enabled firewall support

Andreas Steffen 2006-09-18 07:41:54 +00:00
parent f9aa9e2977
commit 957115957a
36 changed files with 94 additions and 32 deletions

View File

@ -1,4 +1,4 @@
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>. <b>carol</b> initiates
the connection and presents a certificate that has been revoked by the
current CRL.Therefore the IKE negotiation fails
both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
initiates the connection and presents a certificate that has been revoked by the
current CRL causing the IKE negotiation to fail.
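Review bot: the rewritten paragraph calls the same host "roadwarrior <b>carol</b>" in its first line and "The remote host <b>carol</b>" in its second; the other scenario descriptions in this commit use "roadwarrior" throughout, so keeping that term here avoids suggesting two different hosts. Otherwise the rewrite is an improvement: it fixes the missing space in "CRL.Therefore" and joins the two sentences into one.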

View File

@ -1,2 +1,2 @@
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>.

View File

@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftcert=selfCert.der
leftsendcert=never
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightcert=peerCert.der
keyexchange=ikev2
auto=add
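Review bot: besides adding leftfirewall=yes, this hunk relocates keyexchange=ikev2 from conn home into conn %default, and the same relocation is repeated in the moon, host-host, and net-net configurations below. With a single conn per file the effect is nil, but it is a change in scope (every future conn in these files inherits IKEv2) that has nothing to do with firewall support and is not mentioned in the commit message, which reads only "enabled firewall support"; either split it into its own commit or say so in the message.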

View File

@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn carol
left=PH_IP_MOON
@ -16,8 +17,7 @@ conn carol
leftcert=selfCert.der
leftsendcert=never
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
rightcert=peerCert.der
keyexchange=ikev2
auto=add

View File

@ -1,5 +1,9 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
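Review bot: the ordering here is the right one: `ipsec stop` runs before `/etc/init.d/iptables stop`, so the updown script can remove the rules it inserted while the ruleset is still live. Since this scenario expects the IKE negotiation to fail on the revoked certificate, the added `iptables -v -n -L` on both hosts is effectively the check that no tunnel rules were inserted for a connection that never came up; it is worth evaluating that listing for the absence of such rules rather than only dumping it for inspection.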

View File

@ -1,4 +1,5 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
carol::rm /etc/ipsec.secrets
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
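Review bot: `2> /dev/null` on both `/etc/init.d/iptables start` lines hides a failed start, and nothing afterwards verifies that the firewall is actually up. If the init script fails, the scenario runs without any firewall and the posttest listing shows an empty ruleset, which looks exactly like "no rules were inserted" and lets the test pass for the wrong reason. Suggest dropping the redirection, or checking the return code of the start so a missing firewall fails the scenario instead of passing it.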

View File

@ -1,3 +1,4 @@
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
The authentication is based on X.509 certificates.
The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
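Review bot: the last line still reads "In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>", but with leftfirewall=yes the ping now also exercises the inserted iptables rules; the net-net description in this same commit says "In order to test both tunnel and firewall", and this one should be brought in line with it. Minor wording, here and in the other descriptions that copy the sentence: "rules that let pass the tunneled traffic" reads better as "rules that let the tunneled traffic pass".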

View File

@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn host-host
left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
keyexchange=ikev2
auto=add

View File

@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn host-host
left=PH_IP_SUN
leftnexthop=%direct
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
keyexchange=ikev2
auto=add

View File

@ -1,2 +1,6 @@
moon::iptables -v -n -L
sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null

View File

@ -1,3 +1,5 @@
moon::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 1

View File

@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn host-host
right=PH_IP_MOON
rightnexthop=%direct
rightcert=moonCert.pem
rightid=@moon.strongswan.org
rightfirewall=yes
left=PH_IP_SUN
leftid=@sun.strongswan.org
keyexchange=ikev2
auto=add
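Review bot: in this swapped variant the local gateway is configured as the `right` side (right=PH_IP_MOON, rightcert=moonCert.pem), so the keyword added is rightfirewall=yes rather than leftfirewall=yes, which is consistent with the rest of the file. Any description text for this scenario that copies the "<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules" sentence from the other scenarios would then name the wrong keyword; please check that it says rightfirewall=yes here.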

View File

@ -9,13 +9,14 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn host-host
right=PH_IP_SUN
rightnexthop=%direct
rightcert=sunCert.pem
rightid=@sun.strongswan.org
rightfirewall=yes
left=PH_IP_MOON
leftid=@moon.strongswan.org
keyexchange=ikev2
auto=add

View File

@ -1,2 +1,6 @@
moon::iptables -v -n -L
sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null

View File

@ -1,3 +1,5 @@
moon::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 1

View File

@ -1,4 +1,6 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b>.
The authentication is based on <b>X.509 certificates</b>. Upon the successful
establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.

View File

@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn net-net
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
keyexchange=ikev2
auto=add

View File

@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
keyexchange=ikev2
auto=add

View File

@ -1,5 +1,9 @@
moon::iptables -v -n -L
sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
sun::rm /etc/ipsec.d/crls/*
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
sun::rm /etc/ipsec.d/crls/*

View File

@ -1,5 +1,5 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
sun::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
moon::ipsec start
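Review bot: `/etc/init.d/iptables start` is now placed before the `wget -q` that fetches strongswan.crl from crl.strongswan.org, so the firewall policy on both gateways must permit that outbound HTTP request. If it does not, `wget -q` fails silently, /etc/ipsec.d/crls/ stays empty after the posttest cleanup, and the scenario exercises CRL handling without a CRL. Either start iptables after the fetch or drop `-q` so a failed download shows up in the console output. (Fetching over plain HTTP is fine here: the CRL carries the CA's signature, which is what protects its integrity.)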

View File

@ -4,3 +4,6 @@ on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
leads to the automatic establishment of the subnet-to-subnet tunnel.
<p>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
that let pass the tunneled traffic.

View File

@ -17,6 +17,7 @@ conn net-net
leftsubnet=10.1.0.0/16
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org

View File

@ -9,14 +9,15 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
keyexchange=ikev2
auto=add

View File

@ -1,2 +1,6 @@
moon::iptables -v -n -L
sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null

View File

@ -1,5 +1,5 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
moon::sleep 2

View File

@ -3,3 +3,6 @@ respectively, is automatically established by means of the setting
<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
gateway <b>sun</b>.
<p>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
that let pass the tunneled traffic.

View File

@ -9,12 +9,12 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
leftnexthop=%direct
keyexchange=ikev2
conn net-net
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
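Review bot: besides adding leftfirewall=yes, this hunk moves leftnexthop=%direct out of conn %default and into conn net-net (compare the sun side below, which adds leftnexthop=%direct to its conn net-net as well). Narrowing the setting to one connection is harmless if net-net is the only conn in the file, but it is unrelated to firewall support and not covered by the commit message; keep it as a separate change or mention it.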

View File

@ -9,14 +9,16 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
leftnexthop=%direct
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
keyexchange=ikev2
auto=add

View File

@ -1,2 +1,6 @@
moon::iptables -v -n -L
sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null

View File

@ -1,5 +1,5 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
sun::ipsec start
sun::sleep 2
moon::ipsec start

View File

@ -1,4 +1,6 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
The authentication is based on <b>X.509 certificates</b>.
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
<b>alice</b> behind the gateway <b>moon</b>.
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.

View File

@ -15,6 +15,7 @@ conn home
leftnexthop=%direct
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16

View File

@ -15,6 +15,7 @@ conn home
leftnexthop=%direct
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16

View File

@ -16,6 +16,7 @@ conn rw
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
keyexchange=ikev2
auto=add
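Review bot: on the gateway side `conn rw` has right=%any, so with leftfirewall=yes the updown script is invoked once per established tunnel and inserts a rule pair for each roadwarrior that connects (carol and dave in this scenario), removing it again when that tunnel goes down. The posttest `iptables -v -n -L` on moon should therefore be evaluated for both peers' addresses, not for a single rule pair, and the listing taken before `ipsec stop` is the only point at which those rules are still visible.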

View File

@ -1,6 +1,12 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
dave::rm /etc/ipsec.d/crls/*

View File

@ -1,4 +1,6 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl