testing: Add ikev2/trap-any scenario
This commit is contained in:
parent
301a0bad09
commit
bb1d9e454d
|
@ -0,0 +1,7 @@
|
|||
The hosts <b>moon</b>, <b>sun</b> and <b>dave</b> install <b>transport-mode</b> trap
|
||||
policies with <b>right=%any</b>. The remote host is dynamically determined based on
|
||||
the acquires received from the kernel. Host <b>dave</b> additionally limits the remote
|
||||
hosts to <b>moon</b> and <b>sun</b> with <b>rightsubnet</b>. This is tested by
|
||||
pinging <b>sun</b> and <b>carol</b> from <b>moon</b>, <b>carol</b> from <b>sun</b>, and
|
||||
<b>sun</b> and <b>moon</b> from <b>dave</b>. The latter also pings <b>carol</b>, which
|
||||
is not going to be encrypted as <b>carol</b> is not part of the configured <b>rightsubnet</b>.
|
|
@ -0,0 +1,33 @@
|
|||
moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
|
||||
moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
|
||||
sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
|
||||
dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
|
||||
dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
|
||||
dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
|
||||
moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
|
||||
moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
|
||||
moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
|
||||
sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
|
||||
sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
|
||||
sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
|
||||
dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
|
||||
dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
|
||||
carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
|
||||
carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
|
||||
carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
|
||||
moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
|
||||
sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
|
||||
dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
|
||||
carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
|
||||
carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
|
|
@ -0,0 +1,16 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="knl 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn trap-any
|
||||
right=%any
|
||||
type=transport
|
||||
authby=psk
|
||||
auto=add
|
|
@ -0,0 +1 @@
|
|||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="knl 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn trap-any
|
||||
right=%any
|
||||
rightsubnet=192.168.0.0/30
|
||||
type=transport
|
||||
authby=psk
|
||||
auto=route
|
||||
|
|
@ -0,0 +1 @@
|
|||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="knl 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
# to access the host via SSH in the test environment
|
||||
conn pass-ssh
|
||||
authby=never
|
||||
leftsubnet=0.0.0.0/0[tcp/22]
|
||||
rightsubnet=0.0.0.0/0[tcp]
|
||||
type=pass
|
||||
auto=route
|
||||
|
||||
conn trap-any
|
||||
right=%any
|
||||
type=transport
|
||||
authby=psk
|
||||
auto=route
|
|
@ -0,0 +1 @@
|
|||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="knl 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
# to access the host via SSH in the test environment
|
||||
conn pass-ssh
|
||||
authby=never
|
||||
leftsubnet=0.0.0.0/0[tcp/22]
|
||||
rightsubnet=0.0.0.0/0[tcp]
|
||||
type=pass
|
||||
auto=route
|
||||
|
||||
conn trap-any
|
||||
right=%any
|
||||
type=transport
|
||||
authby=psk
|
||||
auto=route
|
||||
|
|
@ -0,0 +1 @@
|
|||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
|
@ -0,0 +1,5 @@
|
|||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::sleep 1
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="moon winnetou sun carol dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d-s.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun carol"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun carol dave"
|
Loading…
Reference in New Issue