testing: Add ikev2/reauth-mbb-revoked scenario

2015-10-27 17:42:45 +01:00 · 2015-10-27 17:42:45 +01:00 · dc57c1b817
parent d163aa5eaf
commit dc57c1b817
9 changed files with 105 additions and 0 deletions
--- a/testing/tests/ikev2/reauth-mbb-revoked/description.txt
+++ b/testing/tests/ikev2/reauth-mbb-revoked/description.txt
@ -0,0 +1,15 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
+<p/>
+Because the responder is always able to install CHILD_SAs before the initiator
+is, some traffic sent by the responder over such a CHILD_SA might get dropped by
+the initiator (until it also installed the CHILD_SA).  This is particularly
+problematic if OCSP/CRL checks are delayed or if they can also be done via the
+IPsec tunnel once it's established.  Therefore, online OCSP/CRL checks are
+suspended during the reauthentication and done afterwards. This is verified here
+by revoking the responder's certificate after the SA got initially established.
--- a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
+++ b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
@ -0,0 +1,10 @@
+winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
+winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
+carol::ipsec purgecrls
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::sleep 6
+carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
+carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::NO
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=yes
+
+conn %default
+	keylife=20m
+	ikelifetime=10s
+	rekeymargin=5s
+	rekeyfuzz=0%
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+  make_before_break = yes
+}
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=30m
+	keylife=20m
+	rekeymargin=0s
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	keyexchange=ikev2
+	auto=add
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- a/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
+++ b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
@ -0,0 +1,3 @@
+winnetou::cp /var/www/strongswan.crl.bak /var/www/strongswan.crl
+moon::ipsec stop
+carol::ipsec stop
--- a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::expect-connection home
+carol::ipsec up home
--- a/testing/tests/ikev2/reauth-mbb-revoked/test.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"