAP-MD5 password-based authentication. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. +compliant with RFC 5793 PB-TNC. The IMC and IMV communicate using the RFC 5792 PA-TNC +protocol.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat index d334a9b97..737c9b9ef 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat @@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES -moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES -moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf index c19192dae..847ca2e7f 100755 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf 
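Review bot: The two replacement checks in evaltest.dat, `added group membership 'allow'` and `added group membership 'isolate'`, no longer name a peer, whereas the removed auth.log lines asserted `policy enforced on peer 'carol@strongswan.org' is 'allow'` and the same for dave with 'isolate'. As written, moon's daemon.log would satisfy both patterns even if the two group assignments were swapped. On the gateway side the client-to-group binding now rests only on the two `ipsec statusall` lines at the end of the hunk. If the new log message also carries the peer identity (not visible on this page), I would extend each pattern to include it, so the scenario still fails when the wrong client lands in the wrong group.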
@@ -2,7 +2,7 @@ config setup plutostart=no - charondebug="tls 2, tnc 3" + charondebug="tnc 3, imc 2" conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf index b2aa2806a..7ee4cbc05 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf @@ -9,3 +9,7 @@ charon { } } } + +imc-test { + command = allow +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config index d2fabe109..d3d574c17 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config @@ -1,4 +1,3 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so -#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf index 7d5ea8b83..f0ad4721f 100755 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup plutostart=no - charondebug="tls 2, tnc 3" + charondebug="tnc 3, imc 2" conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf index b2aa2806a..79f166da8 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf @@ -9,3 +9,7 @@ charon { } } } + +imc-test { + command = isolate +} 
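Review bot: The new `imc-test { command = allow }` section in carol's strongswan.conf is undocumented, and it appears to let the client's own configuration choose the assessment outcome. Dave's copy uses `command = isolate`, which matches the description's "carol passes the health test and dave fails". Anyone reusing this file as a template should be told that no measurement is involved, so I would add `# test fixture: fixed result reported by the Test IMC, no real measurement` above the section in both files. This reading is inferred from the two values and the scenario description, so please check the wording against the plugin.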
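Review bot: The new `IMC "Test"` line in carol's tnc_config hard-codes `/usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so`, and nothing in the file says what produces that library. Going by the build-umlrootfs and testing.conf hunks of this commit, it is only built when `USE_IMC_TEST="yes"` adds `--enable-imc-test`. The same applies to dave's tnc_config and to moon's `IMV "Test"` line with `USE_IMV_TEST`. Since the object is referenced by absolute path, a build without the switch or with a different prefix would presumably only surface as a failed TNC exchange at run time. I would add `# needs USE_IMC_TEST="yes" in testing.conf` under the existing header comment, with the IMV variant on moon.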
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config index d2fabe109..d3d574c17 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config @@ -1,4 +1,3 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so -#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf index 50514c99f..9eec48402 100755 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf @@ -3,7 +3,7 @@ config setup strictcrlpolicy=no plutostart=no - charondebug="tls 2, tnc 3" + charondebug="tnc 3, imv 2" conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf index b76c1cd55..2bc6bec54 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf @@ -14,3 +14,7 @@ charon { } } } + +imv-test { + rounds = 1 +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config index 140caa98f..0b5ff5740 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -1,4 +1,3 @@ #IMV configuration file for strongSwan server -IMV "Dummy" /usr/local/lib/libdummyimv.so -#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so +IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so