removed tests
parent
d9a883c337
commit
92069df82f
|
@ -21,20 +21,20 @@ UMLTESTDIR=~/strongswan-testing
|
|||
|
||||
# Bzipped kernel sources
|
||||
# (file extension .tar.bz2 required)
|
||||
KERNEL=$UMLTESTDIR/linux-2.6.16.19.tar.bz2
|
||||
KERNEL=$UMLTESTDIR/linux-2.6.17.3.tar.bz2
|
||||
|
||||
# Extract kernel version
|
||||
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
|
||||
|
||||
# Kernel configuration file
|
||||
KERNELCONFIG=$UMLTESTDIR/.config-2.6.16
|
||||
KERNELCONFIG=$UMLTESTDIR/.config-2.6.17
|
||||
|
||||
# Bzipped uml patch for kernel
|
||||
# (not needed anymore for 2.6.9 kernel or higher)
|
||||
UMLPATCH=
|
||||
|
||||
# Bzipped source of strongSwan
|
||||
STRONGSWAN=$UMLTESTDIR/strongswan-4.0.1.tar.bz2
|
||||
STRONGSWAN=$UMLTESTDIR/strongswan-4.0.2.tar.bz2
|
||||
|
||||
# strongSwan compile options (use "yes" or "no")
|
||||
USE_LIBCURL="yes"
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
|
||||
<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
|
||||
<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
|
||||
<b>alice</b> successfully checks the established tunnel.
|
|
@ -1,9 +0,0 @@
|
|||
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
|
||||
carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
|
||||
moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
|
||||
carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
ike=blowfish256-sha2_512-modp4096!
|
||||
esp=blowfish256-sha2_256!
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,27 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
ike=blowfish256-sha2_512-modp4096!
|
||||
esp=blowfish256-sha2_256!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,5 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
|
||||
<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
|
||||
<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
|
||||
<b>alice</b> successfully checks the established tunnel.
|
|
@ -1,9 +0,0 @@
|
|||
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
|
||||
carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
|
||||
moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
|
||||
carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
ike=serpent256-sha2_512-modp4096!
|
||||
esp=serpent256-sha2_256!
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,27 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
ike=serpent256-sha2_512-modp4096!
|
||||
esp=serpent256-sha2_256!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,5 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite
|
||||
<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and
|
||||
<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
|
||||
<b>alice</b> successfully checks the established tunnel.
|
|
@ -1,9 +0,0 @@
|
|||
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
|
||||
carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
|
||||
moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
|
||||
carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
ike=aes128-sha2_256-modp1536!
|
||||
esp=aes128-sha2_256!
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,27 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
ike=aes128-sha2_256-modp1536!
|
||||
esp=aes128-sha2_256!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,5 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
|
||||
<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
|
||||
<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
|
||||
<b>alice</b> successfully checks the established tunnel.
|
|
@ -1,8 +0,0 @@
|
|||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
|
||||
carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
|
||||
moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
|
||||
carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
ike=twofish256-sha2_512-modp4096!
|
||||
esp=twofish256-sha2_256!
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,27 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
ike=twofish256-sha2_512-modp4096!
|
||||
esp=twofish256-sha2_256!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,5 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
|
||||
<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
|
||||
is granted to members of the group 'Research' whereas <b>venus</b> can only
|
||||
be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
|
||||
<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
|
||||
respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
|
||||
can reach <b>venus</b>.
|
|
@ -1,12 +0,0 @@
|
|||
carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES
|
||||
moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
|
||||
moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES
|
||||
moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
|
||||
dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES
|
||||
moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
|
||||
moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES
|
||||
moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
|
|
@ -1,34 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
|
||||
conn alice
|
||||
rightsubnet=PH_IP_ALICE/32
|
||||
auto=add
|
||||
|
||||
conn venus
|
||||
rightsubnet=PH_IP_VENUS/32
|
||||
auto=add
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_DAVE
|
||||
leftnexthop=%direct
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
|
||||
conn alice
|
||||
rightsubnet=PH_IP_ALICE/32
|
||||
auto=add
|
||||
|
||||
conn venus
|
||||
rightsubnet=PH_IP_VENUS/32
|
||||
auto=add
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn alice
|
||||
leftsubnet=PH_IP_ALICE/32
|
||||
right=%any
|
||||
rightgroups=Research
|
||||
auto=add
|
||||
|
||||
conn venus
|
||||
leftsubnet=PH_IP_VENUS/32
|
||||
right=%any
|
||||
rightgroups="Accounting, Sales"
|
||||
auto=add
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
|
||||
cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI
|
||||
wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6
|
||||
dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC
|
||||
fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB
|
||||
CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf
|
||||
NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC
|
||||
AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6
|
||||
5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
|
||||
Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
|
||||
bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
|
||||
QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
|
||||
b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg
|
||||
CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR
|
||||
aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY
|
||||
ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw
|
||||
YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v
|
||||
Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov
|
||||
wTLSA/z7c8nVCVoZI9Y=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj
|
||||
yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl
|
||||
BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf
|
||||
jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW
|
||||
C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi
|
||||
U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs
|
||||
cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K
|
||||
7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/
|
||||
zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2
|
||||
nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr
|
||||
zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n
|
||||
SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W
|
||||
G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq
|
||||
yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF
|
||||
IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO
|
||||
18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka
|
||||
wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf
|
||||
TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB
|
||||
mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7
|
||||
PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU
|
||||
+THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS
|
||||
4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9
|
||||
eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg
|
||||
lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro
|
||||
n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
|
||||
T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
|
||||
vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
|
||||
S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
|
||||
LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
|
||||
YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
|
||||
j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
|
||||
d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
|
||||
b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
|
||||
U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
|
||||
2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
|
||||
HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
|
||||
hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
|
||||
C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
|
||||
omBYfxqp
|
||||
-----END CERTIFICATE-----
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
|
||||
bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
|
||||
DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
|
||||
2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
|
||||
LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
|
||||
RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
|
||||
UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
|
||||
98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
|
||||
ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
|
||||
+Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
|
||||
CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
|
||||
ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
|
||||
d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
|
||||
b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
|
||||
8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
|
||||
Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
|
||||
P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
|
||||
UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
|
||||
0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
|
||||
5qILUTmI
|
||||
-----END CERTIFICATE-----
|
|
@ -1,4 +0,0 @@
|
|||
--cert /etc/ipsec.d/aacerts/aaCert.pem
|
||||
--key /etc/openac/aaKey.pem
|
||||
--quiet
|
||||
--hours 8
|
|
@ -1,6 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::rm /etc/openac/*
|
||||
moon::rm /etc/ipsec.d/aacerts/aaCert.pem
|
||||
moon::rm /etc/ipsec.d/acerts/*
|
|
@ -1,12 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::cat /etc/openac/default.conf
|
||||
moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem
|
||||
moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up alice
|
||||
carol::ipsec up venus
|
||||
dave::ipsec up venus
|
||||
dave::ipsec up alice
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
|
@ -1,3 +0,0 @@
|
|||
This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
|
||||
gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
|
||||
the established tunnel with compression.
|
|
@ -1,10 +0,0 @@
|
|||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec statusall::policy.*COMPRESS::YES
|
||||
carol::ipsec statusall::policy.*COMPRESS::YES
|
||||
moon::ipsec statusall::comp.::YES
|
||||
carol::ipsec statusall::comp.::YES
|
||||
carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
|
||||
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
compress=yes
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
compress=yes
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,5 +0,0 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
|
||||
an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
|
||||
their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
|
||||
the certificate received from their peer.
|
|
@ -1,10 +0,0 @@
|
|||
moon::cat /var/log/auth.log::loaded crl file::YES
|
||||
carol::cat /var/log/auth.log::loaded crl file::YES
|
||||
moon::cat /var/log/auth.log::X.509 certificate rejected::NO
|
||||
carol::cat /var/log/auth.log::X.509 certificate rejected::NO
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::cat /var/log/auth.log::written crl file::NO
|
||||
carol::cat /var/log/auth.log::written crl file::NO
|
||||
moon::ipsec listcrls:: ok::YES
|
||||
carol::ipsec listcrls:: ok::YES
|
|
@ -1,26 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
|
||||
conn home
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,37 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn net-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=PH_IP_SUN
|
||||
rightsubnet=10.2.0.0/16
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn rw
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::rm /etc/ipsec.d/crls/*
|
||||
carol::rm /etc/ipsec.d/crls/*
|
|
@ -1,8 +0,0 @@
|
|||
moon::wget -q http://crl.strongswan.org/strongswan.crl
|
||||
moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
|
||||
carol::wget -q http://crl.strongswan.org/strongswan.crl
|
||||
carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,9 +0,0 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
|
||||
the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
|
||||
available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
|
||||
because the web server is currently not reachable. Thus the second Main Mode negotiation
|
||||
fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
|
||||
is triggered. When the third Main Mode trial comes around, the fetched CRL has become
|
||||
available and the IKE negotiation completes. The new CRL is again cached locally as a
|
||||
file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
|
|
@ -1,16 +0,0 @@
|
|||
moon::cat /var/log/auth.log::loaded crl file::YES
|
||||
carol::cat /var/log/auth.log::loaded crl file::YES
|
||||
moon::cat /var/log/auth.log::crl update is overdue::YES
|
||||
carol::cat /var/log/auth.log::crl update is overdue::YES
|
||||
moon::cat /var/log/auth.log::X.509 certificate rejected::YES
|
||||
carol::cat /var/log/auth.log::X.509 certificate rejected::YES
|
||||
moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
|
||||
carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
|
||||
moon::cat /var/log/auth.log::Trying LDAP URL::YES
|
||||
carol::cat /var/log/auth.log::Trying LDAP URL::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::cat /var/log/auth.log::written crl file::YES
|
||||
carol::cat /var/log/auth.log::written crl file::YES
|
||||
moon::ipsec listcrls:: ok::YES
|
||||
carol::ipsec listcrls:: ok::YES
|
|
@ -1,73 +0,0 @@
|
|||
#!/sbin/runscript
|
||||
# Copyright 1999-2004 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
opts="start stop reload"
|
||||
|
||||
depend() {
|
||||
before net
|
||||
need logger
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting firewall"
|
||||
|
||||
# default policy is DROP
|
||||
/sbin/iptables -P INPUT DROP
|
||||
/sbin/iptables -P OUTPUT DROP
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow ldap crl fetch from winnetou
|
||||
iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
|
||||
if [ $a == nat ]; then
|
||||
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||
elif [ $a == mangle ]; then
|
||||
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||
elif [ $a == filter ]; then
|
||||
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||
fi
|
||||
done
|
||||
eend $?
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Flushing firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
done;
|
||||
eend $?
|
||||
start
|
||||
}
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
Binary file not shown.
|
@ -1,76 +0,0 @@
|
|||
#!/sbin/runscript
|
||||
# Copyright 1999-2004 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
opts="start stop reload"
|
||||
|
||||
depend() {
|
||||
before net
|
||||
need logger
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting firewall"
|
||||
|
||||
# enable IP forwarding
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# default policy is DROP
|
||||
/sbin/iptables -P INPUT DROP
|
||||
/sbin/iptables -P OUTPUT DROP
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow ldap crl fetch from winnetou
|
||||
iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
|
||||
if [ $a == nat ]; then
|
||||
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||
elif [ $a == mangle ]; then
|
||||
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||
elif [ $a == filter ]; then
|
||||
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||
fi
|
||||
done
|
||||
eend $?
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Flushing firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
done;
|
||||
eend $?
|
||||
start
|
||||
}
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=2
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
|
||||
conn net-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=PH_IP_SUN
|
||||
rightsubnet=10.2.0.0/16
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn rw
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
Binary file not shown.
|
@ -1,9 +0,0 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
winnetou::/etc/init.d/slapd stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/crls/*
|
||||
carol::rm /etc/ipsec.d/crls/*
|
|
@ -1,7 +0,0 @@
|
|||
winnetou::/etc/init.d/slapd start
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,7 +0,0 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
|
||||
the connection and no current CRL is available, the Main Mode negotiation fails
|
||||
and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
|
||||
When the second Main Mode trial comes around the fetched CRL will be available
|
||||
but because the certificate presented by carol has been revoked,
|
||||
the IKE negotatiation will fail.
|
|
@ -1,6 +0,0 @@
|
|||
moon::cat /var/log/auth.log::X.509 certificate rejected::YES
|
||||
moon::cat /var/log/auth.log::certificate was revoked::YES
|
||||
carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
|
||||
moon::ipsec listcrls:: ok::YES
|
||||
moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
|
||||
carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
|
|
@ -1,25 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolRevokedCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
|
||||
conn home
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
|
||||
mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
|
||||
5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
|
||||
VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
|
||||
IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
|
||||
K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
|
||||
OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
|
||||
d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
|
||||
b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
|
||||
56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
|
||||
2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
|
||||
O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
|
||||
LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
|
||||
wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
|
||||
9IcgYi5x
|
||||
-----END CERTIFICATE-----
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
|
||||
hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
|
||||
v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
|
||||
HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
|
||||
vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
|
||||
UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
|
||||
WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
|
||||
OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
|
||||
og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
|
||||
MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
|
||||
khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
|
||||
uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
|
||||
a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
|
||||
7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
|
||||
rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
|
||||
ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
|
||||
IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
|
||||
CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
|
||||
baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
|
||||
TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
|
||||
r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
|
||||
jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
|
||||
46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
|
||||
o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
|
||||
9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolRevokedKey.pem
|
|
@ -1,36 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn net-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=PH_IP_SUN
|
||||
rightsubnet=10.2.0.0/16
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn rw
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
carol::rm /etc/ipsec.d/private/*
|
||||
carol::rm /etc/ipsec.d/certs/*
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,6 +0,0 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
|
||||
the connection and no current CRL is available, the Main Mode negotiation fails
|
||||
but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
|
||||
When the second Main Mode trial comes around, the fetched CRL will be available
|
||||
and the IKE negotiation completes.
|
|
@ -1,8 +0,0 @@
|
|||
moon::cat /var/log/auth.log::X.509 certificate rejected::YES
|
||||
carol::cat /var/log/auth.log::X.509 certificate rejected::YES
|
||||
moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
|
||||
carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec listcrls:: ok::YES
|
||||
carol::ipsec listcrls:: ok::YES
|
|
@ -1,25 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
|
||||
conn home
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,36 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn net-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=PH_IP_SUN
|
||||
rightsubnet=10.2.0.0/16
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
||||
|
||||
conn rw
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,2 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,6 +0,0 @@
|
|||
By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
|
||||
via http from the web server <b>winnetou</b> is saved locally in the
|
||||
directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
|
||||
and the gateway <b>moon</b> when the IPsec connection is set up. The
|
||||
<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
|
||||
is used as a unique filename for the cached CRL.
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
|
||||
carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
|
|
@ -1,25 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
|
||||
conn home
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,24 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
cachecrls=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn rw
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::rm /etc/ipsec.d/crls/*
|
||||
carol::rm /etc/ipsec.d/crls/*
|
|
@ -1,4 +0,0 @@
|
|||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,8 +0,0 @@
|
|||
Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
|
||||
and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
|
||||
and a self-signed X.509 certificate. Because the UML testing environment does
|
||||
not offer enough entropy, the non-blocking /dev/urandom device is used in place
|
||||
of /dev/random for generating the random primes.
|
||||
<p>
|
||||
The self-signed certificates are then distributed to the peers via scp
|
||||
and are used to set up a road warrior connection initiated by <b>carol</b>
|
|
@ -1,7 +0,0 @@
|
|||
carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
|
||||
moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
|
@ -1,27 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=0
|
||||
strictcrlpolicy=no
|
||||
nocrsend=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=selfCert.der
|
||||
leftsendcert=never
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightcert=peerCert.der
|
||||
auto=add
|
|
@ -1,78 +0,0 @@
|
|||
#!/sbin/runscript
|
||||
# Copyright 1999-2004 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
opts="start stop reload"
|
||||
|
||||
depend() {
|
||||
before net
|
||||
need logger
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting firewall"
|
||||
|
||||
# enable IP forwarding
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# default policy is DROP
|
||||
/sbin/iptables -P INPUT DROP
|
||||
/sbin/iptables -P OUTPUT DROP
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
|
||||
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
|
||||
if [ $a == nat ]; then
|
||||
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||
elif [ $a == mangle ]; then
|
||||
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||
elif [ $a == filter ]; then
|
||||
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||
fi
|
||||
done
|
||||
eend $?
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Flushing firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
done;
|
||||
eend $?
|
||||
start
|
||||
}
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
version 2.0 # conforms to second version of ipsec.conf specification
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=0
|
||||
strictcrlpolicy=no
|
||||
nocrsend=yes
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn carol
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=selfCert.der
|
||||
leftsendcert=never
|
||||
leftfirewall=yes
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightcert=peerCert.der
|
||||
auto=add
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::rm /etc/ipsec.d/private/*
|
||||
carol::rm /etc/ipsec.d/certs/*
|
||||
moon::rm /etc/ipsec.d/private/*
|
||||
moon::rm /etc/ipsec.d/certs/*
|
|
@ -1,18 +0,0 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::rm /etc/ipsec.secrets
|
||||
carol::rm /etc/ipsec.d/private/*
|
||||
carol::rm /etc/ipsec.d/certs/*
|
||||
carol::rm /etc/ipsec.d/cacerts/*
|
||||
carol::ipsec start
|
||||
moon::rm /etc/ipsec.secrets
|
||||
moon::rm /etc/ipsec.d/private/*
|
||||
moon::rm /etc/ipsec.d/certs/*
|
||||
moon::rm /etc/ipsec.d/cacerts/*
|
||||
moon::ipsec start
|
||||
moon::sleep 4
|
||||
moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
|
||||
moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
|
||||
moon::ipsec reload
|
||||
carol::ipsec reload
|
||||
carol::ipsec up home
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -1,7 +0,0 @@
|
|||
The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
|
||||
tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
|
||||
directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
|
||||
using destination NAT. UDP encapsulation is used to traverse the NAT routers.
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
|
||||
let pass the tunneled traffic. In order to test the double NAT-ed IPsec
|
||||
tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
|