ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

testing: migrated openssl-ikev2/critical-extension to swanctl

This commit is contained in:
Andreas Steffen 2018-11-12 11:50:05 +01:00
parent 97493cbe17
commit e259ff3979
13 changed files with 73 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
testing/tests/openssl-ikev2/critical-extension/description.txt
View File

@ -1,5 +1,5 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
<b>sun</b> discards such certificates and aborts the connection setup.

2
testing/tests/openssl-ikev2/critical-extension/evaltest.dat
View File

@ -1,6 +1,4 @@
moon::cat /var/log/daemon.log::sending end entity cert::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES

4
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
View File

@ -1,9 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
multiple_authentication = no
}
libstrongswan {
x509 {
enforce_critical = no
}

0
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem → testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
View File

26
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf Executable file
View File

@ -0,0 +1,26 @@
connections {
gw-gw {
local_addrs = 192.168.0.1
remote_addrs = 192.168.0.2
local {
auth = pubkey
id = moon.strongswan.org
}
remote {
auth = pubkey
id = sun.strongswan.org
}
children {
net-net {
local_ts = 10.1.0.0/16
remote_ts = 10.2.0.0/16
esp_proposals = aes128gcm128-ecp256
}
}
version = 2
mobike = no
proposals = aes128-sha256-ecp256
}
}

0
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der → testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
View File

2
testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
View File

@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
multiple_authentication = no
}

0
testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem → testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
View File

26
testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf Executable file
View File

@ -0,0 +1,26 @@
connections {
gw-gw {
local_addrs = 192.168.0.2
remote_addrs = 192.168.0.1
local {
auth = pubkey
id = sun.strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
net-net {
local_ts = 10.2.0.0/16
remote_ts = 10.1.0.0/16
esp_proposals = aes128gcm128-ecp256
}
}
version = 2
mobike = no
proposals = aes128-sha256-ecp256
}
}

0
testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der → testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
View File

9
testing/tests/openssl-ikev2/critical-extension/posttest.dat
View File

@ -1,5 +1,4 @@
moon::ipsec stop
sun::ipsec stop
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::systemctl stop strongswan-swanctl
sun::systemctl stop strongswan-swanctl
moon::rm /etc/swanctl/x509/moonCert.der
sun::rm /etc/swanctl/x509/sunCert.der

14
testing/tests/openssl-ikev2/critical-extension/pretest.dat
View File

@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::expect-connection net-net
sun::expect-connection net-net
moon::ipsec up net-net
moon::rm /etc/swanctl/x509/moonCert.pem
sun::rm /etc/swanctl/x509/sunCert.pem
moon::systemctl start strongswan-swanctl
sun::systemctl start strongswan-swanctl
moon::expect-connection gw-gw
sun::expect-connection gw-gw
moon::swanctl --initiate --child net-net 2> /dev/null

6
testing/tests/openssl-ikev2/critical-extension/test.conf
View File

@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
# charon controlled by swanctl
#
SWANCTL=1