From eba2622587a18cd41ed03f3563882f189110f8dc Mon Sep 17 00:00:00 2001 
From: Andreas Steffen Date: Wed, 26 May 2021 09:40:42 +0200 Subject: [PATCH] testing: Migrate ikev2-stroke-bye scenarios to vici --- testing/tests/ikev1/nat-rw/evaltest.dat | 2 +- testing/tests/ikev2-stroke-bye/.gitignore | 4 - .../any-interface/description.txt | 8 - .../any-interface/evaltest.dat | 21 - .../any-interface/hosts/alice/etc/ipsec.conf | 21 - .../hosts/alice/etc/strongswan.conf | 6 - .../any-interface/hosts/bob/etc/ipsec.conf | 22 - .../any-interface/hosts/moon/etc/ipsec.conf | 27 -- .../any-interface/hosts/sun/etc/ipsec.conf | 21 - .../any-interface/posttest.dat | 6 - .../any-interface/pretest.dat | 13 - .../ikev2-stroke-bye/any-interface/test.conf | 21 - .../compress-nat/evaltest.dat | 22 - .../compress-nat/hosts/alice/etc/ipsec.conf | 24 - .../compress-nat/hosts/bob/etc/ipsec.conf | 24 - .../compress-nat/hosts/carol/etc/ipsec.conf | 23 - .../crl-from-cache/evaltest.dat | 12 - .../crl-from-cache/hosts/carol/etc/ipsec.conf | 21 - .../crl-from-cache/hosts/moon/etc/ipsec.conf | 19 - .../crl-from-cache/posttest.dat | 4 - .../crl-from-cache/pretest.dat | 9 - .../dhcp-static-client-id/evaltest.dat | 26 -- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 20 - .../dhcp-static-mac/evaltest.dat | 26 -- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 5 - .../dhcp-static-mac/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 5 - .../dhcp-static-mac/hosts/moon/etc/ipsec.conf | 20 - .../ikev2-stroke-bye/dpd-hold/description.txt | 7 - .../ikev2-stroke-bye/dpd-hold/evaltest.dat | 14 - .../dpd-hold/hosts/carol/etc/ipsec.conf | 22 - .../dpd-hold/hosts/moon/etc/ipsec.conf | 21 - .../ikev2-stroke-bye/dpd-hold/posttest.dat | 2 - .../ikev2-stroke-bye/dpd-hold/pretest.dat | 5 - .../ikev2-stroke-bye/farp/description.txt | 6 - .../tests/ikev2-stroke-bye/farp/evaltest.dat | 26 -- 
.../farp/hosts/carol/etc/ipsec.conf | 21 - .../farp/hosts/carol/etc/strongswan.conf | 5 - .../farp/hosts/dave/etc/ipsec.conf | 21 - .../farp/hosts/dave/etc/strongswan.conf | 5 - .../farp/hosts/moon/etc/ipsec.conf | 27 -- .../farp/hosts/moon/etc/strongswan.conf | 7 - .../force-udp-encaps/description.txt | 6 - .../force-udp-encaps/evaltest.dat | 8 - .../hosts/alice/etc/ipsec.conf | 21 - .../force-udp-encaps/hosts/sun/etc/ipsec.conf | 20 - .../ikev2-stroke-bye/forecast/evaltest.dat | 20 - .../forecast/hosts/carol/etc/ipsec.conf | 21 - .../forecast/hosts/carol/etc/strongswan.conf | 5 - .../forecast/hosts/dave/etc/ipsec.conf | 21 - .../forecast/hosts/dave/etc/strongswan.conf | 5 - .../forecast/hosts/moon/etc/ipsec.conf | 22 - .../ikev2-stroke-bye/forecast/pretest.dat | 8 - .../host2host-transport-connmark/evaltest.dat | 8 - .../hosts/alice/etc/ipsec.conf | 17 - .../hosts/alice/etc/strongswan.conf | 5 - .../hosts/sun/etc/ipsec.conf | 18 - .../hosts/venus/etc/ipsec.conf | 17 - .../hosts/venus/etc/strongswan.conf | 5 - .../host2host-transport-connmark/posttest.dat | 5 - .../inactivity-timeout/evaltest.dat | 8 - .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 19 - .../inactivity-timeout/posttest.dat | 3 - .../inactivity-timeout/pretest.dat | 6 - .../hosts/carol/etc/strongswan.conf | 5 - .../ikev2-stroke-bye/ip-pool-wish/test.conf | 21 - .../ip-split-pools-db/evaltest.dat | 19 - .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 15 - .../ip-split-pools-db/posttest.dat | 5 - .../ip-two-pools-mixed/description.txt | 9 - .../ip-two-pools-mixed/evaltest.dat | 21 - .../hosts/alice/etc/ipsec.conf | 20 - .../hosts/alice/etc/strongswan.conf | 5 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/strongswan.conf | 5 - 
.../hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/strongswan.conf | 15 - .../ip-two-pools-mixed/posttest.dat | 7 - .../ip-two-pools-v4v6-db/evaltest.dat | 9 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/strongswan.conf | 15 - .../ip-two-pools-v4v6-db/posttest.dat | 3 - .../ip-two-pools-v4v6/description.txt | 5 - .../ip-two-pools-v4v6/evaltest.dat | 9 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/strongswan.conf | 5 - .../ip-two-pools-v4v6/posttest.dat | 3 - .../ip-two-pools-v4v6/pretest.dat | 6 - .../ip-two-pools-v4v6/test.conf | 21 - .../ikev2-stroke-bye/lookip/description.txt | 13 - .../ikev2-stroke-bye/lookip/evaltest.dat | 22 - .../lookip/hosts/carol/etc/ipsec.conf | 21 - .../lookip/hosts/carol/etc/strongswan.conf | 5 - .../lookip/hosts/dave/etc/ipsec.conf | 21 - .../lookip/hosts/dave/etc/strongswan.conf | 5 - .../lookip/hosts/moon/etc/ipsec.conf | 20 - .../lookip/hosts/moon/etc/strongswan.conf | 5 - .../tests/ikev2-stroke-bye/lookip/pretest.dat | 12 - .../nat-rw-mark/description.txt | 16 - .../ikev2-stroke-bye/nat-rw-mark/evaltest.dat | 18 - .../nat-rw-mark/hosts/alice/etc/ipsec.conf | 22 - .../hosts/alice/etc/strongswan.conf | 5 - .../nat-rw-mark/hosts/sun/etc/ipsec.conf | 29 -- .../nat-rw-mark/hosts/sun/etc/mark_updown | 417 ------------------ .../nat-rw-mark/hosts/venus/etc/ipsec.conf | 22 - .../hosts/venus/etc/strongswan.conf | 5 - .../net2net-cert-sha2/evaltest.dat | 9 - .../hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/strongswan.conf | 5 - .../hosts/sun/etc/ipsec.conf | 23 - .../hosts/sun/etc/strongswan.conf | 5 - .../net2net-cert-sha2/pretest.dat | 7 - .../net2net-dnscert/evaltest.dat | 9 - .../net2net-dnscert/hosts/moon/etc/ipsec.conf | 26 -- .../net2net-dnscert/hosts/sun/etc/ipsec.conf | 26 -- .../net2net-multicast/description.txt | 7 - 
.../net2net-multicast/evaltest.dat | 16 - .../hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/strongswan.conf | 13 - .../hosts/sun/etc/ipsec.conf | 23 - .../hosts/sun/etc/strongswan.conf | 13 - .../net2net-multicast/posttest.dat | 2 - .../net2net-multicast/pretest.dat | 7 - .../net2net-multicast/test.conf | 21 - .../net2net-ntru-bandwidth/evaltest.dat | 9 - .../hosts/moon/etc/ipsec.conf | 22 - .../hosts/sun/etc/ipsec.conf | 22 - .../net2net-ntru-bandwidth/pretest.dat | 7 - .../net2net-pgp-v4/pretest.dat | 9 - .../net2net-psk-dscp/evaltest.dat | 8 - .../hosts/moon/etc/ipsec.conf | 32 -- .../hosts/moon/etc/ipsec.secrets | 3 - .../net2net-psk-dscp/hosts/sun/etc/ipsec.conf | 32 -- .../hosts/sun/etc/ipsec.secrets | 7 - .../hosts/sun/etc/strongswan.conf | 11 - .../net2net-rekey/evaltest.dat | 14 - .../net2net-rekey/hosts/moon/etc/ipsec.conf | 21 - .../hosts/moon/etc/strongswan.conf | 12 - .../net2net-rekey/hosts/sun/etc/ipsec.conf | 22 - .../hosts/sun/etc/strongswan.conf | 5 - .../net2net-rekey/pretest.dat | 7 - .../net2net-same-nets/evaltest.dat | 12 - .../hosts/moon/etc/ipsec.conf | 22 - .../hosts/moon/etc/strongswan.conf | 6 - .../hosts/sun/etc/ipsec.conf | 24 - .../hosts/sun/etc/strongswan.conf | 6 - .../net2net-same-nets/pretest.dat | 7 - .../protoport-route/description.txt | 8 - .../protoport-route/evaltest.dat | 10 - .../hosts/carol/etc/ipsec.conf | 26 -- .../hosts/carol/etc/strongswan.conf | 5 - .../protoport-route/hosts/moon/etc/ipsec.conf | 26 -- .../hosts/moon/etc/strongswan.conf | 5 - .../protoport-route/pretest.dat | 10 - .../reauth-early/evaltest.dat | 6 - .../reauth-early/hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/strongswan.conf | 5 - .../reauth-early/hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/strongswan.conf | 5 - .../ikev2-stroke-bye/reauth-late/evaltest.dat | 7 - .../reauth-late/hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/strongswan.conf | 5 - .../reauth-late/hosts/moon/etc/ipsec.conf | 19 - 
.../hosts/moon/etc/strongswan.conf | 5 - .../reauth-mbb-revoked/evaltest.dat | 10 - .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 7 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/strongswan.conf | 5 - .../reauth-mbb-revoked/pretest.dat | 5 - .../reauth-mbb-virtual-ip/evaltest.dat | 7 - .../hosts/carol/etc/ipsec.conf | 22 - .../hosts/carol/etc/strongswan.conf | 7 - .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 5 - .../reauth-mbb-virtual-ip/test.conf | 21 - .../ikev2-stroke-bye/reauth-mbb/evaltest.dat | 7 - .../reauth-mbb/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 7 - .../reauth-mbb/hosts/moon/etc/ipsec.conf | 19 - .../reauth-mbb/hosts/moon/etc/strongswan.conf | 5 - .../ikev2-stroke-bye/reauth-mbb/test.conf | 21 - .../rw-eap-aka-sql-rsa/description.txt | 9 - .../rw-eap-aka-sql-rsa/evaltest.dat | 14 - .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/ipsec.d/data.sql | 9 - .../hosts/carol/etc/ipsec.d/tables.sql | 10 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/ipsec.d/data.sql | 9 - .../hosts/moon/etc/ipsec.d/tables.sql | 10 - .../hosts/moon/etc/strongswan.conf | 11 - .../rw-eap-aka-sql-rsa/posttest.dat | 4 - .../rw-eap-aka-sql-rsa/pretest.dat | 9 - .../rw-eap-dynamic/evaltest.dat | 23 - .../rw-eap-dynamic/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../rw-eap-dynamic/hosts/dave/etc/ipsec.conf | 22 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 5 - .../rw-eap-dynamic/hosts/moon/etc/ipsec.conf | 22 - .../hosts/moon/etc/ipsec.secrets | 5 - .../hosts/moon/etc/strongswan.conf | 12 - .../rw-eap-dynamic/pretest.dat | 11 - .../ikev2-stroke-bye/rw-eap-dynamic/test.conf | 21 - .../rw-eap-framed-ip-radius/evaltest.dat | 26 -- .../hosts/carol/etc/ipsec.conf | 22 - .../hosts/carol/etc/ipsec.secrets | 3 - 
.../hosts/dave/etc/ipsec.conf | 22 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/ipsec.secrets | 3 - .../rw-eap-framed-ip-radius/pretest.dat | 12 - .../rw-eap-md5-class-radius/evaltest.dat | 26 -- .../hosts/carol/etc/ipsec.conf | 29 -- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/ipsec.conf | 29 -- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 33 -- .../hosts/moon/etc/ipsec.secrets | 3 - .../rw-eap-md5-class-radius/pretest.dat | 17 - .../hosts/carol/etc/ipsec.secrets | 1 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/moon/etc/strongswan.conf | 5 - .../rw-eap-md5-id-prompt/posttest.dat | 4 - .../rw-eap-tls-fragments/evaltest.dat | 9 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 17 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 17 - .../rw-eap-tls-fragments/posttest.dat | 10 - .../rw-eap-tls-fragments/pretest.dat | 9 - .../rw-eap-tls-fragments/test.conf | 21 - .../rw-mark-in-out/description.txt | 16 - .../rw-mark-in-out/evaltest.dat | 16 - .../rw-mark-in-out/hosts/alice/etc/ipsec.conf | 22 - .../hosts/alice/etc/strongswan.conf | 5 - .../rw-mark-in-out/hosts/sun/etc/ipsec.conf | 31 -- .../rw-mark-in-out/hosts/sun/etc/mark_updown | 417 ------------------ .../rw-mark-in-out/hosts/venus/etc/ipsec.conf | 22 - .../hosts/venus/etc/strongswan.conf | 5 - .../rw-mark-in-out/pretest.dat | 17 - .../rw-ntru-psk/description.txt | 13 - .../ikev2-stroke-bye/rw-ntru-psk/evaltest.dat | 22 - .../rw-ntru-psk/hosts/carol/etc/ipsec.conf | 23 - .../rw-ntru-psk/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../rw-ntru-psk/hosts/dave/etc/ipsec.conf | 23 - .../rw-ntru-psk/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - 
.../rw-ntru-psk/hosts/moon/etc/ipsec.conf | 22 - .../rw-ntru-psk/hosts/moon/etc/ipsec.secrets | 5 - .../hosts/moon/etc/strongswan.conf | 6 - .../ikev2-stroke-bye/rw-ntru-psk/posttest.dat | 6 - .../ikev2-stroke-bye/rw-ntru-psk/pretest.dat | 14 - .../ikev2-stroke-bye/rw-ntru-psk/test.conf | 21 - .../rw-psk-no-idr/description.txt | 6 - .../rw-psk-no-idr/evaltest.dat | 14 - .../rw-psk-no-idr/hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../rw-psk-no-idr/hosts/dave/etc/ipsec.conf | 20 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 5 - .../rw-psk-no-idr/hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/ipsec.secrets | 5 - .../hosts/moon/etc/strongswan.conf | 5 - .../rw-psk-no-idr/posttest.dat | 6 - .../rw-psk-no-idr/pretest.dat | 14 - .../rw-psk-rsa-mixed/description.txt | 6 - .../rw-psk-rsa-mixed/evaltest.dat | 14 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/ipsec.conf | 20 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 26 -- .../hosts/moon/etc/ipsec.secrets | 7 - .../hosts/moon/etc/strongswan.conf | 5 - .../rw-psk-rsa-mixed/posttest.dat | 6 - .../rw-psk-rsa-mixed/pretest.dat | 13 - .../rw-psk-rsa-split/description.txt | 8 - .../rw-psk-rsa-split/evaltest.dat | 17 - .../hosts/carol/etc/ipsec.conf | 22 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/ipsec.conf | 22 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/ipsec.secrets | 7 - .../hosts/moon/etc/strongswan.conf | 5 - .../rw-psk-rsa-split/posttest.dat | 6 - .../rw-radius-accounting/evaltest.dat | 14 - .../hosts/carol/etc/ipsec.conf | 23 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/moon/etc/ipsec.conf | 
25 -- .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 12 - .../ikev2-stroke-bye/rw-sig-auth/evaltest.dat | 20 - .../rw-sig-auth/hosts/carol/etc/ipsec.conf | 29 -- .../hosts/carol/etc/strongswan.conf | 5 - .../rw-sig-auth/hosts/dave/etc/ipsec.conf | 29 -- .../hosts/dave/etc/strongswan.conf | 5 - .../rw-sig-auth/hosts/moon/etc/ipsec.conf | 30 -- .../rw-sig-auth/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 5 - .../ikev2-stroke-bye/rw-sig-auth/posttest.dat | 6 - .../ikev2-stroke-bye/rw-sig-auth/pretest.dat | 16 - .../ikev2-stroke-bye/rw-sig-auth/test.conf | 26 -- .../rw-whitelist/description.txt | 3 - .../rw-whitelist/evaltest.dat | 19 - .../rw-whitelist/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 5 - .../rw-whitelist/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 5 - .../rw-whitelist/hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 10 - .../rw-whitelist/posttest.dat | 6 - .../ikev2-stroke-bye/trap-any/evaltest.dat | 33 -- .../trap-any/hosts/carol/etc/ipsec.conf | 13 - .../trap-any/hosts/carol/etc/ipsec.secrets | 1 - .../trap-any/hosts/carol/etc/strongswan.conf | 11 - .../trap-any/hosts/dave/etc/ipsec.conf | 15 - .../trap-any/hosts/dave/etc/ipsec.secrets | 1 - .../trap-any/hosts/dave/etc/strongswan.conf | 11 - .../trap-any/hosts/moon/etc/ipsec.conf | 21 - .../trap-any/hosts/moon/etc/ipsec.secrets | 1 - .../trap-any/hosts/moon/etc/strongswan.conf | 11 - .../trap-any/hosts/sun/etc/ipsec.conf | 22 - .../trap-any/hosts/sun/etc/ipsec.secrets | 1 - .../trap-any/hosts/sun/etc/strongswan.conf | 11 - .../ikev2-stroke-bye/trap-any/posttest.dat | 4 - .../ikev2-stroke-bye/trap-any/pretest.dat | 5 - .../hosts/carol/etc/strongswan.conf | 5 - .../hosts/dave/etc/strongswan.conf | 5 - .../hosts/moon/etc/strongswan.conf | 5 - .../virtual-ip-override/posttest.dat | 6 - .../ikev2-stroke-bye/wildcards/evaltest.dat | 8 - .../wildcards/hosts/carol/etc/ipsec.conf | 22 
- .../wildcards/hosts/carol/etc/strongswan.conf | 5 - .../wildcards/hosts/dave/etc/ipsec.conf | 22 - .../wildcards/hosts/moon/etc/ipsec.conf | 26 -- .../ikev2-stroke-bye/wildcards/posttest.dat | 3 - .../ikev2-stroke-bye/wildcards/pretest.dat | 13 - .../ikev2-stroke-bye/wildcards/test.conf | 21 - .../ip-pool-wish/description.txt | 0 .../ip-pool-wish/evaltest.dat | 0 .../ip-pool-wish/hosts/carol/etc/ipsec.conf | 0 .../hosts/carol/etc/strongswan.conf | 0 .../ip-pool-wish/hosts/dave/etc/ipsec.conf | 0 .../hosts/dave}/etc/strongswan.conf | 0 .../ip-pool-wish/hosts/moon/etc/ipsec.conf | 0 .../hosts/moon}/etc/strongswan.conf | 0 .../ip-pool-wish/posttest.dat | 0 .../ip-pool-wish/pretest.dat | 0 .../ip-pool-wish}/test.conf | 0 .../net2net-pgp-v3/description.txt | 0 .../net2net-pgp-v3/evaltest.dat | 0 .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf | 0 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 0 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 0 .../moon/etc/ipsec.d/private/moonKey.asc | 0 .../hosts/moon/etc/ipsec.secrets | 0 .../hosts/moon/etc/strongswan.conf | 0 .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf | 0 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 0 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 0 .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 0 .../hosts/sun/etc/ipsec.secrets | 0 .../hosts/sun/etc/strongswan.conf | 0 .../net2net-pgp-v3/posttest.dat | 0 .../net2net-pgp-v3}/pretest.dat | 0 .../net2net-pgp-v3}/test.conf | 0 .../net2net-pgp-v4/description.txt | 0 .../net2net-pgp-v4/evaltest.dat | 0 .../net2net-pgp-v4/hosts/moon/etc/ipsec.conf | 0 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 0 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 0 .../moon/etc/ipsec.d/private/moonKey.asc | 0 .../hosts/moon/etc/ipsec.secrets | 0 .../hosts/moon/etc/strongswan.conf | 0 .../net2net-pgp-v4/hosts/sun/etc/ipsec.conf | 0 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 0 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 0 .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 0 
.../hosts/sun/etc/ipsec.secrets | 0 .../hosts/sun/etc/strongswan.conf | 0 .../net2net-pgp-v4/posttest.dat | 0 .../net2net-pgp-v4}/pretest.dat | 0 .../net2net-pgp-v4}/test.conf | 0 .../rw-eap-md5-id-prompt/description.txt | 0 .../rw-eap-md5-id-prompt/evaltest.dat | 0 .../hosts/carol/etc/ipsec.conf | 0 .../hosts/carol/etc/ipsec.secrets | 0 .../hosts/carol/etc/strongswan.conf | 0 .../hosts/moon/etc/ipsec.conf | 0 .../hosts/moon/etc/ipsec.secrets | 0 .../hosts/moon}/etc/strongswan.conf | 0 .../rw-eap-md5-id-prompt}/posttest.dat | 0 .../rw-eap-md5-id-prompt/pretest.dat | 0 .../rw-eap-md5-id-prompt}/test.conf | 0 .../virtual-ip-override/description.txt | 0 .../virtual-ip-override/evaltest.dat | 0 .../hosts/carol/etc/ipsec.conf | 0 .../hosts/carol/etc/strongswan.conf | 0 .../hosts/dave/etc/ipsec.conf | 0 .../hosts/dave}/etc/strongswan.conf | 0 .../hosts/moon/etc/ipsec.conf | 0 .../hosts/moon}/etc/strongswan.conf | 0 .../virtual-ip-override}/posttest.dat | 0 .../virtual-ip-override/pretest.dat | 0 .../virtual-ip-override/test.conf | 0 .../compress-nat/description.txt | 0 testing/tests/ikev2/compress-nat/evaltest.dat | 19 + .../hosts/alice}/etc/strongswan.conf | 2 +- .../hosts/alice/etc/swanctl/swanctl.conf | 29 ++ .../hosts/bob/etc/strongswan.conf | 5 + .../hosts/bob/etc/swanctl/swanctl.conf | 29 ++ .../hosts/carol/etc/iptables.rules | 0 .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 ++ .../compress-nat/posttest.dat | 6 +- .../compress-nat/pretest.dat | 10 +- .../compress-nat/test.conf | 4 + .../crl-from-cache/description.txt | 4 +- .../tests/ikev2/crl-from-cache/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 23 + .../hosts/moon/etc/strongswan.conf | 11 + .../hosts/moon/etc/swanctl/swanctl.conf | 21 + .../tests/ikev2/crl-from-cache/posttest.dat | 4 + .../tests/ikev2/crl-from-cache/pretest.dat | 9 + .../crl-from-cache/test.conf | 3 + 
.../tests/ikev2/dhcp-dynamic/description.txt | 13 +- .../dhcp-static-client-id/description.txt | 8 +- .../ikev2/dhcp-static-client-id/evaltest.dat | 22 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 26 ++ .../hosts/venus/etc/dhcp/dhcpd.conf | 0 .../hosts/venus/etc/dnsmasq.conf | 0 .../dhcp-static-client-id}/posttest.dat | 8 +- .../dhcp-static-client-id}/pretest.dat | 10 +- .../dhcp-static-client-id}/test.conf | 4 + .../dhcp-static-mac/description.txt | 10 +- .../tests/ikev2/dhcp-static-mac/evaltest.dat | 22 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 26 ++ .../hosts/venus/etc/dhcp/dhcpd.conf | 0 .../hosts/venus/etc/dnsmasq.conf | 0 .../dhcp-static-mac}/posttest.dat | 8 +- .../dhcp-static-mac}/pretest.dat | 10 +- .../dhcp-static-mac}/test.conf | 4 + testing/tests/ikev2/dpd-trap/description.txt | 13 + testing/tests/ikev2/dpd-trap/evaltest.dat | 17 + .../dpd-trap/hosts/carol}/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++ .../dpd-trap}/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 26 ++ testing/tests/ikev2/dpd-trap/posttest.dat | 3 + testing/tests/ikev2/dpd-trap/pretest.dat | 5 + .../dpd-trap}/test.conf | 6 +- testing/tests/ikev2/farp/description.txt | 7 + testing/tests/ikev2/farp/evaltest.dat | 28 ++ .../farp/hosts/carol/etc/strongswan.conf | 9 + .../farp/hosts/carol/etc/swanctl/swanctl.conf | 28 ++ .../ikev2/farp/hosts/dave/etc/strongswan.conf | 9 + .../farp/hosts/dave/etc/swanctl/swanctl.conf | 
28 ++ .../ikev2/farp/hosts/moon/etc/strongswan.conf | 11 + .../farp/hosts/moon/etc/swanctl/swanctl.conf | 34 ++ .../hosts/moon/etc/swanctl/swanctl_base.conf | 17 + testing/tests/ikev2/farp/posttest.dat | 8 + .../farp/pretest.dat | 11 +- .../rw-psk-no-idr => ikev2/farp}/test.conf | 4 + .../ikev2/force-udp-encap/description.txt | 7 + .../tests/ikev2/force-udp-encap/evaltest.dat | 6 + .../hosts/alice/etc/strongswan.conf | 5 + .../hosts/alice/etc/swanctl/swanctl.conf | 28 ++ .../hosts/sun/etc/iptables.rules | 0 .../hosts/sun/etc/strongswan.conf | 5 + .../hosts/sun/etc/swanctl/swanctl.conf | 26 ++ .../force-udp-encap}/posttest.dat | 4 +- .../force-udp-encap}/pretest.dat | 6 +- .../force-udp-encap}/test.conf | 4 + .../forecast/description.txt | 0 testing/tests/ikev2/forecast/evaltest.dat | 16 + .../forecast}/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 29 ++ .../forecast/hosts/dave}/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 29 ++ .../forecast/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 37 ++ .../forecast}/posttest.dat | 6 +- testing/tests/ikev2/forecast/pretest.dat | 8 + .../forecast/test.conf | 4 + .../description.txt | 0 .../host2host-transport-connmark/evaltest.dat | 8 + .../hosts/alice/etc/strongswan.conf | 5 + .../hosts/alice/etc/swanctl/swanctl.conf | 24 + .../hosts/sun}/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 27 ++ .../hosts/venus/etc/strongswan.conf | 5 + .../hosts/venus/etc/swanctl/swanctl.conf | 24 + .../host2host-transport-connmark/posttest.dat | 5 + .../host2host-transport-connmark/pretest.dat | 10 +- .../host2host-transport-connmark/test.conf | 4 + .../hosts/venus/etc/ipsec.conf | 18 - .../inactivity-timeout/description.txt | 0 .../ikev2/inactivity-timeout/evaltest.dat | 10 + .../hosts/carol}/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++ .../hosts/moon/etc/strongswan.conf | 5 + 
.../hosts/moon/etc/swanctl/swanctl.conf | 24 + .../ikev2/inactivity-timeout/posttest.dat | 2 + .../ikev2/inactivity-timeout/pretest.dat | 5 + .../inactivity-timeout}/test.conf | 8 +- .../ip-split-pools-db/description.txt | 5 +- .../ikev2/ip-split-pools-db/evaltest.dat | 14 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 ++ .../hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 24 + .../ikev2/ip-split-pools-db/posttest.dat | 5 + .../ip-split-pools-db/pretest.dat | 10 +- .../ip-split-pools-db/test.conf | 6 +- .../ikev2/ip-two-pools-mixed/description.txt | 9 + .../ikev2/ip-two-pools-mixed/evaltest.dat | 17 + .../hosts/alice/etc/strongswan.conf | 9 + .../hosts/alice/etc/swanctl/swanctl.conf | 26 ++ .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 52 +++ .../ikev2/ip-two-pools-mixed/posttest.dat | 8 + .../ip-two-pools-mixed/pretest.dat | 14 +- .../ip-two-pools-mixed/test.conf | 10 +- .../ip-two-pools-v4v6-db/description.txt | 6 +- .../ikev2/ip-two-pools-v4v6-db/evaltest.dat | 11 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 ++ .../hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 23 + .../ikev2/ip-two-pools-v4v6-db/posttest.dat | 3 + .../ip-two-pools-v4v6-db/pretest.dat | 10 +- .../ip-two-pools-v4v6-db/test.conf | 8 +- .../ikev2/ip-two-pools-v4v6/description.txt | 5 + .../ikev2/ip-two-pools-v4v6/evaltest.dat | 7 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 ++ .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ .../ikev2/ip-two-pools-v4v6/posttest.dat | 3 + 
.../tests/ikev2/ip-two-pools-v4v6/pretest.dat | 6 + .../tests/ikev2/ip-two-pools-v4v6/test.conf | 25 ++ testing/tests/ikev2/ip-two-pools/pretest.dat | 3 +- testing/tests/ikev2/lookip/description.txt | 13 + testing/tests/ikev2/lookip/evaltest.dat | 18 + .../lookip/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++ .../lookip/hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++ .../lookip/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 31 ++ .../lookip/posttest.dat | 6 +- .../lookip}/pretest.dat | 10 +- .../rw-whitelist => ikev2/lookip}/test.conf | 4 + .../tests/ikev2/nat-rw-mark/description.txt | 13 + testing/tests/ikev2/nat-rw-mark/evaltest.dat | 14 + .../hosts/alice/etc/strongswan.conf | 5 + .../hosts/alice/etc/swanctl/swanctl.conf | 28 ++ .../nat-rw-mark/hosts/sun/etc/iptables.rules | 0 .../nat-rw-mark/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 52 +++ .../hosts/venus/etc/strongswan.conf | 5 + .../hosts/venus/etc/swanctl/swanctl.conf | 28 ++ .../nat-rw-mark/posttest.dat | 8 +- .../nat-rw-mark/pretest.dat | 20 +- .../nat-rw-mark}/test.conf | 4 + testing/tests/ikev2/nat-rw-psk/evaltest.dat | 2 +- testing/tests/ikev2/nat-rw/evaltest.dat | 2 +- .../net2net-cert-sha2/description.txt | 2 +- .../ikev2/net2net-cert-sha2/evaltest.dat | 7 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 29 ++ .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 29 ++ .../net2net-cert-sha2}/posttest.dat | 4 +- .../tests/ikev2/net2net-cert-sha2/pretest.dat | 7 + .../net2net-cert-sha2}/test.conf | 4 + .../net2net-dnscert/description.txt | 4 +- .../tests/ikev2/net2net-dnscert/evaltest.dat | 7 + .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/resolv.conf | 0 .../hosts/moon/etc/strongswan.conf | 12 +- .../hosts/moon/etc/swanctl}/dnssec.keys | 0 .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ 
.../hosts/sun/etc/iptables.rules | 0 .../net2net-dnscert/hosts/sun/etc/resolv.conf | 0 .../hosts/sun/etc/strongswan.conf | 12 +- .../hosts/sun/etc/swanctl}/dnssec.keys | 0 .../hosts/sun/etc/swanctl/swanctl.conf | 32 ++ .../net2net-dnscert/posttest.dat | 12 +- .../tests/ikev2/net2net-dnscert/pretest.dat | 9 + .../net2net-dnscert}/test.conf | 4 + .../tests/ikev2/net2net-dnssec/posttest.dat | 2 + .../net2net-ntru-bandwidth/description.txt | 4 +- .../ikev2/net2net-ntru-bandwidth/evaltest.dat | 5 + .../hosts/moon}/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 ++ .../hosts/sun}/etc/strongswan.conf | 10 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 ++ .../net2net-ntru-bandwidth/posttest.dat | 5 +- .../ikev2/net2net-ntru-bandwidth/pretest.dat | 7 + .../net2net-ntru-bandwidth/test.conf | 4 + .../net2net-psk-dscp/description.txt | 4 +- .../tests/ikev2/net2net-psk-dscp/evaltest.dat | 8 + .../hosts/moon/etc/strongswan.conf | 10 + .../hosts/moon/etc/swanctl/swanctl.conf | 54 +++ .../hosts/sun}/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 64 +++ .../net2net-psk-dscp/posttest.dat | 4 +- .../net2net-psk-dscp/pretest.dat | 12 +- .../net2net-psk-dscp/test.conf | 6 +- .../net2net-rekey/description.txt | 6 +- .../tests/ikev2/net2net-rekey/evaltest.dat | 12 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 34 ++ .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 29 ++ .../net2net-rekey}/posttest.dat | 5 +- testing/tests/ikev2/net2net-rekey/pretest.dat | 7 + .../net2net-rekey/test.conf | 4 + .../tests/ikev2/net2net-route/description.txt | 4 +- .../net2net-same-nets/description.txt | 11 +- .../ikev2/net2net-same-nets/evaltest.dat | 10 + .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/moon/etc/swanctl/swanctl.conf | 28 ++ .../hosts/sun/etc/mark_updown | 24 +- .../hosts/sun/etc/strongswan.conf | 5 + .../hosts/sun/etc/swanctl/swanctl.conf | 32 ++ 
.../net2net-same-nets/posttest.dat | 4 +- .../tests/ikev2/net2net-same-nets/pretest.dat | 7 + .../net2net-same-nets/test.conf | 6 +- .../tests/ikev2/net2net-start/description.txt | 9 +- .../ikev2/ocsp-local-cert/description.txt | 4 +- .../ikev2/protoport-trap/description.txt | 9 + .../tests/ikev2/protoport-trap/evaltest.dat | 9 + .../hosts/carol}/etc/strongswan.conf | 4 +- .../hosts/carol/etc/swanctl/swanctl.conf | 37 ++ .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/moon/etc/swanctl/swanctl.conf | 35 ++ .../protoport-trap}/posttest.dat | 4 +- .../tests/ikev2/protoport-trap/pretest.dat | 11 + .../protoport-trap}/test.conf | 4 + .../reauth-early/description.txt | 8 +- testing/tests/ikev2/reauth-early/evaltest.dat | 6 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/carol/etc/swanctl/swanctl.conf | 31 ++ .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++ .../reauth-early/posttest.dat | 4 +- .../reauth-early}/pretest.dat | 7 +- .../reauth-early}/test.conf | 4 + .../reauth-late/description.txt | 10 +- testing/tests/ikev2/reauth-late/evaltest.dat | 7 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/carol/etc/swanctl/swanctl.conf | 32 ++ .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++ .../reauth-late}/posttest.dat | 4 +- .../reauth-late/pretest.dat | 8 +- .../reauth-late}/test.conf | 4 + .../reauth-mbb-revoked/description.txt | 7 +- .../ikev2/reauth-mbb-revoked/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/swanctl/swanctl.conf | 32 ++ .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 ++ .../reauth-mbb-revoked/posttest.dat | 4 +- .../ikev2/reauth-mbb-revoked/pretest.dat | 5 + .../reauth-mbb-revoked}/test.conf | 4 + .../reauth-mbb-virtual-ip/description.txt | 0 .../ikev2/reauth-mbb-virtual-ip/evaltest.dat | 9 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 ++ 
.../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 ++ .../reauth-mbb-virtual-ip}/posttest.dat | 4 +- .../reauth-mbb-virtual-ip}/pretest.dat | 7 +- .../ikev2/reauth-mbb-virtual-ip/test.conf | 25 ++ .../reauth-mbb/description.txt | 6 +- testing/tests/ikev2/reauth-mbb/evaltest.dat | 9 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/swanctl/swanctl.conf | 32 ++ .../reauth-mbb/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 ++ testing/tests/ikev2/reauth-mbb/posttest.dat | 4 + .../reauth-mbb/pretest.dat | 6 +- testing/tests/ikev2/reauth-mbb/test.conf | 25 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 8 - .../rw-eap-dynamic/description.txt | 0 .../tests/ikev2/rw-eap-dynamic/evaltest.dat | 19 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 ++ .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 ++ .../rw-eap-dynamic}/posttest.dat | 6 +- .../tests/ikev2/rw-eap-dynamic/pretest.dat | 12 + .../rw-eap-dynamic}/test.conf | 4 + .../rw-eap-framed-ip-radius/description.txt | 0 .../rw-eap-framed-ip-radius/evaltest.dat | 22 + .../etc/freeradius/3.0/mods-available/eap | 0 .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../freeradius/3.0/sites-available/default | 0 .../3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/alice/etc/freeradius/eap.conf | 0 .../hosts/alice/etc/freeradius/proxy.conf | 0 .../etc/freeradius/sites-available/default | 0 .../hosts/alice/etc/freeradius/users | 0 .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 ++ 
.../rw-eap-framed-ip-radius}/posttest.dat | 6 +- .../ikev2/rw-eap-framed-ip-radius/pretest.dat | 14 + .../rw-eap-framed-ip-radius/test.conf | 7 +- .../rw-eap-md5-class-radius/description.txt | 0 .../rw-eap-md5-class-radius/evaltest.dat | 22 + .../etc/freeradius/3.0/mods-available/eap | 0 .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../freeradius/3.0/sites-available/default | 0 .../3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/alice/etc/freeradius/eap.conf | 0 .../hosts/alice/etc/freeradius/proxy.conf | 0 .../etc/freeradius/sites-available/default | 0 .../hosts/alice/etc/freeradius/users | 0 .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 40 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 40 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 54 +++ .../rw-eap-md5-class-radius}/posttest.dat | 6 +- .../ikev2/rw-eap-md5-class-radius/pretest.dat | 17 + .../rw-eap-md5-class-radius/test.conf | 7 +- .../rw-eap-tls-fragments/description.txt | 3 +- .../ikev2/rw-eap-tls-fragments/evaltest.dat | 9 + .../hosts/carol/etc/strongswan.conf | 21 + .../carol/etc/swanctl/rsa}/carol_key.der | Bin .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++ .../carol/etc/swanctl/x509}/carol_D_cert.der | Bin .../carol/etc/swanctl/x509ca}/ca_A_cert.der | Bin .../hosts/moon/etc/strongswan.conf | 25 ++ .../hosts/moon/etc/swanctl/rsa}/ca_A_key.der | Bin .../hosts/moon/etc/swanctl/rsa}/ca_B_key.der | Bin .../hosts/moon/etc/swanctl/rsa}/ca_C_key.der | Bin .../hosts/moon/etc/swanctl/rsa}/ca_D_key.der | Bin .../hosts/moon/etc/swanctl/rsa}/moon_key.der | Bin .../hosts/moon/etc/swanctl/swanctl.conf | 25 ++ .../moon/etc/swanctl/x509}/moon_D_cert.der | Bin .../moon/etc/swanctl/x509ca}/ca_A_cert.der | Bin .../moon/etc/swanctl/x509ca}/ca_B_cert.der | Bin .../moon/etc/swanctl/x509ca}/ca_C_cert.der | Bin 
.../moon/etc/swanctl/x509ca}/ca_D_cert.der | Bin .../ikev2/rw-eap-tls-fragments/posttest.dat | 6 + .../ikev2/rw-eap-tls-fragments/pretest.dat | 9 + .../rw-eap-tls-fragments}/test.conf | 4 + .../ikev2/rw-mark-in-out/description.txt | 13 + .../tests/ikev2/rw-mark-in-out/evaltest.dat | 14 + .../hosts/alice/etc/strongswan.conf | 5 + .../hosts/alice/etc/swanctl/swanctl.conf | 28 ++ .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 52 +++ .../hosts/venus/etc/strongswan.conf | 5 + .../hosts/venus/etc/swanctl/swanctl.conf | 28 ++ .../rw-mark-in-out/posttest.dat | 9 +- .../tests/ikev2/rw-mark-in-out/pretest.dat | 20 + .../rw-mark-in-out}/test.conf | 4 + .../tests/ikev2/rw-ntru-psk/description.txt | 12 + testing/tests/ikev2/rw-ntru-psk/evaltest.dat | 14 + .../hosts/carol/etc/strongswan.conf | 10 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/dave/etc/strongswan.conf | 10 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 ++ .../hosts/moon/etc/strongswan.conf | 10 + .../hosts/moon/etc/swanctl/swanctl.conf | 43 ++ testing/tests/ikev2/rw-ntru-psk/posttest.dat | 6 + testing/tests/ikev2/rw-ntru-psk/pretest.dat | 14 + .../lookip => ikev2/rw-ntru-psk}/test.conf | 4 + .../tests/ikev2/rw-psk-no-idr/description.txt | 9 + .../tests/ikev2/rw-psk-no-idr/evaltest.dat | 12 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 36 ++ .../tests/ikev2/rw-psk-no-idr/posttest.dat | 6 + testing/tests/ikev2/rw-psk-no-idr/pretest.dat | 14 + .../rw-psk-no-idr}/test.conf | 4 + .../ikev2/rw-psk-rsa-mixed/description.txt | 10 + .../tests/ikev2/rw-psk-rsa-mixed/evaltest.dat | 14 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/dave}/etc/strongswan.conf | 10 +- .../hosts/dave/etc/swanctl/swanctl.conf | 
26 ++ .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 55 +++ .../tests/ikev2/rw-psk-rsa-mixed/posttest.dat | 8 + .../tests/ikev2/rw-psk-rsa-mixed/pretest.dat | 13 + .../tests/ikev2/rw-psk-rsa-mixed/test.conf | 25 ++ .../ikev2/rw-psk-rsa-split/description.txt | 9 + .../tests/ikev2/rw-psk-rsa-split/evaltest.dat | 14 + .../hosts/carol}/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/dave}/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 38 ++ .../tests/ikev2/rw-psk-rsa-split/posttest.dat | 8 + .../tests/ikev2/rw-psk-rsa-split/pretest.dat | 13 + .../tests/ikev2/rw-psk-rsa-split/test.conf | 25 ++ .../tests/ikev2/rw-pubkey-keyid/posttest.dat | 2 - .../rw-radius-accounting/description.txt | 2 - .../ikev2/rw-radius-accounting/evaltest.dat | 14 + .../etc/freeradius/3.0/mods-available/eap | 0 .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../freeradius/3.0/sites-available/default | 0 .../3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/alice/etc/freeradius/eap.conf | 0 .../hosts/alice/etc/freeradius/proxy.conf | 0 .../etc/freeradius/sites-available/default | 0 .../hosts/alice/etc/freeradius/users | 0 .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../hosts/moon/etc/iptables.rules | 0 .../hosts/moon/etc/strongswan.conf | 17 + .../hosts/moon/etc/swanctl/swanctl.conf | 28 ++ .../rw-radius-accounting/posttest.dat | 6 +- .../rw-radius-accounting/pretest.dat | 7 +- .../rw-radius-accounting/test.conf | 8 +- .../rw-sig-auth/description.txt | 8 +- testing/tests/ikev2/rw-sig-auth/evaltest.dat | 16 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 33 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 33 ++ .../hosts/moon/etc/strongswan.conf | 9 + 
.../hosts/moon/etc/swanctl/swanctl.conf | 48 ++ testing/tests/ikev2/rw-sig-auth/posttest.dat | 6 + testing/tests/ikev2/rw-sig-auth/pretest.dat | 14 + testing/tests/ikev2/rw-sig-auth/test.conf | 25 ++ .../tests/ikev2/rw-whitelist/description.txt | 8 + testing/tests/ikev2/rw-whitelist/evaltest.dat | 14 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++ .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 ++ .../hosts/moon/etc/strongswan.conf | 15 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 ++ testing/tests/ikev2/rw-whitelist/posttest.dat | 6 + .../rw-whitelist/pretest.dat | 13 +- testing/tests/ikev2/rw-whitelist/test.conf | 25 ++ .../trap-any/description.txt | 9 +- testing/tests/ikev2/trap-any/evaltest.dat | 29 ++ .../trap-any/hosts/carol/etc/strongswan.conf | 14 + .../hosts/carol/etc/swanctl/swanctl.conf | 24 + .../trap-any/hosts/dave/etc/strongswan.conf | 14 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 ++ .../trap-any/hosts/moon/etc/strongswan.conf | 14 + .../hosts/moon/etc/swanctl/swanctl.conf | 39 ++ .../trap-any/hosts/sun/etc/strongswan.conf | 14 + .../hosts/sun/etc/swanctl/swanctl.conf | 39 ++ testing/tests/ikev2/trap-any/posttest.dat | 4 + testing/tests/ikev2/trap-any/pretest.dat | 5 + .../trap-any/test.conf | 4 + .../wildcards/description.txt | 0 testing/tests/ikev2/wildcards/evaltest.dat | 8 + .../wildcards/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++ .../wildcards/hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 ++ .../wildcards/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 45 ++ testing/tests/ikev2/wildcards/posttest.dat | 3 + testing/tests/ikev2/wildcards/pretest.dat | 11 + testing/tests/ikev2/wildcards/test.conf | 25 ++ 931 files changed, 5935 insertions(+), 5926 deletions(-) delete mode 100644 testing/tests/ikev2-stroke-bye/.gitignore delete mode 100644 
testing/tests/ikev2-stroke-bye/any-interface/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/any-interface/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/farp/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/farp/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat 
delete mode 100644 testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/forecast/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat delete mode 100644 
testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf delete 
mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/lookip/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt delete mode 100644 
testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf delete mode 100755 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat delete mode 100644 
testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql 
delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf delete mode 100755 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf delete mode 100644 
testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/trap-any/posttest.dat delete mode 100644 
testing/tests/ikev2-stroke-bye/trap-any/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/posttest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/pretest.dat delete mode 100644 testing/tests/ikev2-stroke-bye/wildcards/test.conf rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/description.txt (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/evaltest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/hosts/carol/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/compress-nat => ikev2-stroke/ip-pool-wish}/hosts/carol/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/hosts/dave/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/compress-nat/hosts/alice => ikev2-stroke/ip-pool-wish/hosts/dave}/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/hosts/moon/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/compress-nat/hosts/bob => ikev2-stroke/ip-pool-wish/hosts/moon}/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => 
ikev2-stroke}/ip-pool-wish/posttest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/ip-pool-wish/pretest.dat (100%) rename testing/tests/{ikev2-stroke-bye/farp => ikev2-stroke/ip-pool-wish}/test.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/description.txt (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/evaltest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/moon/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/hosts/sun/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v3/posttest.dat (100%) rename testing/tests/{ikev2-stroke-bye/net2net-dnscert => ikev2-stroke/net2net-pgp-v3}/pretest.dat (100%) rename 
testing/tests/{ikev2-stroke-bye/net2net-cert-sha2 => ikev2-stroke/net2net-pgp-v3}/test.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/description.txt (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/evaltest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/moon/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/hosts/sun/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/net2net-pgp-v4/posttest.dat (100%) rename testing/tests/{ikev2-stroke-bye/net2net-pgp-v3 => ikev2-stroke/net2net-pgp-v4}/pretest.dat (100%) rename testing/tests/{ikev2-stroke-bye/net2net-dnscert => ikev2-stroke/net2net-pgp-v4}/test.conf (100%) rename testing/tests/{ikev2-stroke-bye => 
ikev2-stroke}/rw-eap-md5-id-prompt/description.txt (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/rw-eap-md5-id-prompt/evaltest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/rw-eap-aka-sql-rsa => ikev2-stroke/rw-eap-md5-id-prompt}/hosts/carol/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye/rw-eap-framed-ip-radius => ikev2-stroke/rw-eap-md5-id-prompt}/hosts/carol/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets (100%) rename testing/tests/{ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave => ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon}/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye/protoport-route => ikev2-stroke/rw-eap-md5-id-prompt}/posttest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/rw-eap-md5-id-prompt/pretest.dat (100%) rename testing/tests/{ikev2-stroke-bye/rw-eap-aka-sql-rsa => ikev2-stroke/rw-eap-md5-id-prompt}/test.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/description.txt (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/evaltest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/hosts/carol/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/dpd-hold => ikev2-stroke/virtual-ip-override}/hosts/carol/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/hosts/dave/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/force-udp-encaps/hosts/alice => ikev2-stroke/virtual-ip-override/hosts/dave}/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye => 
ikev2-stroke}/virtual-ip-override/hosts/moon/etc/ipsec.conf (100%) rename testing/tests/{ikev2-stroke-bye/force-udp-encaps/hosts/sun => ikev2-stroke/virtual-ip-override/hosts/moon}/etc/strongswan.conf (100%) rename testing/tests/{ikev2-stroke-bye/farp => ikev2-stroke/virtual-ip-override}/posttest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/pretest.dat (100%) rename testing/tests/{ikev2-stroke-bye => ikev2-stroke}/virtual-ip-override/test.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/compress-nat/description.txt (100%) create mode 100644 testing/tests/ikev2/compress-nat/evaltest.dat rename testing/tests/{ikev2-stroke-bye/ip-pool-wish/hosts/dave => ikev2/compress-nat/hosts/alice}/etc/strongswan.conf (66%) create mode 100755 testing/tests/ikev2/compress-nat/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf create mode 100755 testing/tests/ikev2/compress-nat/hosts/bob/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/compress-nat/hosts/carol/etc/iptables.rules (100%) create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/compress-nat/hosts/carol/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/compress-nat/posttest.dat (56%) rename testing/tests/{ikev2-stroke-bye => ikev2}/compress-nat/pretest.dat (83%) rename testing/tests/{ikev2-stroke-bye => ikev2}/compress-nat/test.conf (91%) rename testing/tests/{ikev2-stroke-bye => ikev2}/crl-from-cache/description.txt (58%) create mode 100644 testing/tests/ikev2/crl-from-cache/evaltest.dat create mode 100644 testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/crl-from-cache/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/crl-from-cache/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/crl-from-cache/posttest.dat create mode 100644 testing/tests/ikev2/crl-from-cache/pretest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/crl-from-cache/test.conf (90%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-client-id/description.txt (85%) create mode 100644 testing/tests/ikev2/dhcp-static-client-id/evaltest.dat create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-client-id/hosts/moon/etc/iptables.rules (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-client-id/hosts/moon/etc/strongswan.conf (54%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf (100%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-mac => ikev2/dhcp-static-client-id}/posttest.dat (57%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-mac => ikev2/dhcp-static-client-id}/pretest.dat (59%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-mac => ikev2/dhcp-static-client-id}/test.conf (91%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-mac/description.txt (76%) create mode 100644 testing/tests/ikev2/dhcp-static-mac/evaltest.dat create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-mac/hosts/moon/etc/iptables.rules (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-mac/hosts/moon/etc/strongswan.conf (54%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf (100%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-client-id => ikev2/dhcp-static-mac}/posttest.dat (57%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-client-id => ikev2/dhcp-static-mac}/pretest.dat (59%) rename testing/tests/{ikev2-stroke-bye/dhcp-static-client-id => ikev2/dhcp-static-mac}/test.conf (91%) create mode 100644 testing/tests/ikev2/dpd-trap/description.txt create mode 100644 testing/tests/ikev2/dpd-trap/evaltest.dat rename testing/tests/{ikev2-stroke-bye/wildcards/hosts/dave => ikev2/dpd-trap/hosts/carol}/etc/strongswan.conf (68%) create mode 100755 testing/tests/ikev2/dpd-trap/hosts/carol/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/wildcards => ikev2/dpd-trap}/hosts/moon/etc/strongswan.conf (68%) create mode 100755 testing/tests/ikev2/dpd-trap/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/dpd-trap/posttest.dat create mode 100644 testing/tests/ikev2/dpd-trap/pretest.dat rename testing/tests/{ikev2-stroke-bye/inactivity-timeout => ikev2/dpd-trap}/test.conf (87%) create mode 100755 testing/tests/ikev2/farp/description.txt create mode 100755 testing/tests/ikev2/farp/evaltest.dat create mode 100755 
testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/farp/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/farp/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl_base.conf create mode 100755 testing/tests/ikev2/farp/posttest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/farp/pretest.dat (54%) mode change 100644 => 100755 rename testing/tests/{ikev2-stroke-bye/rw-psk-no-idr => ikev2/farp}/test.conf (91%) mode change 100644 => 100755 create mode 100644 testing/tests/ikev2/force-udp-encap/description.txt create mode 100644 testing/tests/ikev2/force-udp-encap/evaltest.dat create mode 100644 testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ikev2/force-udp-encap/hosts/alice/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/force-udp-encaps => ikev2/force-udp-encap}/hosts/sun/etc/iptables.rules (100%) create mode 100644 testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/ikev2/force-udp-encap/hosts/sun/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/force-udp-encaps => ikev2/force-udp-encap}/posttest.dat (74%) rename testing/tests/{ikev2-stroke-bye/force-udp-encaps => ikev2/force-udp-encap}/pretest.dat (69%) rename testing/tests/{ikev2-stroke-bye/force-udp-encaps => ikev2/force-udp-encap}/test.conf (90%) rename testing/tests/{ikev2-stroke-bye => ikev2}/forecast/description.txt (100%) create mode 100644 testing/tests/ikev2/forecast/evaltest.dat rename testing/tests/{ikev2-stroke-bye/crl-from-cache => ikev2/forecast}/hosts/carol/etc/strongswan.conf (62%) create mode 100755 
testing/tests/ikev2/forecast/hosts/carol/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/host2host-transport-connmark/hosts/sun => ikev2/forecast/hosts/dave}/etc/strongswan.conf (64%) create mode 100755 testing/tests/ikev2/forecast/hosts/dave/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/forecast/hosts/moon/etc/strongswan.conf (76%) create mode 100755 testing/tests/ikev2/forecast/hosts/moon/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/rw-eap-dynamic => ikev2/forecast}/posttest.dat (58%) create mode 100644 testing/tests/ikev2/forecast/pretest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/forecast/test.conf (91%) rename testing/tests/{ikev2-stroke-bye => ikev2}/host2host-transport-connmark/description.txt (100%) create mode 100644 testing/tests/ikev2/host2host-transport-connmark/evaltest.dat create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye/ip-pool-wish/hosts/moon => ikev2/host2host-transport-connmark/hosts/sun}/etc/strongswan.conf (66%) create mode 100755 testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/posttest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/host2host-transport-connmark/pretest.dat (65%) rename testing/tests/{ikev2-stroke-bye => ikev2}/host2host-transport-connmark/test.conf (91%) delete mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/inactivity-timeout/description.txt (100%) create mode 100644 
testing/tests/ikev2/inactivity-timeout/evaltest.dat rename testing/tests/{ikev2-stroke-bye/dpd-hold/hosts/moon => ikev2/inactivity-timeout/hosts/carol}/etc/strongswan.conf (68%) create mode 100755 testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/inactivity-timeout/posttest.dat create mode 100644 testing/tests/ikev2/inactivity-timeout/pretest.dat rename testing/tests/{ikev2-stroke-bye/dpd-hold => ikev2/inactivity-timeout}/test.conf (79%) rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-split-pools-db/description.txt (85%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/ip-split-pools-db/evaltest.dat create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-split-pools-db/posttest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-split-pools-db/pretest.dat (69%) mode change 100644 => 100755 rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-split-pools-db/test.conf (89%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/description.txt create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-mixed/hosts/moon/etc/iptables.rules (100%) create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/posttest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-mixed/pretest.dat (62%) mode change 100644 => 100755 rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-mixed/test.conf (74%) mode change 100644 => 100755 rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-v4v6-db/description.txt (55%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-v4v6-db/pretest.dat (55%) mode change 100644 => 100755 rename testing/tests/{ikev2-stroke-bye => ikev2}/ip-two-pools-v4v6-db/test.conf (80%) mode change 100644 => 100755 create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/description.txt create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat create mode 100755 testing/tests/ikev2/ip-two-pools-v4v6/test.conf create mode 100644 testing/tests/ikev2/lookip/description.txt create mode 100644 testing/tests/ikev2/lookip/evaltest.dat create mode 100644 testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/lookip/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/lookip/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/lookip/hosts/moon/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/lookip/posttest.dat (58%) rename testing/tests/{ikev2-stroke-bye/rw-psk-rsa-split => ikev2/lookip}/pretest.dat (55%) rename testing/tests/{ikev2-stroke-bye/rw-whitelist => ikev2/lookip}/test.conf (91%) create mode 100644 testing/tests/ikev2/nat-rw-mark/description.txt create mode 100644 testing/tests/ikev2/nat-rw-mark/evaltest.dat create mode 100644 testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/swanctl/swanctl.conf rename testing/tests/{ikev2-stroke-bye => ikev2}/nat-rw-mark/hosts/sun/etc/iptables.rules (100%) rename testing/tests/{ikev2-stroke-bye => ikev2}/nat-rw-mark/hosts/sun/etc/strongswan.conf (72%) create mode 100755 testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/nat-rw-mark/posttest.dat (65%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/nat-rw-mark/pretest.dat (66%)
 rename testing/tests/{ikev2-stroke-bye/rw-mark-in-out => ikev2/nat-rw-mark}/test.conf (91%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-cert-sha2/description.txt (84%)
 create mode 100644 testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/net2net-rekey => ikev2/net2net-cert-sha2}/posttest.dat (58%)
 create mode 100644 testing/tests/ikev2/net2net-cert-sha2/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/net2net-pgp-v3 => ikev2/net2net-cert-sha2}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/description.txt (70%)
 create mode 100644 testing/tests/ikev2/net2net-dnscert/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/moon/etc/iptables.rules (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/moon/etc/resolv.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/moon/etc/strongswan.conf (56%)
 rename testing/tests/{ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d => ikev2/net2net-dnscert/hosts/moon/etc/swanctl}/dnssec.keys (100%)
 create mode 100755 testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/sun/etc/iptables.rules (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/sun/etc/resolv.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/hosts/sun/etc/strongswan.conf (56%)
 rename testing/tests/{ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d => ikev2/net2net-dnscert/hosts/sun/etc/swanctl}/dnssec.keys (100%)
 create mode 100755 testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-dnscert/posttest.dat (51%)
 create mode 100644 testing/tests/ikev2/net2net-dnscert/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/net2net-pgp-v4 => ikev2/net2net-dnscert}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-ntru-bandwidth/description.txt (76%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun => ikev2/net2net-ntru-bandwidth/hosts/moon}/etc/strongswan.conf (63%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon => ikev2/net2net-ntru-bandwidth/hosts/sun}/etc/strongswan.conf (63%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-ntru-bandwidth/posttest.dat (58%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-ntru-bandwidth/test.conf (90%)
 mode change 100644 => 100755
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-psk-dscp/description.txt (88%)
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/net2net-psk-dscp/hosts/moon => ikev2/net2net-psk-dscp/hosts/sun}/etc/strongswan.conf (59%)
 create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-psk-dscp/posttest.dat (75%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-psk-dscp/pretest.dat (75%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-psk-dscp/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-rekey/description.txt (73%)
 create mode 100644 testing/tests/ikev2/net2net-rekey/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-rekey/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-rekey/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/net2net-cert-sha2 => ikev2/net2net-rekey}/posttest.dat (58%)
 create mode 100644 testing/tests/ikev2/net2net-rekey/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-rekey/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-same-nets/description.txt (61%)
 create mode 100644 testing/tests/ikev2/net2net-same-nets/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-same-nets/hosts/sun/etc/mark_updown (92%)
 create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-same-nets/posttest.dat (72%)
 create mode 100644 testing/tests/ikev2/net2net-same-nets/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/net2net-same-nets/test.conf (90%)
 create mode 100644 testing/tests/ikev2/protoport-trap/description.txt
 create mode 100644 testing/tests/ikev2/protoport-trap/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye/inactivity-timeout/hosts/moon => ikev2/protoport-trap/hosts/carol}/etc/strongswan.conf (59%)
 create mode 100755 testing/tests/ikev2/protoport-trap/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/protoport-trap/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/reauth-late => ikev2/protoport-trap}/posttest.dat (58%)
 create mode 100644 testing/tests/ikev2/protoport-trap/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/reauth-mbb-revoked => ikev2/protoport-trap}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-early/description.txt (61%)
 create mode 100644 testing/tests/ikev2/reauth-early/evaltest.dat
 create mode 100644 testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-early/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-early/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-early/posttest.dat (58%)
 rename testing/tests/{ikev2-stroke-bye/reauth-mbb-virtual-ip => ikev2/reauth-early}/pretest.dat (54%)
 rename testing/tests/{ikev2-stroke-bye/reauth-late => ikev2/reauth-early}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-late/description.txt (55%)
 create mode 100644 testing/tests/ikev2/reauth-late/evaltest.dat
 create mode 100644 testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-late/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-late/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/reauth-mbb-virtual-ip => ikev2/reauth-late}/posttest.dat (58%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-late/pretest.dat (54%)
 rename testing/tests/{ikev2-stroke-bye/protoport-route => ikev2/reauth-late}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-mbb-revoked/description.txt (74%)
 create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
 create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-mbb-revoked/posttest.dat (50%)
 create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/reauth-early => ikev2/reauth-mbb-revoked}/test.conf (90%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-mbb-virtual-ip/description.txt (100%)
 create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
 create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/reauth-mbb => ikev2/reauth-mbb-virtual-ip}/posttest.dat (58%)
 rename testing/tests/{ikev2-stroke-bye/reauth-early => ikev2/reauth-mbb-virtual-ip}/pretest.dat (55%)
 create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-mbb/description.txt (64%)
 create mode 100644 testing/tests/ikev2/reauth-mbb/evaltest.dat
 create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/reauth-mbb/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/reauth-mbb/posttest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/reauth-mbb/pretest.dat (55%)
 create mode 100644 testing/tests/ikev2/reauth-mbb/test.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-dynamic/description.txt (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/forecast => ikev2/rw-eap-dynamic}/posttest.dat (58%)
 create mode 100644 testing/tests/ikev2/rw-eap-dynamic/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/rw-psk-rsa-mixed => ikev2/rw-eap-dynamic}/test.conf (91%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/description.txt (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf (52%)
 create mode 100755 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-md5-class-radius => ikev2/rw-eap-framed-ip-radius}/posttest.dat (62%)
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-framed-ip-radius/test.conf (80%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/description.txt (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf (55%)
 create mode 100755 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-framed-ip-radius => ikev2/rw-eap-md5-class-radius}/posttest.dat (62%)
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-md5-class-radius/test.conf (80%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-eap-tls-fragments/description.txt (59%)
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/rsa}/carol_key.der (100%)
 create mode 100755 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs => ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509}/carol_D_cert.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts => ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509ca}/ca_A_cert.der (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa}/ca_A_key.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa}/ca_B_key.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa}/ca_C_key.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa}/ca_D_key.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa}/moon_key.der (100%)
 create mode 100755 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509}/moon_D_cert.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca}/ca_A_cert.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca}/ca_B_cert.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca}/ca_C_cert.der (100%)
 rename testing/tests/{ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts => ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca}/ca_D_cert.der (100%)
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/rw-eap-md5-id-prompt => ikev2/rw-eap-tls-fragments}/test.conf (90%)
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/description.txt
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-mark-in-out/hosts/sun/etc/strongswan.conf (72%)
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-mark-in-out/posttest.dat (60%)
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/nat-rw-mark => ikev2/rw-mark-in-out}/test.conf (91%)
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/description.txt
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/posttest.dat
 create mode 100755 testing/tests/ikev2/rw-ntru-psk/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/lookip => ikev2/rw-ntru-psk}/test.conf (91%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/description.txt
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/posttest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-no-idr/pretest.dat
 rename testing/tests/{ikev2-stroke-bye/rw-psk-rsa-split => ikev2/rw-psk-no-idr}/test.conf (91%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/crl-from-cache/hosts/moon => ikev2/rw-psk-rsa-mixed/hosts/dave}/etc/strongswan.conf (51%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/any-interface => ikev2/rw-psk-rsa-mixed}/hosts/moon/etc/strongswan.conf (50%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/description.txt
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye/any-interface/hosts/bob => ikev2/rw-psk-rsa-split/hosts/carol}/etc/strongswan.conf (50%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye/any-interface/hosts/sun => ikev2/rw-psk-rsa-split/hosts/dave}/etc/strongswan.conf (50%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
 create mode 100755 testing/tests/ikev2/rw-psk-rsa-split/test.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/description.txt (82%)
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/evaltest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default (100%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/alice/etc/freeradius/users (100%)
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/hosts/moon/etc/iptables.rules (100%)
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/swanctl/swanctl.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/posttest.dat (72%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/pretest.dat (58%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-radius-accounting/test.conf (82%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-sig-auth/description.txt (66%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-sig-auth/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-sig-auth/posttest.dat
 create mode 100755 testing/tests/ikev2/rw-sig-auth/pretest.dat
 create mode 100755 testing/tests/ikev2/rw-sig-auth/test.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/description.txt
 create mode 100755 testing/tests/ikev2/rw-whitelist/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/rw-whitelist/posttest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/rw-whitelist/pretest.dat (67%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/rw-whitelist/test.conf
 rename testing/tests/{ikev2-stroke-bye => ikev2}/trap-any/description.txt (53%)
 create mode 100644 testing/tests/ikev2/trap-any/evaltest.dat
 create mode 100644 testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/trap-any/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/trap-any/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/trap-any/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/trap-any/hosts/sun/etc/swanctl/swanctl.conf
 create mode 100644 testing/tests/ikev2/trap-any/posttest.dat
 create mode 100644 testing/tests/ikev2/trap-any/pretest.dat
 rename testing/tests/{ikev2-stroke-bye => ikev2}/trap-any/test.conf (91%)
 rename testing/tests/{ikev2-stroke-bye => ikev2}/wildcards/description.txt (100%)
 mode change 100644 => 100755
 create mode 100755 testing/tests/ikev2/wildcards/evaltest.dat
 create mode 100755 testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/wildcards/hosts/carol/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/wildcards/hosts/dave/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/wildcards/hosts/moon/etc/swanctl/swanctl.conf
 create mode 100755 testing/tests/ikev2/wildcards/posttest.dat
 create mode 100755 testing/tests/ikev2/wildcards/pretest.dat
 create mode 100755 testing/tests/ikev2/wildcards/test.conf
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index ce6cebf3b..08abb4a2b 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -6,7 +6,7 @@ bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
 alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
 venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
 sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
diff --git a/testing/tests/ikev2-stroke-bye/.gitignore b/testing/tests/ikev2-stroke-bye/.gitignore
deleted file mode 100644
index f8443fea4..000000000
--- a/testing/tests/ikev2-stroke-bye/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*.crl
-*.der
-*.p12
-*.pem
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/description.txt b/testing/tests/ikev2-stroke-bye/any-interface/description.txt
deleted file mode 100644
index 5ce8bec34..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-By setting left=%any this scenario tests the ability of the IKEv2 daemon
-to automatically determine its own IP address of an IPsec SA to be established.
-This is achieved by finding a route via the correct network interface to the remote IPsec peer.
-
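Review bot: The `:YES` → `::YES` fix on the `sun:: swanctl --list-sas --raw --ike-id 2` line repairs an expectation that, if the harness splits each line on `::`, was probably never evaluated as written — the old `:YES` suffix would have stayed inside the match pattern rather than being read as the expected result — so the check of venus's NAT-T IKE and CHILD SA parameters on sun may have been silently ineffective until now. Because this file is ikev1/nat-rw/evaltest.dat while the commit title only names the ikev2-stroke-bye migration, a one-line mention in the description such as `Also fixes a malformed ::YES terminator in ikev1/nat-rw/evaltest.dat` would keep the change findable. It is also worth confirming that the evaluation runner reports malformed expectation lines instead of skipping them, since a skipped assertion on SA algorithms and traffic selectors hides regressions rather than flagging them.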

-The hosts moon and bob act as initiators by setting auto=route
-whereas the hosts alice and sun act as responders by setting auto=add.
-Pings from moon to alice and sun as well as a ping from bob
-to sun set up three compressed IPsec Transport Mode connections.
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat b/testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat
deleted file mode 100644
index 800ae4353..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/evaltest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-moon:: cat /var/log/daemon.log::creating acquire job::YES
-bob:: cat /var/log/daemon.log::creating acquire job::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*CN=moon.strongswan.org.*CN=alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=moon.strongswan.org.*CN=sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::remote.*ESTABLISHED.*CN=alice@strongswan.org.*CN=moon.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::remote\[1]: ESTABLISHED.*CN=sun.strongswan.org.*CN=moon.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::remote\[2]: ESTABLISHED.*CN=sun.strongswan.org.*CN=bob@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=bob@strongswan.org.*CN=sun.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TRANSPORT::YES
-moon:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
-alice::ipsec status 2> /dev/null::remote.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::remote[{]1}.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::remote[{]2}.*INSTALLED, TRANSPORT::YES
-bob:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP bob.strongswan.org > sun1.strongswan.org: ESP::YES
-bob::tcpdump::IP sun1.strongswan.org > bob.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 4f2c78fd3..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=clear
- dpddelay=10
- left=%any
- leftcert=aliceCert.pem
-
-conn remote
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index d4085e6a4..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
- multiple_authentication = no
-}
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf
deleted file mode 100644
index 25b05f7f0..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=hold
- dpddelay=10
- left=%any
- leftcert=bobCert.pem
-
-conn sun
- right=PH_IP_SUN1
- rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
- auto=route
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c44c6bb39..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=hold
- dpddelay=10
- left=%any
- leftcert=moonCert.pem
-
-conn alice
- right=PH_IP_ALICE
- rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
- auto=route
-
-conn sun
- right=PH_IP_SUN
- rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
- auto=route
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index fce24ef25..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=clear
- dpddelay=10
- left=%any
- leftcert=sunCert.pem
-
-conn remote
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/posttest.dat b/testing/tests/ikev2-stroke-bye/any-interface/posttest.dat
deleted file mode 100644
index 8e26c78de..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ipsec stop
-moon::ipsec stop
-sun::ipsec stop
-bob::ipsec stop
-winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
-winnetou::ip route del 10.2.0.0/16 via PH_IP_SUN
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/pretest.dat b/testing/tests/ikev2-stroke-bye/any-interface/pretest.dat
deleted file mode 100644
index 2fb313aba..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
-alice::ipsec start
-moon::ipsec start
-sun::ipsec start
-bob::ipsec start
-alice::expect-connection remote
-sun::expect-connection remote
-moon::expect-connection alice
-moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
-moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
-bob::expect-connection sun
-bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1
diff --git a/testing/tests/ikev2-stroke-bye/any-interface/test.conf b/testing/tests/ikev2-stroke-bye/any-interface/test.conf
deleted file mode 100644
index cc04d45e6..000000000
--- a/testing/tests/ikev2-stroke-bye/any-interface/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice sun bob"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat
deleted file mode 100644
index 63bfe19ba..000000000
--- a/testing/tests/ikev2-stroke-bye/compress-nat/evaltest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-alice::ipsec status 2> /dev/null::hub.*ESTABLISHED.*alice@strongswan.org.*carol@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::hub.*ESTABLISHED.*bob@strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_MOON.*alice@strongswan.org::YES
-carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_SUN.*bob@strongswan.org::YES
-alice::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-bob:: ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-carol::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
-carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
-alice::ip xfrm state::proto comp spi::YES
-bob:: ip xfrm state::proto comp spi::YES
-carol::ip xfrm state::proto comp spi::YES
-alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
-moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
-sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 7ecc68f03..000000000
--- a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=restart
- dpddelay=60s
- leftfirewall=yes
- lefthostaccess=yes
-
-conn hub
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftsubnet=10.1.0.0/16
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL/32,10.2.0.0/16
- compress=yes
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf
deleted file mode 100644
index 6ef2c06f4..000000000
--- a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=restart
- dpddelay=60s
- leftfirewall=yes
- lefthostaccess=yes
-
-conn hub
- leftcert=bobCert.pem
- leftid=bob@strongswan.org
- leftsubnet=10.2.0.0/16
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL/32,10.1.0.0/16
- compress=yes
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 23d179b7a..000000000
--- a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=60s
-
-conn hub
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=%any
- leftsubnet=0.0.0.0/0
- rightsubnet=0.0.0.0/0
- compress=yes
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat
deleted file mode 100644
index 2d649bbee..000000000
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::loaded crl from::YES
-moon:: cat /var/log/daemon.log::crl is valid::YES
-moon:: cat /var/log/daemon.log::certificate status is good::YES
-moon:: cat /var/log/daemon.log::using cached crl::YES
-moon:: ipsec listcrls 2> /dev/null:: ok::YES
-carol::cat /var/log/daemon.log::loaded crl from::YES
-carol::cat /var/log/daemon.log::crl is valid::YES
-carol::cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::using cached crl::YES
-carol::ipsec listcrls 2> /dev/null:: ok::YES
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 17a58545c..000000000
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
- cachecrls=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index d2137d969..000000000
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat
deleted file mode 100644
index be17847c1..000000000
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat b/testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat
deleted file mode 100644
index c073160fe..000000000
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::wget -q http://crl.strongswan.org/strongswan.crl
-moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-carol::wget -q http://crl.strongswan.org/strongswan.crl
-carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat
deleted file mode 100644
index 4492bb29f..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0fbefa3fc..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 729db4526..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a774f2a76..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw
- right=%any
- rightsourceip=%dhcp
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat
deleted file mode 100644
index 4492bb29f..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0fbefa3fc..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 729db4526..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a774f2a76..000000000
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw
- right=%any
- rightsourceip=%dhcp
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/description.txt b/testing/tests/ikev2-stroke-bye/dpd-hold/description.txt
deleted file mode 100644
index 405e67cb9..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarrior carol sets up an IPsec tunnel connection to the gateway
-moon. Both end points activate Dead Peer Detection (DPD) with a
-polling interval of 10 s. When the network connectivity between carol
-and moon is forcefully disrupted for a duration of 100 s, moon
-clears the connection after 4 unsuccessful retransmits whereas carol
-also takes down the connection but installs a route which triggers when
-carol sends a ping to client alice behind gateway moon.
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat
deleted file mode 100644
index 9ce76f976..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 13::no output expected::NO
-carol::cat /var/log/daemon.log::sending DPD request::YES
-carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
-carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 1::no output expected::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index aa1a05169..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=hold
- dpddelay=10
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 75b377f5f..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=10
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat b/testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat
deleted file mode 100644
index d7f7959f1..000000000
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/farp/description.txt b/testing/tests/ikev2-stroke-bye/farp/description.txt
deleted file mode 100644
index 04e1c10e5..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-and request a virtual IP via the IKEv2 configuration payload by using the leftsourceip=%config
-parameter. The virtual addresses assigned to the clients by gateway moon belong to the
-subnet 10.1.0.0/16 hidden behind the gateway so that carol and dave become full members of
-this network. And this thanks to the farp plugin through which moon acts as a proxy
-for ARP requests e.g. from alice who wants to ping carol and dave.
diff --git a/testing/tests/ikev2-stroke-bye/farp/evaltest.dat b/testing/tests/ikev2-stroke-bye/farp/evaltest.dat
deleted file mode 100644
index bffd142a3..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0fbefa3fc..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 729db4526..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 25ec162fe..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw-carol
- right=%any
- rightid=carol@strongswan.org
- rightsourceip=10.1.0.30
- auto=add
-
-conn rw-dave
- right=%any
- rightid=dave@strongswan.org
- rightsourceip=10.1.0.40
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e34ca9da7..000000000
--- a/testing/tests/ikev2-stroke-bye/farp/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP_VENUS
-}
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt b/testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt
deleted file mode 100644
index a079363cf..000000000
--- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior alice sitting behind the NAT router moon sets up a tunnel to
-gateway sun. Since the firewall on sun blocks the ESP protocol, enforced UDP
-encapsulation (forceencaps=yes) is used by alice to punch through this hurdle.
-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, host alice pings the
-client bob behind the gateway sun.
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat b/testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat
deleted file mode 100644
index f34225e3a..000000000
--- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
-alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > alice.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 3e10155a3..000000000
--- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- forceencaps=yes
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 36c6222e7..000000000
--- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- leftsubnet=10.2.0.0/16
- right=%any
- rightsubnet=10.1.0.10/32
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/forecast/evaltest.dat b/testing/tests/ikev2-stroke-bye/forecast/evaltest.dat
deleted file mode 100644
index 6babe57f0..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
-alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
-carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
-dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
-carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
-dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
-moon::iptables -t mangle -L -n -v
-carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
-dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
-carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
-dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
-carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
-dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4cd628384..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftsubnet=0.0.0.0/0
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=0.0.0.0/0
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0fbefa3fc..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index e2255d96b..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftsubnet=0.0.0.0/0
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_MOON
- rightsubnet=0.0.0.0/0
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 729db4526..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fde2e9103..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,224.0.0.0/4
- right=%any
- rightid=*@strongswan.org
- rightsourceip=10.1.0.128/26
- rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
- mark=%unique
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/forecast/pretest.dat b/testing/tests/ikev2-stroke-bye/forecast/pretest.dat
deleted file mode 100644
index 9065f8390..000000000
--- a/testing/tests/ikev2-stroke-bye/forecast/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat
deleted file mode 100644
index 867ad96d2..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
-venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
-sun::iptables -t mangle -L -n -v
-sun::conntrack -L
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 9000ebcfe..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 373830110..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 220059c43..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
-
-conn nat-t
- right=%any
- type=transport
- mark=%unique
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
deleted file mode 100644
index cea239abe..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=venusCert.pem
- leftid=venus@strongswan.org
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 373830110..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat
deleted file mode 100644
index 144be6c90..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat
deleted file mode 100644
index 102a147b3..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::sleep 11::NO
-carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index a7a53a4b7..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- inactivity=10
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index efc5b6cbd..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat
deleted file mode 100644
index 6ca9c5b35..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat b/testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat
deleted file mode 100644
index 8e4ceba92..000000000
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf b/testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf
deleted file mode 100644
index 164b07ff9..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-pool-wish/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat
deleted file mode 100644
index 60a537b02..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
-moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
-moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 136022d5c..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=%pool0,%pool1
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c22405914..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat
deleted file mode 100644
index 6066d464a..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::ipsec pool --del pool0 2> /dev/null
-moon::ipsec pool --del pool1 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt
deleted file mode 100644
index d771d006d..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts alice and carol set up a tunnel connection each to gateway moon.
-Both hosts request a virtual IP via the IKEv2 configuration payload by using the
-leftsourceip=%config parameter. Gateway moon assigns virtual IP
-addresses from a simple pool defined by rightsourceip=10.3.0.0/28 to hosts connecting
-to the eth0 (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
-named intpool [10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface.
-

-Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and
-both ping the gateway moon.
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat
deleted file mode 100644
index f632207fa..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/evaltest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 180226eaa..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsourceip=%config
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 63509bc16..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 649d567c4..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
-
-conn int
- left=PH_IP_MOON1
- rightsourceip=%intpool
- auto=add
-
-conn ext
- left=PH_IP_MOON
- rightsourceip=10.3.0.0/28
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 1664d55aa..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat
deleted file mode 100644
index 0c3cd2648..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec stop
-alice::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-alice::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del intpool 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat
deleted file mode 100644
index dcf573b59..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
-carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d19399def..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config4,%config6
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0,::/0
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 48e8fc6ff..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 04a74fd44..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,fec1::0/16
- rightsourceip=%v4_pool,%v6_pool
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index db9ab464b..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat
deleted file mode 100644
index e46195cd3..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-alice::ip -6 route del default via fec1:\:1
-carol::ipsec stop
-moon::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt
deleted file mode 100644
index 32dd88d51..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The host carol sets up a tunnel connection to gateway moon. It requests
-both an IPv4 and an IPv6 virtual IP via the IKEv2 configuration payload by using
-leftsourceip=%config4,%config6. Gateway moon assigns virtual IPs addresses
-from two in-memory pools using the rightsourceip option. The established tunnel
-carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat
deleted file mode 100644
index dcf573b59..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
-carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d19399def..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config4,%config6
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0,::/0
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 48e8fc6ff..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0777f6db5..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,fec1::0/16
- rightsourceip=10.3.0.0/28,fec3::/120
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat
deleted file mode 100644
index e46195cd3..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-alice::ip -6 route del default via fec1:\:1
-carol::ipsec stop
-moon::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat
deleted file mode 100644
index 9ceefe717..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ip -6 route add default via fec1:\:1
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf
deleted file mode 100644
index cd03759f0..000000000
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="carol"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2-stroke-bye/lookip/description.txt b/testing/tests/ikev2-stroke-bye/lookip/description.txt
deleted file mode 100644
index 0568e4824..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
-increasing order.
-

-Using the ipsec lookup tool which communicates with the lookip plugin via a unix
-socket, information about the assigned virtual IP is retrieved.
-

-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/ikev2-stroke-bye/lookip/evaltest.dat b/testing/tests/ikev2-stroke-bye/lookip/evaltest.dat
deleted file mode 100644
index 0c4b2c754..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/evaltest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec lookip --lookup PH_IP_CAROL1 2> /dev/null::192.168.0.100.*rw\[1].*carol@strongswan.org::YES
-moon:: ipsec lookip --lookup PH_IP_DAVE1 2> /dev/null::192.168.0.200.*rw\[2].*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 952df5e67..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 85c48a7bb..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index cabe702e5..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown lookip
-}
diff --git a/testing/tests/ikev2-stroke-bye/lookip/pretest.dat b/testing/tests/ikev2-stroke-bye/lookip/pretest.dat
deleted file mode 100644
index 618bf368f..000000000
--- a/testing/tests/ikev2-stroke-bye/lookip/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt b/testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt
deleted file mode 100644
index b8074e665..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors alice and venus sitting behind the NAT router moon set up
-tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT
-after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
-

-In order to differentiate between the tunnels to alice and venus, respectively,
-XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using
-the mark parameter in ipsec.conf.
-

-iptables -t mangle rules are then used in the PREROUTING chain to mark the traffic to
-and from alice and venus, respectively.
-

-The script designated by leftupdown=/etc/mark_updown automatically inserts
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice
-and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat b/testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat
deleted file mode 100644
index 33a975ae0..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 4c29a07d5..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index eee4e6edc..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightid=alice@strongswan.org
- mark=10/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark=20 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown
deleted file mode 100755
index 48d5dc151..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,417 +0,0 @@ -#!/bin/sh -# updown script setting inbound marks on ESP traffic in the mangle chain -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2010 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the reqid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. 
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_IF_ID_IN -# is an optional XFRM interface ID set on the inbound IPsec SA -# -# PLUTO_IF_ID_OUT -# is an optional XFRM interface ID set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" 
>&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK="-p $PLUTO_PROTO" - fi - SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf deleted file mode 100644 index 38ef469c5..000000000 --- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat
deleted file mode 100644
index 61adcd2d0..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 5af6d2bbc..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftauth=rsa-sha384
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 3c3d1e51d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftauth=rsa-sha512
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat
deleted file mode 100644
index bcc2cb04d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat
deleted file mode 100644
index 7e6b8d151..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES
-sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3eaf60a1d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftsendcert=never
- leftauth=pubkey
- leftfirewall=yes
- right=sun.strongswan.org
- rightid=sun.strongswan.org
- rightsubnet=10.2.0.0/16
- rightsendcert=never
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 75c4addda..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.pem
- leftsendcert=never
- leftauth=pubkey
- leftfirewall=yes
- right=moon.strongswan.org
- rightid=moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt b/testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt
deleted file mode 100644
index 82874321b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-Using the forecast plugin additionally all 224.0.0.251 mDNS multicasts are going
-to be tunneled.
-The authentication is based on X.509 certificates. Upon the successful
-establishment of the IPsec tunnel, mDNS multicasts sent by alice are
-received by bob and vice versa whereas unfortunately multicasts originating
-from the gateways moon and sun themselves are not tunneled.
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat
deleted file mode 100644
index 7649abc5b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
-bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 47cd53afe..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,224.0.0.251/32
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16,224.0.0.251/32
- mark=%unique
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 904a5fa6e..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
-
- multiple_authentication = no
- plugins {
- forecast {
- groups = 224.0.0.251
- interface = eth1
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 65a8ced3d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16,224.0.0.251/32
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16,224.0.0.251/32
- mark=%unique
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 904a5fa6e..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
-
- multiple_authentication = no
- plugins {
- forecast {
- groups = 224.0.0.251
- interface = eth1
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat
deleted file mode 100644
index dff181797..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat
deleted file mode 100644
index e777dba06..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf b/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
deleted file mode 100644
index 48597379a..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-multicast/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice sun bob"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat
deleted file mode 100644
index 2fc102f0b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 4251ecd68..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 449ee7989..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat
deleted file mode 100644
index bcc2cb04d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat
deleted file mode 100644
index c7e2c6162..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat
deleted file mode 100644
index cc5483e6b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
-moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
-sun:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
-sun:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8c7918b80..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn dscp-be
- leftid=@moon-be
- rightid=@sun-be
- mark=10
- also=net-net
- auto=add
-
-conn dscp-ef
- leftid=@moon-ef
- rightid=@sun-ef
- mark=20
- also=net-net
- auto=add
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- leftauth=psk
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightauth=psk
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 9079b520b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 3c4d0a07f..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn dscp-be
- leftid=@sun-be
- rightid=@moon-be
- mark=10
- also=net-net
- auto=add
-
-conn dscp-ef
- leftid=@sun-ef
- rightid=@moon-ef
- mark=20
- also=net-net
- auto=add
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- leftauth=psk
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightauth=psk
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 1d4ea790a..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index a0be3ce18..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat
deleted file mode 100644
index 0a34efe9d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::sleep 6::wait for rekeying::NO
-moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
-moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
-moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::sleep 2::wait until inbound SA is deleted::NO
-moon::cat /var/log/daemon.log::deleted SAD entry with SPI::2
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index ec3daa00a..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- lifetime=10s
- margintime=5s
- rekeyfuzz=0%
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 8d26c1381..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- # remove rekeyed inbound SA a bit quicker for the test scenario
- delete_rekeyed_delay = 2
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 5b391db4b..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat
deleted file mode 100644
index bcc2cb04d..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat
deleted file mode 100644
index f0e3588e4..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_.eq=1::YES
-bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 077a3ed08..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.0.0.0/14
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.4.0.0/14
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 8d89cd0bb..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index af85e186a..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.4.0.0/14
- leftupdown=/etc/mark_updown
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.0.0.0/14
- mark_in=8
- mark_out=4
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 8d89cd0bb..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
-}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat b/testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat
deleted file mode 100644
index 08ca6b54c..000000000
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/description.txt b/testing/tests/ikev2-stroke-bye/protoport-route/description.txt
deleted file mode 100644
index ec7ec69b0..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Using the left|rightprotoport selectors, two IPsec tunnels
-between the roadwarrior carol and the gateway moon are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. Using add=route %trap
-eroutes for these IPsec SAs are prepared on carol. By sending
-a ping to the client alice behind moon, the ICMP eroute
-is triggered and the corresponding IPsec tunnel is set up. In the same
-way an ssh session to alice over the second IPsec SA is established.
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat
deleted file mode 100644
index f4b0c7787..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq::YES
-carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED::YES
-moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED::YES
-moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f4d112daf..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=route
-
-conn home-icmp
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn home-ssh
- leftprotoport=tcp
- rightprotoport=tcp/ssh
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bc131cd71..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
-
-conn rw-icmp
- lefthostaccess=yes
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn rw-ssh
- leftprotoport=tcp/ssh
- rightprotoport=tcp
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat b/testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat
deleted file mode 100644
index 8e2c73e29..000000000
--- a/testing/tests/ikev2-stroke-bye/protoport-route/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-icmp
-moon::expect-connection rw-ssh
-carol::expect-connection home-icmp
-carol::expect-connection home-ssh
-carol::ssh PH_IP_ALICE hostname
-carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat
deleted file mode 100644
index dadde1753..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-early/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2277bcd59..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=5s
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fb09e74b3..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30s
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-early/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat
deleted file mode 100644
index d6a9809e4..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-late/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 9de0dda86..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30s
- keylife=20m
- rekeymargin=5s
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 225e2aab1..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=3601
- keylife=1200
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-late/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat
deleted file mode 100644
index 8fe9a2360..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
-winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
-carol::ipsec purgecrls
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::sleep 6
-carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
-carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::NO
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ec2b41d29..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1f0c2fad4..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 93ae34cf7..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat
deleted file mode 100644
index d7f7959f1..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat
deleted file mode 100644
index 509457418..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6447b1cca..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftsourceip=%config
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1f0c2fad4..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 121ea7eab..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/24
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf
deleted file mode 100644
index 4a5fc470f..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat b/testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat
deleted file mode 100644
index 509457418..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f46405a47..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1f0c2fad4..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2f4557447..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf b/testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf
deleted file mode 100644
index 4a5fc470f..000000000
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt
deleted file mode 100644
index a7410c1b6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-At the outset the gateway authenticates itself to the client by sending an
-IKEv2 RSA signature accompanied by a certificate.
-The roadwarrior carol sets up a connection to gateway moon.
-carol uses the Extensible Authentication Protocol
-in association with the Authentication and Key Agreement protocol
-(EAP-AKA) to authenticate against the gateway. In this scenario,
-quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead
-of a physical USIM card on the client carol. The USIM provider on
-gateway moon also stores the quintuplets in an SQL database.
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat
deleted file mode 100644
index b31a46809..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ade0c7c36..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- leftauth=eap
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
deleted file mode 100644
index 038c454aa..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-INSERT INTO quintuplets
- (id, used, rand, autn, ck, ik, res) VALUES
- ('carol@strongswan.org', 0,
- X'00112233445566778899AABBCCDDEEFF',
- X'112233445566778899AABBCCDDEEFF00',
- X'2233445566778899AABBCCDDEEFF0011',
- X'33445566778899AABBCCDDEEFF001122',
- X'00112233445566778899'
- );
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
deleted file mode 100644
index 301f2bfd6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
+++ /dev/null
@@ -1,10 +0,0 @@
-DROP TABLE IF EXISTS quintuplets;
-CREATE TABLE quintuplets (
- id TEXT NOT NULL,
- used INTEGER NOT NULL,
- rand BLOB NOT NULL,
- autn BLOB NOT NULL,
- ck BLOB NOT NULL,
- ik BLOB NOT NULL,
- res BLOB NOT NULL
-);
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 81d2c8e74..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
-
- plugins {
- eap-simaka-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0875bed8b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
- rightid=*@strongswan.org
- rightsendcert=never
- rightauth=eap-aka
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql
deleted file mode 100644
index 038c454aa..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-INSERT INTO quintuplets
- (id, used, rand, autn, ck, ik, res) VALUES
- ('carol@strongswan.org', 0,
- X'00112233445566778899AABBCCDDEEFF',
- X'112233445566778899AABBCCDDEEFF00',
- X'2233445566778899AABBCCDDEEFF0011',
- X'33445566778899AABBCCDDEEFF001122',
- X'00112233445566778899'
- );
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql
deleted file mode 100644
index 301f2bfd6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql
+++ /dev/null
@@ -1,10 +0,0 @@
-DROP TABLE IF EXISTS quintuplets;
-CREATE TABLE quintuplets (
- id TEXT NOT NULL,
- used INTEGER NOT NULL,
- rand BLOB NOT NULL,
- autn BLOB NOT NULL,
- ck BLOB NOT NULL,
- ik BLOB NOT NULL,
- res BLOB NOT NULL
-);
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 81d2c8e74..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
-
- plugins {
- eap-simaka-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat
deleted file mode 100644
index 046d4cfdc..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat
deleted file mode 100644
index e3d7998a9..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat
deleted file mode 100644
index ab2068aad..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/evaltest.dat
+++ /dev/null
@@ -1,23 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b8b628758..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap-md5
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index f877b773d..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 981dee3cd..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftauth=eap-tls
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 0979b9afd..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 562fce5c2..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 191989e7b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightid=*@strongswan.org
- rightauth=eap-dynamic
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index c991683b8..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c56ff84da..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
-
- plugins {
- eap-dynamic {
- prefer_user = yes
- preferred = md5, tls
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat
deleted file mode 100644
index dccf85419..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf
deleted file mode 100644
index a5525e6aa..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat
deleted file mode 100644
index 7416e55df..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
-dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ed908db4d..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23d79cf2e..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 97aa8bbff..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config
- eap_identity=dave
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 02e0c9963..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a3299393a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- rightsendcert=never
- rightauth=eap-radius
- rightsourceip=%radius
- eap_identity=%any
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat
deleted file mode 100644
index c98e8ed53..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat
deleted file mode 100644
index 1bf1455fc..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
-dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
-dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 53e2be638..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23d79cf2e..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0250ce3b1..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 9428f323a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- eap_identity=dave
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 02e0c9963..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 0250ce3b1..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 9dcbcca75..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn research
- rightgroups=Research
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn accounting
- rightgroups=Accounting
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightsendcert=never
- rightauth=eap-radius
- eap_identity=%any
- right=%any
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat
deleted file mode 100644
index e63c57e72..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/pretest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection research
-moon::expect-connection accounting
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up alice
-dave::ipsec up venus
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index ddd495699..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 0250ce3b1..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0250ce3b1..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat
deleted file mode 100644
index 046d4cfdc..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat
deleted file mode 100644
index df588810a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 10d92873d..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carol_D_cert.der
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index a1a643655..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carol_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 6a0a65efe..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-tls {
- max_message_count = 40
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0ab0c4772..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moon_D_cert.der
- leftauth=eap-tls
- leftfirewall=yes
- rightauth=eap-tls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e02427b6b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moon_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 6a0a65efe..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-tls {
- max_message_count = 40
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat
deleted file mode 100644
index e8156ea70..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/posttest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat
deleted file mode 100644
index bbf5c612a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
deleted file mode 100644
index e093d43d8..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt
deleted file mode 100644
index 3012fc656..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors alice and venus sitting behind the router moon set up
-tunnels to gateway sun. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway sun uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
-and PH_IP_DAVE10, respectively.
-

-In order to differentiate between the tunnels to alice and venus, respectively,
-XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using
-the mark_in and mark_out parameters in ipsec.conf.
-

-iptables -t mangle rules are then used in the PREROUTING chain to mark the traffic to
-and from alice and venus, respectively.
-

-The script designated by leftupdown=/etc/mark_updown automatically inserts
-iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the hosts alice
-and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat
deleted file mode 100644
index 489c6d2a2..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 726aa616b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index f0094e4d7..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightid=alice@strongswan.org
- mark_in=10/0xffffffff
- mark_out=11/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark_in=20 #0xffffffff is used by default
- mark_out=21 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown
deleted file mode 100755
index 7f54a4888..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,417 +0,0 @@
-#!/bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the reqid of the AH|ESP policy
-#
-# PLUTO_PROTO
-# is the negotiated IPsec protocol, ah|esp
-#
-# PLUTO_IPCOMP
-# is not empty if IPComp was negotiated
-#
-# PLUTO_UNIQUEID
-# is the unique identifier of the associated IKE_SA
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_SOURCEIP
-# PLUTO_MY_SOURCEIP4_$i
-# PLUTO_MY_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP received from a responder,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side. For ICMP/ICMPv6 this contains the
-# message type, and PLUTO_PEER_PORT the message code.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_SOURCEIP
-# PLUTO_PEER_SOURCEIP4_$i
-# PLUTO_PEER_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP sent to an initiator,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side. For ICMP/ICMPv6 this contains the
-# message code, and PLUTO_MY_PORT the message type.
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_IF_ID_IN -# is an optional XFRM interface ID set on the inbound IPsec SA -# -# PLUTO_IF_ID_OUT -# is an optional XFRM interface ID set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" 
>&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK="-p esp" - fi - SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf deleted file mode 100644 index cb9b27ed7..000000000 --- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat
deleted file mode 100644
index 241826364..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/pretest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-alice::iptables-restore < /etc/iptables.rules
-venus::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection alice
-alice::expect-connection home
-alice::ipsec up home
-venus::expect-connection home
-venus::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt
deleted file mode 100644
index 6a42c2bfb..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
-192 bit for carol and dave, respectively. Authentication is based on strong
-preshared keys (PSKs).
-Both carol and dave request a virtual IP via the IKEv2 configuration payload
-by using the leftsourceip=%config parameter. The gateway moon assigns virtual
-IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously
-increasing order.
-

-leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, carol and dave then ping
-the client alice behind the gateway moon. The source IP addresses of the two
-pings will be the virtual IPs carol1 and dave1, respectively.
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat
deleted file mode 100644
index 6d5d1cdee..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/evaltest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6b77b77..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- authby=psk
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 3e6d33ad9..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 35233ed32..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 356acb4a1..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ntru192!
- esp=aes192-sha384!
- authby=psk
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 3c355de51..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 35233ed32..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index cdcebc7a8..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
- esp=aes128-sha256,aes192-sha384!
- authby=psk
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index a9e89c038..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
-
-moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 35233ed32..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat
deleted file mode 100644
index b757d8b15..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat
deleted file mode 100644
index 1b38f32b7..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf b/testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf
deleted file mode 100644
index 164b07ff9..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-ntru-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt
deleted file mode 100644
index 51286f123..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors carol and dave set up a connection each
-to gateway moon. The authentication is based on distinct pre-shared keys
-and fully qualified domain names. By setting the wildcard rightid=@*.strongswan.org
-on carol and dave, no IDr payloads are sent by the roadwarriors.
-In order to test the tunnel,
-both carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat
deleted file mode 100644
index 849d59a4e..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 5bc8dbe3f..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@*.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 47e31ca21..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index b91dca901..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 315634745..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@*.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index f6c1a22ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 669e29933..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8dc61b0b3..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn rw
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e6c7420c9..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 669e29933..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
deleted file mode 100644
index ee5bc7c72..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt
deleted file mode 100644
index f190cae4b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors carol and dave each set up a connection to gateway moon.
-carol's authentication is based on a Pre-Shared Key (PSK) whereas dave's
-is based on an RSA signature (RSASIG). Gateway moon supports both authentication modes
-and selects the correct roadwarrior connection definition based on the gateway ID
-requested by the roadwarrior.
-
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat
deleted file mode 100644
index ecd86f89a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
-moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
-moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ee62325b7..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 47e31ca21..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 65c9819bb..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c86e82b64..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
-
-conn rw-rsasig
- authby=rsasig
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- auto=add
-
-conn rw-psk
- authby=secret
- leftid=PH_IP_MOON
- auto=add
-
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 508d3a941..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat
deleted file mode 100644
index c6d53d0e6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-rsasig
-moon::expect-connection rw-psk
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt
deleted file mode 100644
index b601deea8..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors carol and dave set up a connection each
-to gateway moon. The roadwarriors' authentication is based on
-Pre-Shared Keys (PSK) whereas the gateway uses an RSA signature
-(RSASIG) certified by an X.509 certificate.
-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both carol and dave ping
-the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat
deleted file mode 100644
index e3d58e1ed..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 72e2f7d4a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftid=carol@strongswan.org
- leftauth=psk
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 47e31ca21..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index cd7c7ae7f..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftid=dave@strongswan.org
- leftauth=psk
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index f6c1a22ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 5e743101a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- rightauth=psk
- rightsourceip=10.3.0.0/28
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 508d3a941..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat
deleted file mode 100644
index b192f788f..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
-carol::ipsec down home 2> /dev/null::no output expected::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6ebb7c356..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config,%config6
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23d79cf2e..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 445b100cc..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 7d4f94f48..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightid=*@strongswan.org
- rightsendcert=never
- rightauth=eap-radius
- rightsourceip=10.3.0.0/24,fec3::0/120
- eap_identity=%any
- right=%any
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 75418b8a6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- accounting = yes
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat
deleted file mode 100644
index 20849de1a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES
-moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES
-moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
-dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b1aa2d99a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftcert=carolCert.pem
- leftauth=pubkey-sha384
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index eef3e2622..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftcert=daveCert.pem
- leftauth=pubkey-sha512
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 9f9051eeb..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn research
- rightauth=pubkey-sha384-sha256
- leftsubnet=10.1.0.0/28
- also=rw
- auto=add
-
-conn accounting
- rightauth=pubkey-sha512-sha256
- leftsubnet=10.1.0.16/28
- also=rw
- auto=add
-
-conn rw
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat b/testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat
deleted file mode 100644
index eb31a1f33..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection research
-moon::expect-connection accounting
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up alice
-dave::ipsec up venus
diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf b/testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf
deleted file mode 100644
index b9e97e43b..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=""
-
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt b/testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt
deleted file mode 100644
index 6f52861e2..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-moon uses whitelisting to grant access to carol with ID carol@strongswan.org
-whereas since ID dave@strongswan.org is not listed, dave gets rejected.
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat
deleted file mode 100644
index f27e6a03a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::NO
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 8c6c28bd6..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 72b8a59c0..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 85c48a7bb..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 6145a963a..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac whitelist stroke kernel-netlink socket-default updown
- plugins {
- whitelist {
- enable = yes
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat b/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat
deleted file mode 100644
index b757d8b15..000000000
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat b/testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat
deleted file mode 100644
index 6484c045a..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/evaltest.dat
+++ /dev/null
@@ -1,33 +0,0 @@
-moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
-moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
-sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
-dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=2::YES
-dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
-dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
-dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
-dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
-moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
-sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
-carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
-carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 0e4eaa1ea..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 34647bc0b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 709e0c5e4..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 47792af99..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn trap-any
- right=%any
- rightsubnet=192.168.0.0/30
- type=transport
- authby=psk
- auto=route
-
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 34647bc0b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5e900fd1b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 650ebddd9..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-# to access the host via SSH in the test environment
-conn pass-ssh
- authby=never
- leftsubnet=0.0.0.0/0[tcp/22]
- rightsubnet=0.0.0.0/0[tcp]
- type=pass
- auto=route
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=route
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 34647bc0b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 5e900fd1b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index ef99cc768..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-# to access the host via SSH in the test environment
-conn pass-ssh
- authby=never
- leftsubnet=0.0.0.0/0[tcp/22]
- rightsubnet=0.0.0.0/0[tcp]
- type=pass
- auto=route
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=route
-
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 34647bc0b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 5e900fd1b..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/posttest.dat b/testing/tests/ikev2-stroke-bye/trap-any/posttest.dat
deleted file mode 100644
index 1bf206e26..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/pretest.dat b/testing/tests/ikev2-stroke-bye/trap-any/pretest.dat
deleted file mode 100644
index 0924078b3..000000000
--- a/testing/tests/ikev2-stroke-bye/trap-any/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec start
-sun::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::sleep 1
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index af5fa19ef..000000000
--- a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 93f434598..000000000
--- a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat b/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2-stroke-bye/virtual-ip-override/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat b/testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat
deleted file mode 100644
index 4789640ec..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status 2> /dev/null::alice..*PH_IP_CAROL.*PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
-moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
-dave:: ipsec status 2> /dev/null::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
-moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
-dave:: ipsec status 2> /dev/null::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
-moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2ff604dfa..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 714f86868..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index fbdc9c6a3..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index ce9e38413..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightid="C=CH, O=strongSwan Project, OU=Research, CN=*"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightid="C=CH, O=strongSwan Project, OU=Accounting, CN=*"
- auto=add
-
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/posttest.dat b/testing/tests/ikev2-stroke-bye/wildcards/posttest.dat
deleted file mode 100644
index ed530f6d9..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/pretest.dat b/testing/tests/ikev2-stroke-bye/wildcards/pretest.dat
deleted file mode 100644
index 96acd254b..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/test.conf b/testing/tests/ikev2-stroke-bye/wildcards/test.conf
deleted file mode 100644
index 9bb88d79f..000000000
--- a/testing/tests/ikev2-stroke-bye/wildcards/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt b/testing/tests/ikev2-stroke/ip-pool-wish/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/description.txt
rename to testing/tests/ikev2-stroke/ip-pool-wish/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat b/testing/tests/ikev2-stroke/ip-pool-wish/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/evaltest.dat
rename to testing/tests/ikev2-stroke/ip-pool-wish/evaltest.dat
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/compress-nat/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/compress-nat/hosts/bob/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat b/testing/tests/ikev2-stroke/ip-pool-wish/posttest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/posttest.dat
rename to testing/tests/ikev2-stroke/ip-pool-wish/posttest.dat
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat b/testing/tests/ikev2-stroke/ip-pool-wish/pretest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/pretest.dat
rename to testing/tests/ikev2-stroke/ip-pool-wish/pretest.dat
diff --git a/testing/tests/ikev2-stroke-bye/farp/test.conf b/testing/tests/ikev2-stroke/ip-pool-wish/test.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/farp/test.conf
rename to testing/tests/ikev2-stroke/ip-pool-wish/test.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt b/testing/tests/ikev2-stroke/net2net-pgp-v3/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/description.txt
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v3/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/evaltest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/evaltest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v3/posttest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/posttest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/posttest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v3/pretest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/pretest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf b/testing/tests/ikev2-stroke/net2net-pgp-v3/test.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-cert-sha2/test.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v3/test.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt b/testing/tests/ikev2-stroke/net2net-pgp-v4/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/description.txt
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v4/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/evaltest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/evaltest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v4/posttest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/posttest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/posttest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2-stroke/net2net-pgp-v4/pretest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/pretest.dat
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/pretest.dat
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf b/testing/tests/ikev2-stroke/net2net-pgp-v4/test.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/test.conf
rename to testing/tests/ikev2-stroke/net2net-pgp-v4/test.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/description.txt
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/evaltest.dat
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/evaltest.dat
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/posttest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/protoport-route/posttest.dat
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/posttest.dat
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/pretest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/pretest.dat
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/pretest.dat
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/test.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-aka-sql-rsa/test.conf
rename to testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/test.conf
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt b/testing/tests/ikev2-stroke/virtual-ip-override/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/description.txt
rename to testing/tests/ikev2-stroke/virtual-ip-override/description.txt
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat b/testing/tests/ikev2-stroke/virtual-ip-override/evaltest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/evaltest.dat
rename to testing/tests/ikev2-stroke/virtual-ip-override/evaltest.dat
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/dpd-hold/hosts/carol/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/dave/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/alice/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2-stroke-bye/farp/posttest.dat b/testing/tests/ikev2-stroke/virtual-ip-override/posttest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/farp/posttest.dat
rename to testing/tests/ikev2-stroke/virtual-ip-override/posttest.dat
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat b/testing/tests/ikev2-stroke/virtual-ip-override/pretest.dat
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/pretest.dat
rename to testing/tests/ikev2-stroke/virtual-ip-override/pretest.dat
diff --git a/testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf b/testing/tests/ikev2-stroke/virtual-ip-override/test.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/virtual-ip-override/test.conf
rename to testing/tests/ikev2-stroke/virtual-ip-override/test.conf
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/description.txt b/testing/tests/ikev2/compress-nat/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/compress-nat/description.txt
rename to testing/tests/ikev2/compress-nat/description.txt
diff --git a/testing/tests/ikev2/compress-nat/evaltest.dat b/testing/tests/ikev2/compress-nat/evaltest.dat
new file mode 100644
index 000000000..f64d6ca4c
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/evaltest.dat
@@ -0,0 +1,19 @@
+alice::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16 192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=1.* remote-id=alice@strongswan.org initiator-spi=.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16 192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+bob:: swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_BOB local-port=4500 local-id=bob@strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16 192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_SUN remote-port=1.* remote-id=bob@strongswan.org initiator-spi=.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 
prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16 192.168.0.100/32] remote-ts=\[10.2.0.0/16]::YES
+carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+alice::ip xfrm state::proto comp spi::YES
+bob:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
similarity index 66%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf
rename to testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
index 93f434598..7625e5066 100644
--- a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b21f4e6ee
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ hub {
+ remote_addrs = PH_IP_CAROL
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ children {
+ hub {
+ local_ts = 10.1.0.0/16
+ remote_ts = PH_IP_CAROL/32,10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bfce295c7
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/swanctl/swanctl.conf
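Review bot: The new swanctl.conf for alice is added with `new file mode 100755`, while the strongswan.conf files in the same commit are 100644; a configuration file read by charon's vici plugin has no reason to carry the executable bit and should be committed as 100644. The same mode is used for bob's swanctl.conf further down this line and for carol's on the following line. Separately, `esp_proposals =aes128-sha256-x25519` is missing the space after `=` that every other key/value line in these files has; `esp_proposals = aes128-sha256-x25519` would match, and the same line appears in the bob and carol files.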
@@ -0,0 +1,29 @@
+connections {
+
+ hub {
+ remote_addrs = PH_IP_CAROL
+
+ local {
+ auth = pubkey
+ certs = bobCert.pem
+ id = bob@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ children {
+ hub {
+ local_ts = 10.2.0.0/16
+ remote_ts = PH_IP_CAROL/32,10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/compress-nat/hosts/carol/etc/iptables.rules
rename to testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..907917c66
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ hub {
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ hub {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat
similarity index 56%
rename from testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat
rename to testing/tests/ikev2/compress-nat/posttest.dat
index ddab5f9f9..79c5313e1 100644
--- a/testing/tests/ikev2-stroke-bye/compress-nat/posttest.dat
+++ b/testing/tests/ikev2/compress-nat/posttest.dat
@@ -1,6 +1,6 @@
-bob::ipsec stop
-alice::ipsec stop
-carol::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
+carol::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat b/testing/tests/ikev2/compress-nat/pretest.dat
similarity index 83%
rename from testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat
rename to testing/tests/ikev2/compress-nat/pretest.dat
index 3211bc574..ca7ac234c 100644
--- a/testing/tests/ikev2-stroke-bye/compress-nat/pretest.dat
+++ b/testing/tests/ikev2/compress-nat/pretest.dat
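Review bot: Carol's hub connection has a `remote { auth = pubkey }` block with no `id`, so the only constraint on a peer is that its certificate chains to a CA carol trusts, and the wide `local_ts = 0.0.0.0/0` / `remote_ts = 0.0.0.0/0` selectors are left for the peers to narrow. That is presumably intended here, since both alice and bob have to match this single connection and the evaltest expects the narrowed selectors, but nothing in the file says so and the `remote` block reads like an omission. A comment such as `# no remote id: alice and bob both match this connection, any cert from the test CA is accepted` above the `remote` block, and `# wide selectors, narrowed by the initiating peer's TS` above `local_ts`, would record the intent for the next reader.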
@@ -11,11 +11,11 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p udp -j SNAT --to-s
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
 sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
 sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
-carol::ipsec start
-alice::ipsec start
-bob::ipsec start
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+bob::systemctl start strongswan
 carol::expect-connection hub
 alice::expect-connection hub
 bob::expect-connection hub
-alice::ipsec up hub
-bob::ipsec up hub
+alice::swanctl --initiate --child hub 2> /dev/null
+bob::swanctl --initiate --child hub 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/compress-nat/test.conf b/testing/tests/ikev2/compress-nat/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/compress-nat/test.conf
rename to testing/tests/ikev2/compress-nat/test.conf
index fd0c7f1e3..a7852d813 100644
--- a/testing/tests/ikev2-stroke-bye/compress-nat/test.conf
+++ b/testing/tests/ikev2/compress-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice carol bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt b/testing/tests/ikev2/crl-from-cache/description.txt
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt
rename to testing/tests/ikev2/crl-from-cache/description.txt
index 17866f572..c28594c05 100644
--- a/testing/tests/ikev2-stroke-bye/crl-from-cache/description.txt
+++ b/testing/tests/ikev2/crl-from-cache/description.txt
@@ -1,5 +1,5 @@
-By setting strictcrlpolicy=yes a strict CRL policy is enforced on
+By setting revocation = strict a strict CRL policy is enforced on
 both roadwarrior carol and gateway moon. When carol initiates an IPsec
 connection to moon, both VPN endpoints find a cached CRL in
-their /etc/ipsec.d/crls/ directories which allows them to immediately verify
+their /etc/swanctl/x509crl/ directories which allows them to immediately verify
 the certificate received from their peer.
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
new file mode 100644
index 000000000..6165889e8
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sa --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::using cached crl::YES
+carol::cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::using cached crl::YES
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b05ed2b33
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
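Review bot: The moon line runs `moon:: swanctl --list-sa --raw`, whereas the carol line above it and every other evaltest in this commit use `--list-sas`. getopt_long may accept the unambiguous abbreviation, but the test then depends on that behaviour rather than on the documented option name; change it to `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*…` for consistency.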
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici +} diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e84508d19 --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,23 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..48e34abba --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici + + cache_crls = yes +} diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..47dd36684 --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/swanctl/swanctl.conf 
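Review bot: moon's charon-systemd section sets `cache_crls = yes` but carol's (first hunk on this line) does not, although pretest.dat places the CRL into /etc/swanctl/x509crl/ on both hosts by the same steps and evaltest.dat expects `using cached crl` on both. If the scenario is meant to prove that a pre-installed CRL is used without any fetch, the option presumably never takes effect here and looks like a leftover from the stroke version; either drop it or apply it to both hosts so the two configurations differ only where the scenario needs them to.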
@@ -0,0 +1,21 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/ikev2/crl-from-cache/posttest.dat b/testing/tests/ikev2/crl-from-cache/posttest.dat new file mode 100644 index 000000000..f97a66b33 --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/posttest.dat @@ -0,0 +1,4 @@ +carol::systemctl stop strongswan +moon::systemctl stop strongswan +moon::rm /etc/swanctl/x509crl/* +carol::rm /etc/swanctl/x509crl/* diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2/crl-from-cache/pretest.dat new file mode 100644 index 000000000..010ede700 --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/pretest.dat @@ -0,0 +1,9 @@ +moon::wget -q http://crl.strongswan.org/strongswan.crl +moon::mv strongswan.crl /etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +carol::wget -q http://crl.strongswan.org/strongswan.crl +carol::mv strongswan.crl /etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf similarity index 90% rename from testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf rename to testing/tests/ikev2/crl-from-cache/test.conf index 892f51cd9..fdda0a04c 100644 --- a/testing/tests/ikev2-stroke-bye/crl-from-cache/test.conf +++ b/testing/tests/ikev2/crl-from-cache/test.conf @@ -19,3 +19,6 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 
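Review bot: In pretest.dat the CRL download and the move into the cache directory are two separate steps with no check in between: if `wget -q http://crl.strongswan.org/strongswan.crl` fails, the following `mv strongswan.crl …` fails as well and the daemon starts with an empty /etc/swanctl/x509crl/, so the scenario only fails indirectly through the `revocation = strict` verification in evaltest.dat. Writing the file directly to its destination, e.g. `moon::wget -q -O /etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl http://crl.strongswan.org/strongswan.crl`, removes the intermediate file and the second step; the same applies to the carol pair of lines.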
diff --git a/testing/tests/ikev2/dhcp-dynamic/description.txt b/testing/tests/ikev2/dhcp-dynamic/description.txt index bef542371..83b7e6a89 100644 --- a/testing/tests/ikev2/dhcp-dynamic/description.txt +++ b/testing/tests/ikev2/dhcp-dynamic/description.txt @@ -1,8 +1,9 @@ The roadwarriors carol and dave set up a connection each to gateway moon -and request a virtual IP via the IKEv2 configuration payload by using the vips=0.0.0.0 +and request a virtual IP via the IKEv2 configuration payload by using the vips = 0.0.0.0 parameter. The dhcp plugin on gateway moon then requests an IP address and DNS server -information from DHCP server venus using the DHCP protocol. The IP addresses are assigned dynamically -by venus from the pool 10.1.0.50..10.1.0.60 so that carol and dave become full members -of the subnet 10.1.0.0/16 hidden behind gateway moon. And this thanks to the farp plugin -through which moon acts as a proxy for ARP requests e.g. from alice who wants to ping -carol and dave. +information from DHCP server venus using the DHCP protocol. +

+The IP addresses are assigned dynamically by venus from the pool 10.1.0.50..10.1.0.60 so that +carol and dave become full members of the subnet 10.1.0.0/16 hidden behind gateway moon. +And this thanks to the farp plugin through which moon acts as a proxy for ARP requests +e.g. from alice who wants to ping carol and dave. diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt b/testing/tests/ikev2/dhcp-static-client-id/description.txt similarity index 85% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt rename to testing/tests/ikev2/dhcp-static-client-id/description.txt index d253a8865..b79e7c148 100644 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/description.txt +++ b/testing/tests/ikev2/dhcp-static-client-id/description.txt @@ -1,11 +1,11 @@ The roadwarriors carol and dave set up a connection each to gateway moon -and request a virtual IP via the IKEv2 configuration payload by using the leftsourceip=%config +and request a virtual IP via the IKEv2 configuration payload by using the vips = 0.0.0.0 parameter. The dhcp plugin on gateway moon then requests an IP address and DNS/WINS server -information from DHCP server venus using the DHCP protocol. The IP addresses are assigned statically +information from DHCP server venus using the DHCP protocol. The IP addresses are assigned statically by venus based on the IKEv2 peer identities carol@strongswan.org and dave@strongswan.org, respectively, included by the dhcp plugin as a dhcp-client-identity option in the DHCP request. -

+

With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, carol and dave become full members of the subnet 10.1.0.0/16 hidden behind gateway moon. And this thanks to the farp plugin through which moon acts as a proxy for ARP requests e.g. from alice -who wants to ping carol and dave. +who wants to ping carol and dave. diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat new file mode 100644 index 000000000..52ada2840 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat 
@@ -0,0 +1,22 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..9932df379 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici +} diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3e7139535 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..9932df379 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici +} diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c9e3c2b0c --- /dev/null 
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 54% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf index 0883bf058..a4848d951 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf 
@@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8b62b8d5a --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = dhcp + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf rename to testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf rename to testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf 
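Review bot: The index line for this file (`0883bf058..a4848d951`) is identical to the one for dhcp-static-mac/hosts/moon/etc/strongswan.conf further down, so moon's strongswan.conf is byte-identical in the dhcp-static-client-id and dhcp-static-mac scenarios, and the renames in this commit even pair posttest/pretest/test.conf across the two directories. The dhcp-static-mac description says that scenario hinges on `charon.plugins.dhcp.identity_lease = yes`; if the key is set in the `plugins { dhcp { … } }` block it applies to the client-id scenario too, and if it is not, the mac scenario cannot be exercising it. The plugins block continues outside the hunk, so this is inferred from the blob ids only, but it is worth confirming that the two scenarios still differ in the way their descriptions claim.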
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
similarity index 57%
rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat
rename to testing/tests/ikev2/dhcp-static-client-id/posttest.dat
index 669f52e73..84ee53137 100644
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 venus::service isc-dhcp-server stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
similarity index 59%
rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat
rename to testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index ff3c04b81..d8c1191cd 100644
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -3,11 +3,11 @@ carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 venus::cat /etc/dhcp/dhcpd.conf
 venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf similarity index 91% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf rename to testing/tests/ikev2/dhcp-static-client-id/test.conf index fd8a59c90..853093c96 100644 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/test.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt b/testing/tests/ikev2/dhcp-static-mac/description.txt similarity index 76% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt rename to testing/tests/ikev2/dhcp-static-mac/description.txt index ed7525c87..3a465963b 100644 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/description.txt +++ b/testing/tests/ikev2/dhcp-static-mac/description.txt @@ -1,12 +1,12 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -and request a virtual IP via the IKEv2 configuration payload by using the leftsourceip=%config +TThe roadwarriors carol and dave set up a connection each to gateway moon +and request a virtual IP via the IKEv2 configuration payload by using the vips = 0.0.0.0 parameter. The dhcp plugin on gateway moon then requests an IP address and DNS/WINS server -information from DHCP server venus using the DHCP protocol. The IP addresses are assigned statically +information from DHCP server venus using the DHCP protocol. The IP addresses are assigned statically by venus based on the user-defined MAC address derived by the dhcp plugin from a hash over the client identity. This deterministic MAC generation is activated with the strongswan.conf setting charon.plugins.dhcp.identity_lease = yes. -

+

With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, carol and dave become full members of the subnet 10.1.0.0/16 hidden behind gateway moon. And this thanks to the farp plugin through which moon acts as a proxy for ARP requests e.g. from alice -who wants to ping carol and dave. +who wants to ping carol and dave. diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat new file mode 100644 index 000000000..a1e1f19bd --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat 
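Review bot: The first rewritten line of the dhcp-static-mac description reads `+TThe roadwarriors carol and dave set up a connection each to gateway moon` — the doubled `T` is a typo introduced by this change, while the corresponding line in the dhcp-static-client-id description correctly starts with `The`. Change it to `The roadwarriors carol and dave set up a connection each to gateway moon`.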
@@ -0,0 +1,22 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES +carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..9932df379 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici +} diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3e7139535 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..9932df379 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici +} diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c9e3c2b0c --- /dev/null 
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 54% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf index 0883bf058..a4848d951 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { 
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8b62b8d5a --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = dhcp + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf rename to testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf similarity index 100% rename from testing/tests/ikev2-stroke-bye/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf rename to testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat similarity index 57% rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat rename to testing/tests/ikev2/dhcp-static-mac/posttest.dat index 669f52e73..84ee53137 100644 --- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/posttest.dat +++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat 
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 venus::service isc-dhcp-server stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
similarity index 59%
rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat
rename to testing/tests/ikev2/dhcp-static-mac/pretest.dat
index ff3c04b81..d8c1191cd 100644
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -3,11 +3,11 @@ carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 venus::cat /etc/dhcp/dhcpd.conf
 venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf
rename to testing/tests/ikev2/dhcp-static-mac/test.conf
index fd8a59c90..853093c96 100644
--- a/testing/tests/ikev2-stroke-bye/dhcp-static-client-id/test.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
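Review bot: The `2> /dev/null` appended to `carol::swanctl --initiate --child home` and to dave's line below it discards the only channel on which a failed initiation reports itself, so a broken connection definition only shows up later as an evaltest mismatch; the dpd-trap, force-udp-encap and forecast pretest files in this same commit run the identical command without the redirect. Either form works, but the migrated scenarios should agree on one, and keeping stderr visible makes a failing run easier to diagnose from the console log, e.g. `carol::swanctl --initiate --child home`.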
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/dpd-trap/description.txt b/testing/tests/ikev2/dpd-trap/description.txt
new file mode 100644
index 000000000..527a293e4
--- /dev/null
+++ b/testing/tests/ikev2/dpd-trap/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon
+which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s.
+When the network connectivity between carol and moon is forcefully disrupted,
+moon clears the connection after a number of unsuccessful retransmits.
+
+The roadwarrior carol sets up an IPsec tunnel connection to the gateway
+moon. Both end points activate Dead Peer Detection (DPD) with a
+polling interval of 10 s. When the network connectivity between carol
+and moon is forcefully disrupted for a duration of 10 s, moon
+clears the connection after 2 unsuccessful retransmits whereas carol
+also takes down the connection but installs a route which triggers when
+carol sends a ping to client alice behind gateway moon.
+
diff --git a/testing/tests/ikev2/dpd-trap/evaltest.dat b/testing/tests/ikev2/dpd-trap/evaltest.dat
new file mode 100644
index 000000000..f3a0c1601
--- /dev/null
+++ b/testing/tests/ikev2/dpd-trap/evaltest.dat
@@ -0,0 +1,17 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +carol::sleep 13::no output expected::NO +carol::cat /var/log/daemon.log::sending DPD request::YES +carol::cat /var/log/daemon.log::retransmit.*of request::YES +carol::cat /var/log/daemon.log::giving up after.*retransmits::YES +moon:: cat /var/log/daemon.log::retransmit.*of request::YES +moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO +carol::sleep 1::no output expected::NO +carol::cat /var/log/daemon.log::creating acquire job for policy::YES +carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org 
remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf similarity index 68% rename from testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf index 7a64dce30..d42a9804c 100644 --- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-trap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-trap/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a202bac82 --- /dev/null +++ b/testing/tests/ikev2/dpd-trap/hosts/carol/etc/swanctl/swanctl.conf 
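Review bot: `carol::sleep 13` looks too short for the `retransmit.*of request` and `giving up after.*retransmits` expectations that follow it, given what this commit shows: carol's and moon's strongswan.conf for dpd-trap (the two hunks that come next) set only `load`, so retransmission runs on charon's defaults, and with `dpd_delay = 10` the first DPD request goes out roughly 10 s after the DROP rules are inserted, with the first retransmit a few seconds after that. Unless retransmit_timeout / retransmit_base / retransmit_tries are tuned in a file outside this diff, the log checks on carol and moon race the retransmit schedule; tightening it in both strongswan.conf files (for example `retransmit_timeout = 2`, `retransmit_base = 1.5` and `retransmit_tries = 2`, which would also match the "2 unsuccessful retransmits" the description promises) or lengthening the sleep would make the outcome deterministic. The trailing `--ike-id 2` checks also assume the trap policy re-established exactly one new IKE_SA on each side, which holds only if nothing else created an SA on these guests first.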
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + esp_proposals =aes128gcm16-x25519 + dpd_action = trap + } + } + version = 2 + mobike = no + dpd_delay = 10 + } +} diff --git a/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf similarity index 68% rename from testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf index 7a64dce30..d42a9804c 100644 --- a/testing/tests/ikev2-stroke-bye/wildcards/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-trap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/dpd-trap/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6ca9db7c9 --- /dev/null +++ b/testing/tests/ikev2/dpd-trap/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + esp_proposals = aes128gcm128-x25519 + dpd_action = clear + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + dpd_delay = 10 + } +} 
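Review bot: carol's `home` connection sets no IKE `proposals` while moon's `rw` pins `proposals = aes128-sha256-x25519`, and the evaltest for this scenario asserts AES_CBC-128 / HMAC_SHA2_256_128 / CURVE_25519 on both sides, so the result depends on where that combination sits in charon's default IKE proposal list rather than on the test's own configuration; adding `proposals = aes128-sha256-x25519` to carol, as every other initiator in this commit does, removes that dependency. Two smaller points in the same hunk: `esp_proposals =aes128gcm16-x25519` lacks the space after `=` used on every other line, and `aes128gcm16` differs from the `aes128gcm128` spelling used throughout the rest of the commit (if I read the proposal keywords right both denote the 128-bit-ICV transform, so this is consistency only). The scenario's description.txt added in the same commit also contains two overlapping paragraphs, of which the first four lines read like an earlier draft and could be dropped.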
diff --git a/testing/tests/ikev2/dpd-trap/posttest.dat b/testing/tests/ikev2/dpd-trap/posttest.dat
new file mode 100644
index 000000000..617eff3d7
--- /dev/null
+++ b/testing/tests/ikev2/dpd-trap/posttest.dat
@@ -0,0 +1,3 @@
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/dpd-trap/pretest.dat b/testing/tests/ikev2/dpd-trap/pretest.dat
new file mode 100644
index 000000000..87be755a3
--- /dev/null
+++ b/testing/tests/ikev2/dpd-trap/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf b/testing/tests/ikev2/dpd-trap/test.conf
similarity index 87%
rename from testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf
rename to testing/tests/ikev2/dpd-trap/test.conf
index 11423f723..c5b3ecc43 100644
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/test.conf
+++ b/testing/tests/ikev2/dpd-trap/test.conf
@@ -13,9 +13,13 @@ DIAGRAM="m-c-w.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon" +TCPDUMPHOSTS="" # Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1
diff --git a/testing/tests/ikev2/farp/description.txt b/testing/tests/ikev2/farp/description.txt
new file mode 100755
index 000000000..051e1a0be
--- /dev/null
+++ b/testing/tests/ikev2/farp/description.txt
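Review bot: posttest.dat deletes only carol's `-s PH_IP_MOON -j DROP` rule, yet the evaltest also installs `iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP` on moon; if the evaluation aborts before its own `iptables -D` steps run, moon keeps dropping carol's packets into whatever scenario runs next on that guest. Adding `moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP` as the first line makes the cleanup symmetric. In the normal path both rules were already removed by the evaltest, so these `-D` calls end with a bad-rule error from iptables; that is harmless here, but redirecting it (`2> /dev/null`, as other posttest files in this commit do for expected noise) avoids it being mistaken for a failure in the log.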
@@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up a connection each to gateway +moon and request a virtual IP via the IKEv2 configuration payload by +using the vips = 0.0.0.0 parameter. The virtual addresses assigned to the +clients by gateway moon belong to the subnet 10.1.0.0/16 hidden behind the +gateway so that carol and dave become full members of this network. +And this thanks to the farp plugin through which moon acts as a proxy +for ARP requests e.g. from alice who wants to ping carol and dave. diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat new file mode 100755 index 000000000..292fb7c0a --- /dev/null +++ b/testing/tests/ikev2/farp/evaltest.dat 
@@ -0,0 +1,28 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES +carol::cat /var/log/daemon.log::installing DNS server 192.168.0.150 to /etc/resolv.conf::YES +carol::cat /var/log/daemon.log::installing DNS server 10.1.0.20 to /etc/resolv.conf::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.1.0.30::YES +dave:: cat /var/log/daemon.log::installing DNS server 192.168.0.150 to /etc/resolv.conf::YES +dave:: cat /var/log/daemon.log::installing DNS server 10.1.0.20 to /etc/resolv.conf::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.1.0.40::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP 
alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/farp/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3e7139535 --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} 
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/farp/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c9e3c2b0c --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ffe2863be --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici attr farp + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS +} diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a25fc4cc5 --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw-carol { + include swanctl_base.conf + pools = carol_vip + + remote { + auth = pubkey + id = carol@strongswan.org + } + } + + rw-dave { + include swanctl_base.conf + pools = dave_vip + + remote { + auth = pubkey + id = dave@strongswan.org + } + } + +} + +pools { + + carol_vip { + addrs = 10.1.0.30 + } + + dave_vip { + addrs = 10.1.0.40 + } +} 
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl_base.conf new file mode 100755 index 000000000..7819dbf14 --- /dev/null +++ b/testing/tests/ikev2/farp/hosts/moon/etc/swanctl/swanctl_base.conf @@ -0,0 +1,17 @@ + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-curve25519 + } + } + version = 2 + proposals = aes128-sha256-curve25519 diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat new file mode 100755 index 000000000..eb2100856 --- /dev/null +++ b/testing/tests/ikev2/farp/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2-stroke-bye/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat old mode 100644 new mode 100755 similarity index 54% rename from testing/tests/ikev2-stroke-bye/farp/pretest.dat rename to testing/tests/ikev2/farp/pretest.dat index 9a3ab8b72..5d467f71f --- a/testing/tests/ikev2-stroke-bye/farp/pretest.dat +++ b/testing/tests/ikev2/farp/pretest.dat 
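Review bot: swanctl_base.conf spells the DH group `curve25519` in both `esp_proposals = aes128gcm128-curve25519` and `proposals = aes128-sha256-curve25519`, while carol's and dave's swanctl.conf in the same scenario, and every other connection in this commit, write `x25519`. As far as I know charon accepts both keywords for the same group and the evaltest's `dh-group=CURVE_25519` matches either way, but mixing the spellings inside one scenario invites the wrong guess that they differ; `x25519` is what the rest of the tree settled on. The file is pulled in through `include swanctl_base.conf` from moon's swanctl.conf, and if I recall correctly a relative include is resolved against the including file's directory, so the two files must stay side by side; a one-line comment at the top of the base file (`# shared settings included by the rw-carol and rw-dave connections`) would record that.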
@@ -3,11 +3,12 @@ carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-carol
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf b/testing/tests/ikev2/farp/test.conf
old mode 100644
new mode 100755
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
rename to testing/tests/ikev2/farp/test.conf
index f29298850..1227b9d1c
--- a/testing/tests/ikev2-stroke-bye/rw-psk-no-idr/test.conf
+++ b/testing/tests/ikev2/farp/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/force-udp-encap/description.txt b/testing/tests/ikev2/force-udp-encap/description.txt
new file mode 100644
index 000000000..e0e0e2662
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encap/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior alice sitting behind the router moon sets up a tunnel to
+gateway sun. Since the firewall on sun blocks the ESP protocol, enforced UDP
+encapsulation (encap=yes) is used by alice to punch through this hurdle.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, host alice pings the
+client bob behind the gateway sun.
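Review bot: The farp test.conf keeps `TCPDUMPHOSTS="moon"` (the hunk context inherited from rw-psk-no-idr/test.conf, the rename source), but the farp evaltest.dat added by this commit evaluates `alice::tcpdump::ARP, Reply carol2.strongswan.org is-at ...` and a dozen further `alice::tcpdump` lines, which can only match if the harness captures on alice. Unless tcpdump on alice is started by some mechanism outside this diff, the line should read `TCPDUMPHOSTS="moon alice"`, which is also what the dhcp-static-mac test.conf in this commit uses for the same guests. The farp pretest.dat hunk above looks right, with the new `moon::expect-connection rw-dave` placed before dave's initiate.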
diff --git a/testing/tests/ikev2/force-udp-encap/evaltest.dat b/testing/tests/ikev2/force-udp-encap/evaltest.dat new file mode 100644 index 000000000..00bed107f --- /dev/null +++ b/testing/tests/ikev2/force-udp-encap/evaltest.dat @@ -0,0 +1,6 @@ +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-fake=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_ALICE remote-port=4500 remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[PH_IP_ALICE/32]::YES +alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES +alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > alice.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e590beb6a --- /dev/null +++ b/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + nat-t { + remote_addrs = PH_IP_SUN + + encap = yes + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2/force-udp-encap/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ea442737c 
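Review bot: alice's and sun's strongswan.conf in this section configure the daemon under `charon {` while the pretest starts it with `systemctl start strongswan`, i.e. as charon-systemd, whereas the dhcp-static-mac and farp hosts in the same commit use `charon-systemd {` together with a `swanctl {` load line for the same purpose. As far as I know charon-systemd falls back to the `charon` section, so both layouts load the listed plugins, but the two styles side by side in one migration leave a reader guessing whether the difference is intended. Picking one layout for every migrated host (the `charon-systemd` form used in farp, say) would make the scenarios easier to compare; the dpd-trap and forecast strongswan.conf hunks show the same split.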
--- /dev/null +++ b/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + nat-t { + local_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encap/posttest.dat similarity index 74% rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat rename to testing/tests/ikev2/force-udp-encap/posttest.dat index 03edb42cb..1d83ab62c 100644 --- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/posttest.dat +++ b/testing/tests/ikev2/force-udp-encap/posttest.dat @@ -1,5 +1,5 @@ -alice::ipsec stop -sun::ipsec stop +alice::systemctl stop strongswan +sun::systemctl stop strongswan alice::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encap/pretest.dat similarity index 69% rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat rename to testing/tests/ikev2/force-udp-encap/pretest.dat index 65b934f24..6604508de 100644 --- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/pretest.dat +++ b/testing/tests/ikev2/force-udp-encap/pretest.dat 
@@ -2,8 +2,8 @@ alice::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-alice::ipsec start
-sun::ipsec start
+alice::systemctl start strongswan
+sun::systemctl start strongswan
 sun::expect-connection nat-t
 alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encap/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf
rename to testing/tests/ikev2/force-udp-encap/test.conf
index 42fa97190..1d91ff9e7 100644
--- a/testing/tests/ikev2-stroke-bye/force-udp-encaps/test.conf
+++ b/testing/tests/ikev2/force-udp-encap/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/forecast/description.txt
rename to testing/tests/ikev2/forecast/description.txt
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat
new file mode 100644
index 000000000..aca1851c4
--- /dev/null
+++ b/testing/tests/ikev2/forecast/evaltest.dat
@@ -0,0 +1,16 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.129/32 10.1.255.255/32 224.0.0.0/4] remote-ts=\[10.1.0.0/16 224.0.0.0/4]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.130/32 10.1.255.255/32 224.0.0.0/4] remote-ts=\[10.1.0.0/16 224.0.0.0/4]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*rw.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.0/4] remote-ts=\[10.1.0.129/32 10.1.255.255/32 224.0.0.0/4]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*rw.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.0/4] remote-ts=\[10.1.0.130/32 10.1.255.255/32 224.0.0.0/4]::YES +alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null +carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null +dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null +carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +moon::iptables -t mangle -L -n -v +carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf similarity index 62% rename from testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf index 48e8fc6ff..c4342f796 100644 --- a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bae89b6e5 --- /dev/null 
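Review bot: The five ping lines such as `alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null` apply their redirections in an order that first points stderr at the original stdout and only then discards stdout, so ping's error output is still printed while its normal output is dropped; if the intent is to silence the command, `> /dev/null 2>&1` is the usual form. These lines carry no `::pattern::YES` suffix and act purely as traffic generators for the tcpdump checks below, as does `moon::iptables -t mangle -L -n -v`, whose output is collected but never asserted on; that is fine for a log artifact but worth knowing when reading the evaltest. The forecast test.conf hunk is cut off at the end of this chunk, so I cannot confirm that carol and dave are listed in TCPDUMPHOSTS for the `carol::tcpdump` / `dave::tcpdump` expectations.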
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + home { + local_addrs = PH_IP_CAROL + remote_addrs = PH_IP_MOON + + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + local_ts = 0.0.0.0/0 + remote_ts = 0.0.0.0/0 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf similarity index 64% rename from testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf index e3fc4d707..9e77bbfad 100644 --- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default connmark + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..023ff7b66 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,29 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_MOON
+
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
similarity index 76%
rename from testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
index 9cd6f687d..cade47860 100644
--- a/testing/tests/ikev2-stroke-bye/forecast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr forecast
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr forecast
 
 syslog {
 daemon {
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..113ce5934
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ pools = rw
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16,224.0.0.0/4
+ remote_ts = dynamic,224.0.0.0/4,10.1.255.255
+
+ mark_in = %unique
+ mark_out = %unique
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw {
+ addrs = 10.1.0.128/26
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat
rename to testing/tests/ikev2/forecast/posttest.dat
index b757d8b15..0569758a3 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/posttest.dat
+++ b/testing/tests/ikev2/forecast/posttest.dat
@@ -1,6 +1,6 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
new file mode 100644
index 000000000..6020ff4d2
--- /dev/null
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-stroke-bye/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/forecast/test.conf
rename to testing/tests/ikev2/forecast/test.conf
index 13b3927ae..fb82aa1f1 100644
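Review bot: The `pools { rw { addrs = 10.1.0.128/26 } }` block hands out virtual IPs that lie inside the `local_ts = 10.1.0.0/16` of the `rw` child, and `remote_ts` adds the directed broadcast `10.1.255.255` and `224.0.0.0/4`, none of which the file explains. Presumably this is what the `forecast` plugin loaded in moon's strongswan.conf needs to relay broadcast and multicast to the clients, and the `%unique` marks let it tell the client tunnels apart, but that is an inference from the ranges rather than anything stated here. I would put `# vips are carved out of the 10.1.0.0/16 LAN and the broadcast/multicast ranges are added so forecast can relay them to each client` above `pools = rw`, and `# one mark per client SA, consumed by the forecast plugin` above `mark_in`. `id = *@strongswan.org` in `remote` accepts any client certificate with a matching e-mail identity that chains to a trusted CA, which is fine for the test bed but deserves a word as well.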
--- a/testing/tests/ikev2-stroke-bye/forecast/test.conf
+++ b/testing/tests/ikev2/forecast/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon carol dave"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-connmark/description.txt
rename to testing/tests/ikev2/host2host-transport-connmark/description.txt
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
new file mode 100644
index 000000000..8e9c143e6
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@@ -0,0 +1,8 @@
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*mark-in=00000001 mark-out=00000001 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128
prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*mark-in=00000002 mark-out=00000002 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
+sun::conntrack -L
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b537a5881
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ mode = transport
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
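Review bot: The two ssh checks use the literal address `192.168.0.2` while every other line in this new evaltest.dat refers to sun as `PH_IP_SUN`; if the placeholder mapping for sun ever changes, the SA matchers follow it and the reachability checks silently keep testing the old address. I would write `alice::ssh PH_IP_SUN 'echo alice-echo && exit'::alice-echo::YES` and the same for venus. The `--ike-id 1`/`--ike-id 2`, `reqid=1`/`reqid=2` and `mark-in=00000001`/`00000002` expectations rely on alice initiating before venus, which pretest.dat in this patch does guarantee, so that coupling is only worth keeping in mind when the pretest is edited.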
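Review bot: alice's strongswan.conf added just above loads the `updown` plugin, but the `nat-t` child here sets no `updown` script, so the plugin is loaded without anything to run (sun's load list omits it). If the stroke version of this test relied on `leftfirewall=yes`, the swanctl equivalent is `updown = /usr/local/libexec/ipsec/_updown iptables` inside `children { nat-t { ... } }`; if it did not, `updown` should be dropped from alice's and venus's load lists so the plugin set reflects what the test exercises. The old ipsec.conf for this test is not in my view, so which of the two is intended is for the author to confirm.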
diff --git a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
similarity index 66%
rename from testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
index 93f434598..1194f8aa9 100644
--- a/testing/tests/ikev2-stroke-bye/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default connmark
 }
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c878dba28
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ nat-t {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ mode = transport
+
+ mark_in = %unique
+ mark_out = %unique
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
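Review bot: `remote { auth = pubkey }` carries neither an `id` nor a `cacerts` constraint, so sun accepts any IKE peer whose certificate chains to a CA in its trust store; the peer identities are pinned only in evaltest.dat (`remote-id=alice@strongswan.org`, `remote-id=venus.strongswan.org`). That is the usual responder setup in this test bed, but because `mark_in`/`mark_out = %unique` allocates a fresh connmark for every accepted peer it is worth a line: `# any peer with a cert from the test CA is accepted; each CHILD_SA gets its own connmark via %unique`. alice and venus do pin `id = sun.strongswan.org` on their side, so the asymmetry is deliberate and only needs stating.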
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5640f5a29
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ mode = transport
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
new file mode 100644
index 000000000..5988c637e
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@@ -0,0 +1,5 @@
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
similarity index 65%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat
rename to testing/tests/ikev2/host2host-transport-connmark/pretest.dat
index 2c40b3801..94e9f7744 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@@ -2,11 +2,11 @@ moon::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
 moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
 sun::expect-connection nat-t
 alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
 venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf
rename to testing/tests/ikev2/host2host-transport-connmark/test.conf
index 8c2facefd..817550391 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-connmark/test.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun alice venus moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
deleted file mode 100644
index b416b30b8..000000000
--- a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=venusCert.pem
- leftid=venus@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt b/testing/tests/ikev2/inactivity-timeout/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/inactivity-timeout/description.txt
rename to testing/tests/ikev2/inactivity-timeout/description.txt
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
new file mode 100644
index 000000000..5be5e3bac
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::sleep 11::NO
+carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
+carol::cat /var/log/daemon.log::sending DELETE for ESP CHILD_SA::YES
+moon:: cat /var/log/daemon.log::received DELETE for ESP CHILD_SA::YES
+moon:: cat /var/log/daemon.log::sending DELETE for ESP CHILD_SA::YES
+carol::cat /var/log/daemon.log::received DELETE for ESP CHILD_SA::YES
+carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
similarity index 68%
rename from testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index 7a64dce30..d42a9804c 100644
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ec89acffd
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128gcm16-x25519
+ inactivity = 10s
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d42a9804c
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e90f3df61
--- /dev/null
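Review bot: `esp_proposals =aes128gcm16-x25519` lacks the space after `=` and spells the AEAD as `aes128gcm16`, while moon's counterpart in this test and every other swanctl.conf added by this commit use `aes128gcm128`; both are accepted names for the same transform (the evaltest matches `AES_GCM_16 encr-keysize=128` either way), but mixing the two spellings invites a later copy-paste mismatch. I would change the line to `esp_proposals = aes128gcm128-x25519`. Separately, this file hard-codes `192.168.0.100`/`192.168.0.1` where the forecast and connmark configs in the same patch use `PH_IP_CAROL`/`PH_IP_MOON`; the evaltest for this test uses the same literals, so it is internally consistent, but the placeholders would be the more robust choice.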
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
new file mode 100644
index 000000000..ec5d4c48a
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
new file mode 100644
index 000000000..87be755a3
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-stroke-bye/dpd-hold/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
similarity index 79%
rename from testing/tests/ikev2-stroke-bye/dpd-hold/test.conf
rename to testing/tests/ikev2/inactivity-timeout/test.conf
index f8b62b953..c5b3ecc43 100644
--- a/testing/tests/ikev2-stroke-bye/dpd-hold/test.conf
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="m-c-w.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt b/testing/tests/ikev2/ip-split-pools-db/description.txt old mode 100644 new mode 100755 similarity index 85% rename from testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt rename to testing/tests/ikev2/ip-split-pools-db/description.txt index 0c11c7eed..6ec3f333e --- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/description.txt +++ b/testing/tests/ikev2/ip-split-pools-db/description.txt @@ -1,6 +1,7 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. Both carol and dave request a virtual IP via the IKEv2 configuration payload. The gateway moon assigns virtual IP addresses from two disjoint pools named pool0 comprising the single address 10.3.0.1 and pool1 comprising the -single address 10.3.1.1 predefined in the SQL database. +single address 10.3.1.1 predefined in the SQL database. + diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat new file mode 100755 index 000000000..84bcc46ae --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat 
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.1.1] child-sas.*net.*reqid=2 state=INSTALLED
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..826f479d1
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..58e416873
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf
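Review bot: The log checks are asymmetric: there is a `dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES` line but no matching check that carol installed 10.3.0.1, even though moon's side is verified for both pools and the ip-two-pools-mixed evaltest added in this same commit checks both clients. I would add `carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES` next to dave's line. The pool assignment order (carol gets pool0, dave falls through after `no available address found in pool.*pool0` to pool1) depends on carol initiating first, which pretest.dat enforces.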
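Review bot: This file puts the plugin list under `charon-systemd { load = ... }` with a separate `swanctl { load = ... }` section, whereas the forecast, connmark and inactivity-timeout hosts migrated in the same commit use a plain `charon { load = ... }` block although all of them are started via `systemctl start strongswan`. As far as I recall `charon-systemd` falls back to the `charon` section, so both forms work, but the inconsistency makes it look as if the tests run different daemons; settling on one convention for the migrated tests would help. The `swanctl` list also loads `openssl` while the daemon list does not, which is harmless but another thing a reader will stop on.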
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..826f479d1
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..66785805d
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ab8dc4246
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default sqlite attr-sql vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..255e64303
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = pool0, pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
new file mode 100755
index 000000000..d1d8c7d7d
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::ipsec pool --del pool0 2> /dev/null
+moon::ipsec pool --del pool1 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
old mode 100644
new mode 100755
similarity index 69%
rename from testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat
rename to testing/tests/ikev2/ip-split-pools-db/pretest.dat
index 5c6143dc7..f310dfe8b
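Review bot: `pools = pool0, pool1` references pools that are defined nowhere in swanctl.conf; they are served by the `attr-sql` plugin from the SQLite database that pretest.dat populates with `ipsec pool --add`. A reader of this file alone will look for a `pools {}` block, so I would comment the line: `# pool0/pool1 live in the attr-sql SQLite database (see pretest.dat), not in a pools {} section`. As in the other migrated responder configs, `remote { auth = pubkey }` has no `id`, so any certificate that chains to a CA in moon's trust store is accepted; that is the test bed's convention, but it is worth saying next to the pool comment.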
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
@@ -3,11 +3,11 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
 moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
 moon::ipsec pool --status 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
old mode 100644
new mode 100755
similarity index 89%
rename from testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
rename to testing/tests/ikev2/ip-split-pools-db/test.conf
index 31820ea1a..1021e72d2
--- a/testing/tests/ikev2-stroke-bye/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/description.txt b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
new file mode 100755
index 000000000..422e1ad1d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
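Review bot: `carol::swanctl --initiate --child home 2> /dev/null` and dave's counterpart discard stderr, unlike the forecast, connmark and inactivity-timeout pretest files in this same commit, which run `swanctl --initiate` unredirected. If the initiation fails (for instance because no lease can be obtained from the SQLite pool), the diagnostic that would explain a later evaltest failure is thrown away. Unless the redirect silences a known, harmless warning, I would drop `2> /dev/null` from both lines so the pretest behaves like the other migrated tests.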
@@ -0,0 +1,9 @@
+The hosts alice and carol set up a tunnel connection each to gateway moon.
+Both hosts request a virtual IP via the IKEv2 configuration payload.
+Gateway moon assigns virtual IP addresses from pool1 with an address range of
+10.3.0.0/28 to hosts connecting to the eth0 (192.168.0.1) interface and
+virtual IP addresses from an SQLite-based pool named intpool [10.4.0.1..10.4.1.244] to
+hosts connecting to the eth1 (10.1.0.1) interface.
+

+Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and
+both ping the gateway moon.
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
new file mode 100755
index 000000000..ed09da435
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -0,0 +1,17 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES +alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES +moon:: cat /var/log/daemon.log::added vici pool pool1: 10.3.0.0, 14 entries::YES +moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES +moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES +moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES +alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} 
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..509fe678f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 10.1.0.10 + remote_addrs = 10.1.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..60b216e62 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/hosts/moon/etc/iptables.rules rename to testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..fba531a52 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici + + plugins { + attr-sql { + database = sqlite:///etc/db.d/ipsec.db + } + } +} + +pool { + load = sqlite + database = sqlite:///etc/db.d/ipsec.db +} \ No newline at end of file diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1210d8e7f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/swanctl/swanctl.conf 
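Review bot: moon's strongswan.conf for ip-two-pools-mixed is added without a trailing newline (git prints `\ No newline at end of file`), unlike the other strongswan.conf files this commit adds; the closing `}` of the `pool` section should be followed by a newline so the file matches its siblings. The description.txt files of ip-two-pools-v4v6-db and ip-two-pools-v4v6 further down in this commit have the same issue.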
@@ -0,0 +1,52 @@ +connections { + + rw1 { + local_addrs = 192.168.0.1 + pools = pool1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw1 { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } + + rw2 { + local_addrs = 10.1.0.1 + pools = intpool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw2 { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + pool1 { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat new file mode 100755 index 000000000..f0a8f0f64 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +alice::swanctl --terminate --ike home +carol::systemctl stop strongswan +alice::systemctl stop strongswan +moon::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat old mode 100644 new mode 100755 similarity index 62% rename from testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat rename to testing/tests/ikev2/ip-two-pools-mixed/pretest.dat index 094dfd8df..0cbba8b72 --- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat 
@@ -4,12 +4,12 @@ moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2>
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-alice::ipsec start
-moon::expect-connection int
-moon::expect-connection ext
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+moon::expect-connection rw1
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw2
 alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
old mode 100644
new mode 100755
similarity index 74%
rename from testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf
rename to testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 0c1b38d49..d4d3dd3dd
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -5,7 +5,7 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram #
@@ -13,13 +13,17 @@ DIAGRAM="a-m-c-w.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="alice carol" +TCPDUMPHOSTS="carol alice" # Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="alice moon carol" +IPSECHOSTS="moon carol alice" # Guest instances on which databases are used # DBHOSTS="moon" + +# charon controlled by swanctl +# +SWANCTL=1
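Review bot: `VIRTHOSTS` gains `dave` in ip-two-pools-mixed/test.conf, but nothing else in this test references dave — `IPSECHOSTS` is `moon carol alice`, `TCPDUMPHOSTS` is `carol alice` and the diagram stays `a-m-c-w.png` — so an extra guest is booted for no visible purpose. If this is deliberate (for example to keep the guest set identical across consecutive tests), a comment such as `# dave is not used by this test; kept for a common guest set` would make that explicit; otherwise revert to `VIRTHOSTS="alice moon carol winnetou"`. The same applies to the test.conf hunks of ip-two-pools-v4v6-db and ip-two-pools-v4v6 later in this commit, where `IPSECHOSTS` is just `moon carol`.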
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt old mode 100644 new mode 100755 similarity index 55% rename from testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt rename to testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt index 7e8e7a69b..8d1e2eaa5 --- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/description.txt +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt @@ -1,5 +1,5 @@ The host carol sets up a tunnel connection to gateway moon. It requests both an IPv4 and an IPv6 virtual IP via the IKEv2 configuration payload by using -leftsourceip=%config4,%config6. Gateway moon assigns virtual IPs addresses -from persistent pools stored in an SQL database using the rightsourceip option. -The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. +vips = 0.0.0.0,0::0. GGateway moon assigns virtual IPs addresses +from persistent pools stored in an SQL database. +The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. \ No newline at end of file diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat new file mode 100755 index 000000000..dbe61c4d0 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat 
@@ -0,0 +1,11 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1 fec3::1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32 fec3::1/128] remote-ts=\[10.1.0.0/16 fec1::/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1 fec3::1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 fec1::/16] remote-ts=\[10.3.0.1/32 fec3::1/128]::YES +moon:: ipsec pool --status 2> /dev/null::pool_v4.*10.3.0.1.*10.3.1.254.*48h.*510 .*1 .*1 ::YES +moon:: ipsec pool --status 2> /dev/null::pool_v6.*fec3:\:1.*fec3:\:fe.*48h.*254 .*1 .*1 ::YES +moon:: ipsec pool --leases --filter pool=pool_v4,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=pool_v6,addr=fec3::1,id=carol@strongswan.org 2> /dev/null::online::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES +carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES 
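Review bot: The moon check `child-sas.*rw1.*reqid=1 state=INSTALLED` looks for the literal `rw1`, but moon's swanctl.conf in this test names both the connection and its child `rw` (the IKE_SA part of the same line matches `rw.*`), so unless the raw child-sas output happens to contain `rw1` for another reason this expectation cannot match. The sibling tests in this commit use the configured child name verbatim (`net` in lookip, `rw1`/`rw2` in ip-two-pools-mixed where the children really carry those names), so the pattern here should probably read `child-sas.*rw.*reqid=1` or the child be renamed `rw1` in moon's swanctl.conf. The ip-two-pools-v4v6 evaltest.dat hunk further down has the same `rw1` pattern against a child named `rw`. Separately, the ip-two-pools-v4v6-db description.txt hunk above introduces the typo `GGateway`.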
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..826f479d1 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..860e79d06 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0, 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0.0.0.0/0,::/0 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..330ce96ca --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici sqlite attr-sql + + plugins { + attr-sql { + database = sqlite:///etc/db.d/ipsec.db + } + } +} + +pool { + load = sqlite + database = sqlite:///etc/db.d/ipsec.db +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5089c3f5f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,23 @@ +connections { + + rw { + pools = pool_v4, pool_v6 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw { + local_ts = 10.1.0.0/16,fec1::0/16 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat new file mode 100755 index 000000000..9690841d1 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat @@ -0,0 +1,3 @@ +carol::systemctl stop strongswan +moon::systemctl stop strongswan +alice::ip -6 route del default via fec1:\:1 diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat old mode 100644 new mode 100755 similarity index 55% rename from testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat rename to testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat index dcc47f54e..0a4fa9855 --- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat 
@@ -1,10 +1,10 @@
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
-moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
+moon::ipsec pool --add pool_v4 --start 10.3.0.1 --end 10.3.1.254 --timeout 48 2> /dev/null
+moon::ipsec pool --add pool_v6 --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
 alice::ip -6 route add default via fec1:\:1
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
old mode 100644
new mode 100755
similarity index 80%
rename from testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf
rename to testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
index 60819189c..af7a6c6be
--- a/testing/tests/ikev2-stroke-bye/ip-two-pools-v4v6-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -5,11 +5,11 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c.png" +DIAGRAM="a-m-c-w.png" # Guest instances on which tcpdump is to be started #
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol"
 # Guest instances on which databases are used
 #
 DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
new file mode 100755
index 000000000..79782a93c
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
@@ -0,0 +1,5 @@ +The host carol sets up a tunnel connection to gateway moon. It requests +both an IPv4 and an IPv6 virtual IP via the IKEv2 configuration payload by using +vips = 0.0.0.0,0::0. Gateway moon assigns virtual IPs addresses +from two in-memory pools defined in the pools section. The established tunnel +carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. \ No newline at end of file diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat new file mode 100755 index 000000000..f6a5cd2a6 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat 
@@ -0,0 +1,7 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1 fec3::1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32 fec3::1/128] remote-ts=\[10.1.0.0/16 fec1::/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1 fec3::1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 fec1::/16] remote-ts=\[10.3.0.1/32 fec3::1/128]::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES +carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..826f479d1 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..860e79d06 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0, 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0.0.0.0/0,::/0 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..826f479d1 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..13f26e771 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,32 @@ +connections { + + rw { + pools = pool_v4, pool_v6 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw { + local_ts = 10.1.0.0/16,fec1::0/16 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + pool_v4 { + addrs = 10.3.0.0/28 + } + pool_v6 { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat new file mode 100755 index 000000000..9690841d1 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat @@ -0,0 +1,3 @@ +carol::systemctl stop strongswan +moon::systemctl stop strongswan +alice::ip -6 route del default via fec1:\:1 diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat new file mode 100755 index 000000000..eb259674d --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat @@ -0,0 +1,6 @@ +alice::ip -6 route add default via fec1:\:1 +moon::systemctl start strongswan +carol::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf new file mode 100755 index 000000000..041fd8421 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf 
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat index fb6cb5279..d5c3114b3 100755 --- a/testing/tests/ikev2/ip-two-pools/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools/pretest.dat @@ -4,8 +4,9 @@ alice::iptables-restore < /etc/iptables.rules moon::systemctl start strongswan carol::systemctl start strongswan alice::systemctl start strongswan -moon::expect-connection rw +moon::expect-connection rw1 carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +moon::expect-connection rw2 alice::expect-connection home alice::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/lookip/description.txt b/testing/tests/ikev2/lookip/description.txt new file mode 100644 index 000000000..cffb67661 --- /dev/null +++ b/testing/tests/ikev2/lookip/description.txt @@ -0,0 +1,13 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via IKEv2 configuration +payloads by using the vips = 0.0.0.0 parameter. +moon assigns virtual IP addresses from a simple pool defined in the pools section +of swanctl.conf in a monotonously increasing order. +

+Using the lookip --lookup command, which communicates with the lookip plugin +via a UNIX socket, information about the assigned virtual IPs is retrieved. +

+The updown script automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs 10.3.0.1 and 10.3.0.2, respectively. diff --git a/testing/tests/ikev2/lookip/evaltest.dat b/testing/tests/ikev2/lookip/evaltest.dat new file mode 100644 index 000000000..7b0df3ab0 --- /dev/null +++ b/testing/tests/ikev2/lookip/evaltest.dat 
@@ -0,0 +1,18 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED 
mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon:: /usr/local/libexec/ipsec/lookip --lookup PH_IP_CAROL1 2> /dev/null::192.168.0.100.*rw\[1].*carol@strongswan.org::YES +moon:: /usr/local/libexec/ipsec/lookip --lookup PH_IP_DAVE1 2> /dev/null::192.168.0.200.*rw\[2].*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} 
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/lookip/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..15e80d2aa --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_CAROL + remote_addrs = PH_IP_MOON + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/lookip/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5b14d36ef --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_DAVE + remote_addrs = PH_IP_MOON + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..955514024 --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl vici kernel-netlink socket-default updown lookip +} diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/lookip/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d1386f22d --- /dev/null +++ b/testing/tests/ikev2/lookip/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,31 @@ +connections { + + rw { + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} 
diff --git a/testing/tests/ikev2-stroke-bye/lookip/posttest.dat b/testing/tests/ikev2/lookip/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/lookip/posttest.dat
rename to testing/tests/ikev2/lookip/posttest.dat
index b757d8b15..e5c82ef20 100644
--- a/testing/tests/ikev2-stroke-bye/lookip/posttest.dat
+++ b/testing/tests/ikev2/lookip/posttest.dat
@@ -1,6 +1,6 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/lookip/pretest.dat
similarity index 55%
rename from testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat
rename to testing/tests/ikev2/lookip/pretest.dat
index e87a8ee47..096ebd6f7 100644
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/lookip/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf b/testing/tests/ikev2/lookip/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf
rename to testing/tests/ikev2/lookip/test.conf
index 164b07ff9..a542d037e 100644
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/test.conf
+++ b/testing/tests/ikev2/lookip/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt
new file mode 100644
index 000000000..730cfd5b0
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors alice and venus sitting behind the NAT router moon set up
+tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+

+In order to differentiate between the tunnels to alice and venus, respectively, +XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using +the mark_in and mark_out options. With the set_mark_in option, the +corresponding mark is applied to the inbound packets after decryption. Return traffic is +marked via iptables -t mangle rules in the PREROUTING chain. +

+In order to test the tunnel, the NAT-ed hosts alice +and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat new file mode 100644 index 000000000..7d576af47 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat 
@@ -0,0 +1,14 @@ +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES +moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4510.*: UDP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4520.*: UDP::YES +bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d230879fa --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/swanctl/swanctl.conf 
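Review bot: The four `bob::tcpdump` checks at the end of this hunk still name the SNAT targets as `PH_IP_CAROL10` and `PH_IP_DAVE10`, while the pretest hunk for the same scenario (`pretest.dat`, `@@ -6,16 +6,18 @@`) and the new description.txt hard-code `10.3.0.10` and `10.3.0.20`. If those placeholders do not resolve to exactly these two addresses, the echo request/reply checks on bob can no longer match the NATed packets; even if they do, naming one address two different ways within a single scenario is fragile. Using the literal in evaltest.dat as well, e.g. `bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES`, keeps the three files in step.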
@@ -0,0 +1,28 @@ +connections { + + nat-t { + remote_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + local_ts = 10.1.0.0/25 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + hostaccess = yes + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules similarity index 100% rename from testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/iptables.rules rename to testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf similarity index 72% rename from testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf index 9691dd22f..1d8cb3524 100644 --- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown syslog { daemon { knl = 2 diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d6264670d --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,52 @@ +connections { + + alice : connections.nat-t { + remote { + id = alice@strongswan.org + } + children { + nat-t { + mark_in = 10 + set_mark_in = %same + mark_out = 10 + } + } + } + + venus : connections.nat-t { + remote { + id = venus.strongswan.org + } + children { + nat-t { + mark_in = 20 + set_mark_in = %same + mark_out = 20 + } + } + } + + nat-t { + local_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 10.2.0.0/16 + remote_ts = 0.0.0.0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..63dd6964f --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + nat-t { + remote_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = venusCert.pem + id = venus.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + local_ts = 10.1.0.0/25 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + hostaccess = yes + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} 
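Review bot: In sun's swanctl.conf the base `nat-t` section is loaded as a connection in its own right, not only as the parent of `alice` and `venus`: it carries no `remote.id` and its child narrows from `remote_ts = 0.0.0.0/0`, so a peer presenting any certificate sun trusts but with an identity other than those two would presumably still match `nat-t` and obtain a CHILD_SA without `mark_in`/`mark_out`, i.e. its 10.1.0.0/25 traffic would miss the mark-based SNAT rules installed in pretest.dat and leave sun unmapped. swanctl.conf has no way to declare a section template-only, so if that behaviour is acceptable for the scenario a comment above `nat-t` such as `# shared base for alice/venus; also matches any other certified peer, without marks` should say so, otherwise the shared settings belong in the two derived sections instead.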
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
similarity index 65%
rename from testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat
rename to testing/tests/ikev2/nat-rw-mark/posttest.dat
index 343fcc15b..d0f0eb8b0 100644
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -1,10 +1,8 @@
 sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
similarity index 66%
rename from testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat
rename to testing/tests/ikev2/nat-rw-mark/pretest.dat
index e3dfc65d2..ce2d3f485 100644
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -6,16 +6,18 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+# NAT client traffic to distinct virtual IPs
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+# mark the return traffic accordingly
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
 sun::expect-connection alice
 sun::expect-connection venus
 alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
 venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf
rename to testing/tests/ikev2/nat-rw-mark/test.conf
index 105472cbe..295a081b8 100644
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/test.conf
+++ b/testing/tests/ikev2/nat-rw-mark/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon bob"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index cd171e8c9..be5f7ccc9 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -6,7 +6,7 @@ bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES -sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat index ae6aaed33..c0830952e 100644 --- a/testing/tests/ikev2/nat-rw/evaltest.dat +++ b/testing/tests/ikev2/nat-rw/evaltest.dat 
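Review bot: The `sun:: swanctl --list-sas --raw --ike-id 2` line is rewritten solely to turn the trailing `:YES` into `::YES`; the following `ikev2/nat-rw/evaltest.dat` hunk makes the identical repair. A line whose expected-result field was malformed presumably never evaluated as intended, so it is worth a quick sweep over `testing/tests/*/*/evaltest.dat` for lines that do not end in `::YES` or `::NO` to catch the same slip elsewhere, and, if the evaluator accepts such lines silently, having it reject them instead.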
@@ -6,7 +6,7 @@ bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES -sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt similarity index 84% rename from testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt rename to testing/tests/ikev2/net2net-cert-sha2/description.txt index c659b4c47..051e8f133 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/description.txt +++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt 
@@ -1,7 +1,7 @@ A connection between the subnets behind the gateways moon and sun is set up. The authentication is based on X.509 certificates using SHA-2 to create signatures as enabled by the IKEv2 Signature Authentication extension described in RFC 7427. -Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat new file mode 100644 index 000000000..a9abc6034 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat 
@@ -0,0 +1,7 @@ +moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..48e2d18f7 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_MOON + remote_addrs = PH_IP_SUN + + local { + auth = rsa-sha384 + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f92946f91 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + local { + auth = rsa-sha512 + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat similarity index 58% rename from testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat rename to testing/tests/ikev2/net2net-cert-sha2/posttest.dat index 837738fc6..c2dff4e25 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-rekey/posttest.dat +++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat new file mode 100644 index 000000000..f43de97b0 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +sun::systemctl start strongswan +moon::systemctl start strongswan +sun::expect-connection gw-gw +moon::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf similarity index 90% rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf rename to testing/tests/ikev2/net2net-cert-sha2/test.conf index afa2accbe..87abc763b 100644 
--- a/testing/tests/ikev2-stroke-bye/net2net-pgp-v3/test.conf +++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt b/testing/tests/ikev2/net2net-dnscert/description.txt similarity index 70% rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt rename to testing/tests/ikev2/net2net-dnscert/description.txt index 40c112bc4..140d114f2 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/description.txt +++ b/testing/tests/ikev2/net2net-dnscert/description.txt @@ -2,7 +2,7 @@ A connection between the subnets behind the gateways moon and sun The authentication is based on trustworthy public keys stored as CERT resource records in the Domain Name System (DNS) and protected by DNSSEC.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-dnscert/evaltest.dat b/testing/tests/ikev2/net2net-dnscert/evaltest.dat new file mode 100644 index 000000000..bf18c0a43 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/evaltest.dat 
@@ -0,0 +1,7 @@
+moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
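Review bot: The two daemon.log assertions at the top of the evaltest hunk only establish that a DNS query for the peer's CERT RRs was issued, not that the answer was accepted as DNSSEC-validated, which is the property this scenario exists to exercise (the trust anchor in strongswan.conf and the removal of `/etc/swanctl/x509ca/*` in pretest only matter if validation is what gates the peer key). If the dnscert or unbound plugin logs the validation outcome, adding a `::YES` line for the validated case and a `::NO` line for its rejection message on both moon and sun would tie the test to that outcome rather than to the lookup alone. The exact log wording is not visible here, so confirm it against the plugin source before adding the lines.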
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf similarity index 100% rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/resolv.conf rename to testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf similarity index 56% rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf index b73dd8a5f..a8d4fc4fd 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf @@ -1,15 +1,19 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown plugins { dnscert { enable = yes } unbound { - # trust_anchors = /etc/ipsec.d/dnssec.keys - # resolv_conf = /etc/resolv.conf + trust_anchors = /etc/swanctl/dnssec.keys + resolv_conf = /etc/resolv.conf } } } diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/dnssec.keys similarity index 100% rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/dnssec.keys 
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6eec66dd7
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = sun.strongswan.org
+
+ send_cert = never
+ send_certreq = no
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/resolv.conf
rename to testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
similarity index 56%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
index b73dd8a5f..a8d4fc4fd 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/strongswan.conf
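Review bot: The `remote` section of the moon swanctl.conf hunk carries `auth = pubkey` and an `id` but no trust material, so a reader has to work out from strongswan.conf that the peer key is obtained from CERT RRs under the unbound trust anchor and from pretest that `/etc/swanctl/x509ca` is deliberately emptied. A one-line comment inside the connection would make the trust chain explicit, e.g. `# no CA configured: peer public key comes from DNSSEC-validated CERT RRs (unbound/dnscert plugins)`. The same applies to the sun counterpart on the next line. `remote_addrs = sun.strongswan.org` likewise depends on the resolv.conf the scenario installs, which is worth a short note beside it.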
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf @@ -1,15 +1,19 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown plugins { dnscert { enable = yes } unbound { - # trust_anchors = /etc/ipsec.d/dnssec.keys - # resolv_conf = /etc/resolv.conf + trust_anchors = /etc/swanctl/dnssec.keys + resolv_conf = /etc/resolv.conf } } } diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/dnssec.keys similarity index 100% rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys rename to testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8dbfff764 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + gw-gw { + local_addrs = PH_IP_SUN + remote_addrs = moon.strongswan.org + + send_cert = never + send_certreq = no + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat b/testing/tests/ikev2/net2net-dnscert/posttest.dat
similarity index 51%
rename from testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat
rename to testing/tests/ikev2/net2net-dnscert/posttest.dat
index c594c4dc8..092ecd863 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-dnscert/posttest.dat
+++ b/testing/tests/ikev2/net2net-dnscert/posttest.dat
@@ -1,8 +1,8 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::rm /etc/swanctl/dnssec.keys
+sun::rm /etc/swanctl/dnssec.keys
 moon::rm /etc/resolv.conf
 sun::rm /etc/resolv.conf
-moon::rm /etc/ipsec.d/dnssec.keys
-sun::rm /etc/ipsec.d/dnssec.keys
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat
new file mode 100644
index 000000000..567e92816
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/swanctl/x509ca/*
+sun::rm /etc/swanctl/x509ca/*
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-dnscert/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf
rename to testing/tests/ikev2/net2net-dnscert/test.conf
index afa2accbe..87abc763b 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-pgp-v4/test.conf
+++ b/testing/tests/ikev2/net2net-dnscert/test.conf
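Review bot: `sun::expect-connection net-net` and `moon::expect-connection net-net` in the new pretest name the CHILD_SA, whereas the scenario's swanctl.conf defines the IKE connection as `gw-gw` with `net-net` as its child, and every sibling scenario in this commit (net2net-cert-sha2, net2net-ntru-bandwidth, net2net-rekey) waits on `gw-gw`. If expect-connection matches on the connection name swanctl lists, these two lines never see it and either time out or fall through without the intended synchronisation before `--initiate`. Changing both to `expect-connection gw-gw` would align the scenario with its siblings.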
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat index 3eb4ac13b..94da1be46 100755 --- a/testing/tests/ikev2/net2net-dnssec/posttest.dat +++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat @@ -2,5 +2,7 @@ moon::systemctl stop strongswan sun::systemctl stop strongswan moon::cd /etc/swanctl; rm dnssec.keys pubkey/* sun::cd /etc/swanctl; rm dnssec.keys pubkey/* +moon::rm /etc/resolv.conf +sun::rm /etc/resolv.conf moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt old mode 100644 new mode 100755 similarity index 76% rename from testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt rename to testing/tests/ikev2/net2net-ntru-bandwidth/description.txt index aab0c68c4..6fd26868f --- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/description.txt +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt @@ -1,9 +1,9 @@ A connection between the subnets behind the gateways moon and sun is set up. The key exchange is based on NTRU encryption with a security strength of 128 bits. The ANSI X9.98 NTRU encryption parameter set used is optimized for bandwidth. +The authentication is based on X.509 certificates.

-The authentication is based on X.509 certificates. Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically +Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat new file mode 100755 index 000000000..3907f1bab --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES 
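Review bot: The two `swanctl --list-sas` assertions in the new evaltest hard-code `local-host=192.168.0.1` and `remote-host=192.168.0.2`, while the dnscert, psk-dscp and rekey evaltests in this commit use the `PH_IP_MOON`/`PH_IP_SUN` placeholders for the same fields. If the harness substitutes those placeholders, the literals tie this scenario to the current host addressing and will fail on a renumbered testbed; the scenario's swanctl.conf files (`local_addrs = 192.168.0.1` and `remote_addrs = 192.168.0.2`) have the same issue. Using the placeholders in both places would keep the scenario consistent with its siblings.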
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 63% rename from testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf index 3601cdb4e..58dee1d0d --- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..9482930ba --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ntru128 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-ntru128 + } +} 
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 63% rename from testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf index 3601cdb4e..86ffe24af --- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes @@ -17,4 +21,4 @@ charon { parameter_set = x9_98_bandwidth } } -} +} \ No newline at end of file diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..215b9b9fb --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/swanctl/swanctl.conf 
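Review bot: The second hunk of the sun strongswan.conf (`@@ -17,4 +21,4 @@`) replaces the closing `}` with one that has no trailing newline, as the `\ No newline at end of file` marker shows, while the moon copy on the previous line keeps its newline. The content is otherwise identical, so this looks accidental; restoring the final newline keeps the two peer configs byte-comparable and avoids a spurious diff the next time the file is touched.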
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ntru128
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
old mode 100644
new mode 100755
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat
rename to testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
index 837738fc6..82a2de139
--- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/posttest.dat
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
new file mode 100755
index 000000000..2d3c8c1e2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf old mode 100644 new mode 100755 similarity index 90% rename from testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf rename to testing/tests/ikev2/net2net-ntru-bandwidth/test.conf index 646b8b3e6..07a3b247a --- a/testing/tests/ikev2-stroke-bye/net2net-ntru-bandwidth/test.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt b/testing/tests/ikev2/net2net-psk-dscp/description.txt similarity index 88% rename from testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt rename to testing/tests/ikev2/net2net-psk-dscp/description.txt index d4aefd5ce..8bacb3fda 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/description.txt +++ b/testing/tests/ikev2/net2net-psk-dscp/description.txt @@ -7,7 +7,7 @@ The authentication is based on a pre-shared key (PSK). In order to guaran the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat new file mode 100644 index 000000000..bad267b40 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat 
@@ -0,0 +1,8 @@ +moon::swanctl --list-sas --raw 2> /dev/null::dscp-be.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon-be remote-host=PH_IP_SUN remote-port=500 remote-id=sun-be initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +moon::swanctl --list-sas --raw 2> /dev/null::dscp-ef.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon-ef remote-host=PH_IP_SUN remote-port=500 remote-id=sun-ef initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::dscp-be.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun-be remote-host=PH_IP_MOON remote-port=500 remote-id=moon-be.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::dscp-ef.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun-ef remote-host=PH_IP_MOON remote-port=500 remote-id=moon-ef.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 
PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3d431a5fe --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } +} diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6f83e0326 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,54 @@ +connections { + + dscp-be { + local_addrs = PH_IP_MOON + remote_addrs = PH_IP_SUN + + local { + auth = psk + id = moon-be + } + remote { + auth = psk + id = sun-be + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + mark_in = 10 + mark_out = 10 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } + + dscp-ef : connections.dscp-be { + local { + id = moon-ef + } + remote { + id = sun-ef + } + children { + net-net { + mark_in = 20 + mark_out = 20 + } + } + } +} + +secrets { + ike { + id-be = sun-be + id-ef = sun-ef + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } +} 
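Review bot: The new moon strongswan.conf in this hunk configures a `charon {` section and omits `multiple_authentication = no`, whereas the sun file renamed on the next line keeps that setting and the other scenarios migrated in this commit (net2net-dnscert, net2net-rekey) use `charon-systemd {` together with a `swanctl { load = ... }` section. If charon-systemd falls back to the `charon` section the load list still applies, but the asymmetry between the two peers is undocumented. Either add `multiple_authentication = no` to moon as well or drop it from sun and record the reason in a comment.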
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf similarity index 59% rename from testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf index a0be3ce18..da6ffa8c0 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown multiple_authentication = no syslog { daemon { diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..17c604e7f --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +dscp-base { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + local { + auth = psk + } + remote { + auth = psk + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 +} + +connections { + + dscp-be : dscp-base { + local { + id = sun-be + } + remote { + id = moon-be + } + children { + net-net { + mark_in = 10 + mark_out = 10 + } + } + } + + dscp-ef : dscp-base { + local { + id = sun-ef + } + remote { + id = moon-ef + } + children { + net-net { + mark_in = 20 + mark_out = 20 + } + } + } +} + +secrets { + ike { + id-be = moon-be + id-ef = moon-ef + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } +} 
diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat similarity index 75% rename from testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat rename to testing/tests/ikev2/net2net-psk-dscp/posttest.dat index 21a22bfb8..8c9a5f9ba 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/posttest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan +sun::systemctl stop strongswan moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush alice::iptables -t mangle -F OUTPUT diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat similarity index 75% rename from testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat rename to testing/tests/ikev2/net2net-psk-dscp/pretest.dat index 925b773fd..25b063bf4 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/pretest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat @@ -1,7 +1,7 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/* alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 
@@ -10,10 +10,10 @@ bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-clas bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 -sun::ipsec start -moon::ipsec start +sun::systemctl start strongswan +moon::systemctl start strongswan sun::expect-connection dscp-ef moon::expect-connection dscp-be -moon::ipsec up dscp-be +moon::swanctl --initiate --ike dscp-be --child net-net moon::expect-connection dscp-ef -moon::ipsec up dscp-ef +moon::swanctl --initiate --ike dscp-ef --child net-net diff --git a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf similarity index 90% rename from testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf rename to testing/tests/ikev2/net2net-psk-dscp/test.conf index 10c582c9b..7f82c02f1 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-psk-dscp/test.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt b/testing/tests/ikev2/net2net-rekey/description.txt similarity index 73% rename from testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt rename to testing/tests/ikev2/net2net-rekey/description.txt index c3122a76f..bb0858ee1 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-rekey/description.txt +++ b/testing/tests/ikev2/net2net-rekey/description.txt 
@@ -1,9 +1,9 @@ A connection between the subnets behind the gateways moon and sun is set up. The authentication is based on X.509 certificates. Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically +establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -After a while the CHILD_SA is rekeyed by moon (after a deliberately short -time in this test scenario). +After a while, the CHILD_SA is rekeyed by moon (after a deliberately short +time in this test scenario).
In order to test both tunnel and firewall after the rekeying, client alice behind gateway moon pings client bob located behind gateway sun twice, once right after the rekeying and once after the old inbound SA has been diff --git a/testing/tests/ikev2/net2net-rekey/evaltest.dat b/testing/tests/ikev2/net2net-rekey/evaltest.dat new file mode 100644 index 000000000..2c9b8cb2a --- /dev/null +++ b/testing/tests/ikev2/net2net-rekey/evaltest.dat 
@@ -0,0 +1,12 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::sleep 6::wait for rekeying::NO
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::2
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9d70a684b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ # remove rekeyed inbound SA a bit quicker for the test scenario
+ delete_rekeyed_delay = 2
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..38ec29ffc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ # short lifetimes for testing purposes
+ rekey_time = 5s
+ life_time = 10s
+ rand_time = 0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..107aec246
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-rekey/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat
rename to testing/tests/ikev2/net2net-rekey/posttest.dat
index 837738fc6..82a2de139 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-cert-sha2/posttest.dat
+++ b/testing/tests/ikev2/net2net-rekey/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/net2net-rekey/pretest.dat b/testing/tests/ikev2/net2net-rekey/pretest.dat
new file mode 100644
index 000000000..f43de97b0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf b/testing/tests/ikev2/net2net-rekey/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf
rename to testing/tests/ikev2/net2net-rekey/test.conf
index afa2accbe..87abc763b 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-rekey/test.conf
+++ b/testing/tests/ikev2/net2net-rekey/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt
index 20640ef85..db28b577e 100755
--- a/testing/tests/ikev2/net2net-route/description.txt
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -1,9 +1,9 @@ A tunnel that will connect the subnets behind the gateways moon and sun, respectively, is preconfigured by installing a %trap eroute -on gateway moon by means of the setting auto=route in ipsec.conf. +on gateway moon by means of the setting start_action = trap in swanctl.conf. A subsequent ping issued by client alice behind gateway moon to bob located behind gateway sun triggers the %trap eroute and leads to the automatic establishment of the subnet-to-subnet tunnel. -

+

The updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt b/testing/tests/ikev2/net2net-same-nets/description.txt similarity index 61% rename from testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt rename to testing/tests/ikev2/net2net-same-nets/description.txt index d0eb3374f..5a19529fe 100644 --- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/description.txt +++ b/testing/tests/ikev2/net2net-same-nets/description.txt @@ -4,12 +4,11 @@ sees the subnet behind sun as 10.4.0.0/14 whereas the subnet behin sees the subnet behind moon as 10.8.0.0/14. The necessary network mappings are done on gateway sun using the iptables MARK and NETMAP targets.

-Upon the successful establishment of the IPsec tunnel, on gateway moon the directive -leftfirewall=yes automatically inserts iptables-based firewall rules that let pass -the tunneled traffic whereas on gateway sun the script indicated by -leftupdown=/etc/mark_updown inserts iptables rules that set marks defined in the -connection definition of ipsec.conf both on the inbound and outbound traffic, create -the necessary NETMAP operations and forward the tunneled traffic. +Upon the successful establishment of the IPsec tunnel, on gateway moon the updown +script automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. On gateway sun, a custom updown script +inserts iptables rules that create the necessary NETMAP operations and forward the +tunneled traffic.

In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun and vice versa.
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..55c8fb441
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.0.0.0/14] remote-ts=\[10.4.0.0/14]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000008 mark-out=00000004 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.0/14] remote-ts=\[10.0.0.0/14]::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_.eq=1::YES
+bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..dcdd99e57
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.0.0.0/14
+ remote_ts = 10.4.0.0/14
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
similarity index 92%
rename from testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown
rename to testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index 3ace019a1..6b60947c7 100755
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
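Review bot: The `local` block of moon's swanctl.conf omits `auth = pubkey` while its `remote` block sets it, and the net2net-rekey moon and sun configurations earlier in this commit set it explicitly on both sides; sun's swanctl.conf for this scenario has the same asymmetry. swanctl defaults `auth` to pubkey, so the exchange is unchanged, but an explicit `auth = pubkey` under `local` makes the scenario self-describing and consistent with the rest of the migration. The accompanying strongswan.conf also uses a `charon { }` section where the net2net-rekey hosts use `charon-systemd { }` under the same `systemctl start strongswan`; presumably charon-systemd reads both, but one form across the migrated scenarios would avoid the question.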
@@ -161,18 +161,6 @@ OUT_NET="10.8.0.0/14" # define internal interface INT_INTERFACE="eth1" -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK_IN="-p esp" - fi - SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - # is there an outbound mark to be set? if [ -n "$PLUTO_MARK_OUT" ] then @@ -189,16 +177,15 @@ up-client:) # If you are doing a custom version, firewall commands go here. if [ -n "$PLUTO_MARK_IN" ] then - iptables -t mangle -A PREROUTING $SET_MARK_IN iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -d $IN_NET -j NETMAP --to $SAME_NET + -d $IN_NET -j NETMAP --to $SAME_NET iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -s $SAME_NET -j NETMAP --to $OUT_NET + -s $SAME_NET -j NETMAP --to $OUT_NET fi if [ -n "$PLUTO_MARK_OUT" ] then - iptables -t mangle -A PREROUTING $SET_MARK_OUT + iptables -t mangle -A PREROUTING $SET_MARK_OUT iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ -d $OUT_NET -j NETMAP --to $SAME_NET iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT @@ -211,12 +198,11 @@ down-client:) # If you are doing a custom version, firewall commands go here. if [ -n "$PLUTO_MARK_IN" ] then - iptables -t mangle -D PREROUTING $SET_MARK_IN iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -d $IN_NET -j NETMAP --to $SAME_NET + -d $IN_NET -j NETMAP --to $SAME_NET iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \ - -s $SAME_NET -j NETMAP --to $OUT_NET + -s $SAME_NET -j NETMAP --to $OUT_NET fi if [ -n "$PLUTO_MARK_OUT" ] then 
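Review bot: In the `down-client` branch the POSTROUTING NETMAP rule is removed with `-o eth1` while the `up-client` branch adds it with `-o $INT_INTERFACE`, so the deletion only matches because `INT_INTERFACE="eth1"` happens to hold; since the commit already reindents the adjacent continuation line, `iptables -t nat -D POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \` would keep add and delete symmetric. Dropping the `SET_MARK_IN` mangle rule is consistent with `set_mark_in = %same` in sun's swanctl.conf, which moves the inbound marking out of the script, and a comment above the remaining `PLUTO_MARK_IN` block such as `# inbound mark is set via set_mark_in in swanctl.conf; only the NETMAP/FORWARD rules are needed here` would spare the next reader the archaeology. The `case` statement these branches belong to starts and ends outside the hunks.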
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6192e0918
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.4.0.0/14
+ remote_ts = 10.0.0.0/14
+
+ mark_in = 8
+ set_mark_in = %same
+ mark_out = 4
+
+ updown = /etc/mark_updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
similarity index 72%
rename from testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat
rename to testing/tests/ikev2/net2net-same-nets/posttest.dat
index 5fca9501d..d68a2a991 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -1,6 +1,6 @@
 sun::iptables -t mangle -n -v -L PREROUTING
 sun::iptables -t nat -n -v -L
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..828837dc0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net
diff --git a/testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf
rename to testing/tests/ikev2/net2net-same-nets/test.conf
index f46f137b4..6fc02816b 100644
--- a/testing/tests/ikev2-stroke-bye/net2net-same-nets/test.conf
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun bob"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt
index 9c67ed605..f8a934000 100755
--- a/testing/tests/ikev2/net2net-start/description.txt
+++ b/testing/tests/ikev2/net2net-start/description.txt
@@ -1,6 +1,7 @@ A tunnel connecting the subnets behind the gateways moon and sun, respectively, is automatically established by means of the setting -auto=start in ipsec.conf. The connection is tested by client alice -behind gateway moon pinging the client bob located behind -gateway sun. The updown script automatically inserts iptables-based -firewall rules that let pass the tunneled traffic. +start_action = start in swanctl.conf. +

+The connection is tested by client alice behind gateway moon pinging +the client bob located behind gateway sun. The updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev2/ocsp-local-cert/description.txt b/testing/tests/ikev2/ocsp-local-cert/description.txt index a54bc6776..1f3b3c127 100644 --- a/testing/tests/ikev2/ocsp-local-cert/description.txt +++ b/testing/tests/ikev2/ocsp-local-cert/description.txt @@ -2,8 +2,8 @@ By setting revocation = strict, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses a self-signed OCSP signer certificate that must be imported locally by the peers into the -/etc/swanctl/x509ocsp/ directory. A strongswan ca section in ipsec.conf -defines an OCSP URI pointing to winnetou. +/etc/swanctl/x509ocsp/ directory. A strongswan authorities section +in swanctl.conf defines an OCSP URI pointing to winnetou.

carol can successfully initiate an IPsec connection to moon since the status of both certificates is good. diff --git a/testing/tests/ikev2/protoport-trap/description.txt b/testing/tests/ikev2/protoport-trap/description.txt new file mode 100644 index 000000000..f264c02da --- /dev/null +++ b/testing/tests/ikev2/protoport-trap/description.txt @@ -0,0 +1,9 @@ +Using [<protocol>/<port>] selectors in the +local_ts and remote_ts child parameters, two IPsec tunnels +between the roadwarrior carol and the gateway moon are defined. +The first CHILD_SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. +

+By sending a ping to the client alice behind moon, the ICMP trap +is triggered and the corresponding IPsec tunnel is set up. In the same +way an ssh session to alice over the second IPsec SA is established. \ No newline at end of file diff --git a/testing/tests/ikev2/protoport-trap/evaltest.dat b/testing/tests/ikev2/protoport-trap/evaltest.dat new file mode 100644 index 000000000..8c1b41859 --- /dev/null +++ b/testing/tests/ikev2/protoport-trap/evaltest.dat 
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::creating acquire job.*\[icmp/8]::YES
+carol::cat /var/log/daemon.log::creating acquire job.*\[tcp/ssh]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
similarity index 59%
rename from testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
index 93f434598..91e32f7ba 100644
--- a/testing/tests/ikev2-stroke-bye/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-trap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-trap/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..635ca0ed6
--- /dev/null
+++ b/testing/tests/ikev2/protoport-trap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ icmp {
+ local_ts = dynamic[icmp]
+ remote_ts = 10.1.0.0/16[icmp]
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ start_action = trap
+ }
+ ssh {
+ local_ts = dynamic[tcp]
+ remote_ts = 10.1.0.0/16[tcp/ssh]
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ start_action = trap
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
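Review bot: carol's swanctl.conf hard-codes `local_addrs = 192.168.0.100` and `remote_addrs = 192.168.0.1` where the other scenarios migrated in this commit (net2net-rekey, reauth-early) use the `PH_IP_CAROL`/`PH_IP_MOON` placeholders, and moon's swanctl.conf for this scenario and its evaltest.dat use the same literals. If the harness resolves the placeholders here as it does elsewhere, `local_addrs = PH_IP_CAROL` and `remote_addrs = PH_IP_MOON` in this file, `local_addrs = PH_IP_MOON` on moon, and matching `local-host=`/`remote-host=` patterns in evaltest.dat would keep the scenario independent of the lab's address plan.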
diff --git a/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..91e32f7ba
--- /dev/null
+++ b/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/protoport-trap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/protoport-trap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7851f43ec
--- /dev/null
+++ b/testing/tests/ikev2/protoport-trap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ icmp {
+ local_ts = 10.1.0.0/16[icmp]
+ remote_ts = dynamic[icmp]
+
+ hostaccess = yes
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ ssh {
+ local_ts = 10.1.0.0/16[tcp/ssh]
+ remote_ts = dynamic[tcp]
+
+ hostaccess = yes
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat b/testing/tests/ikev2/protoport-trap/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat
rename to testing/tests/ikev2/protoport-trap/posttest.dat
index 046d4cfdc..045db42a6 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-late/posttest.dat
+++ b/testing/tests/ikev2/protoport-trap/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-trap/pretest.dat b/testing/tests/ikev2/protoport-trap/pretest.dat
new file mode 100644
index 000000000..68298f5bc
--- /dev/null
+++ b/testing/tests/ikev2/protoport-trap/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection icmp
+moon::expect-connection ssh
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
+carol::ssh PH_IP_ALICE hostname
+
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf b/testing/tests/ikev2/protoport-trap/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf
rename to testing/tests/ikev2/protoport-trap/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/test.conf
+++ b/testing/tests/ikev2/protoport-trap/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/description.txt b/testing/tests/ikev2/reauth-early/description.txt
similarity index 61%
rename from testing/tests/ikev2-stroke-bye/reauth-early/description.txt
rename to testing/tests/ikev2/reauth-early/description.txt
index 6b6e35045..84ef91b0f 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-early/description.txt
+++ b/testing/tests/ikev2/reauth-early/description.txt
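Review bot: `carol::ssh PH_IP_ALICE hostname` in the new pretest.dat has no connect timeout, unlike the `ssh -o ConnectTimeout=5` form the evaltest.dat uses for the same connection, so if the tcp/ssh trap is not triggered the pretest blocks for the full TCP connect timeout instead of failing fast; `carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname` keeps both invocations aligned. The trailing empty `+` line at the end of that file is presumably unintended.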
@@ -1,7 +1,7 @@ This scenario tests repeated authentication according to RFC 4478.
-The initiator carol sets a large ikelifetime=20m but the responder
-moon defining a much shorter ikelifetime=30s proposes this
+The initiator carol sets a large reauth_time=60m but the responder
+moon defining a much shorter reauth_time=30s proposes this
-value via an AUTH_LIFETIME notification to the initiator. Thus the
+value via an AUTH_LIFETIME notification to the initiator. Thus the IKE reauthentication takes places after less than 30s. A ping from carol to client alice hiding in the subnet behind moon
-tests if the CHILD_SA has been inherited by the new IKE_SA.
+tests if the CHILD_SA has been recreated under the new IKE_SA.
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat
new file mode 100644
index 000000000..bcc0e7d03
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/evaltest.dat
@@ -0,0 +1,6 @@
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 20s::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2b2c98512
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 60m
+ over_time = 10s
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cd49a4b99
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 30s
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat
rename to testing/tests/ikev2/reauth-early/posttest.dat
index 046d4cfdc..3c5a1219b 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-early/posttest.dat
+++ b/testing/tests/ikev2/reauth-early/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
similarity index 54%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat
rename to testing/tests/ikev2/reauth-early/pretest.dat
index e34f70277..f77a60708 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -1,7 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+carol::sleep 21
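Review bot: `carol::sleep 21` leaves only one second between the reauthentication that moon's `reauth_time = 30s` / `over_time = 10s` / `rand_time = 0` schedule at 20s on carol (the evaltest expects `received AUTH_LIFETIME of 30s, scheduling reauthentication in 20s`) and the `--ike-id 2` checks in evaltest.dat, which need the replacement IKE_SA and its CHILD_SA to already be ESTABLISHED/INSTALLED. The stroke-based reauth-late pretest slept 30s, so the margin shrinks from about ten seconds to one, which may make these scenarios flaky on a slow or loaded test host. Neither evaltest asserts that the first IKE_SA is gone, so a somewhat longer wait such as `carol::sleep 25` costs nothing; the same applies to the reauth-late pretest.dat hunk further down, where carol's own `reauth_time = 20s` is paired with the same `sleep 21`.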
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/test.conf b/testing/tests/ikev2/reauth-early/test.conf similarity index 90% rename from testing/tests/ikev2-stroke-bye/reauth-late/test.conf rename to testing/tests/ikev2/reauth-early/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/ikev2-stroke-bye/reauth-late/test.conf +++ b/testing/tests/ikev2/reauth-early/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/description.txt b/testing/tests/ikev2/reauth-late/description.txt similarity index 55% rename from testing/tests/ikev2-stroke-bye/reauth-late/description.txt rename to testing/tests/ikev2/reauth-late/description.txt index b4d717d6a..6d5ddc22e 100644 --- a/testing/tests/ikev2-stroke-bye/reauth-late/description.txt +++ b/testing/tests/ikev2/reauth-late/description.txt @@ -1,8 +1,8 @@ This scenario tests repeated authentication according to RFC 4478. -The initiator carol sets a short ikelifetime=20m but the responder -moon defining a much larger ikelifetime=30s proposes this +The initiator carol sets a short reauth_time=20s but the responder +moon defining a much larger reauth_time=60m proposes this value via an AUTH_LIFETIME notification to the initiator. The initiator -ignores this notification and schedules the IKE reauthentication within -the shorter interval of 30s. A ping from carol to client alice +ignores this notification and schedules the IKE reauthentication at its +configured time. A ping from carol to client alice hiding in the subnet behind moon tests if the CHILD_SA has been -inherited by the new IKE_SA. +recreated under the new IKE_SA. diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat new file mode 100644 index 000000000..f6b7ea130 --- /dev/null +++ b/testing/tests/ikev2/reauth-late/evaltest.dat 
@@ -0,0 +1,7 @@
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::cat /var/log/daemon.log::scheduling reauthentication in 20s::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 20s::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..646468dc3
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 20s
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0041568d2
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 60m
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat
rename to testing/tests/ikev2/reauth-late/posttest.dat
index 046d4cfdc..3c5a1219b 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/reauth-late/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
similarity index 54%
rename from testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat
rename to testing/tests/ikev2/reauth-late/pretest.dat
index 656de7450..f77a60708 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -1,8 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
-carol::sleep 30
+carol::swanctl --initiate --child home
+carol::sleep 21
diff --git a/testing/tests/ikev2-stroke-bye/protoport-route/test.conf b/testing/tests/ikev2/reauth-late/test.conf similarity index 90% rename from testing/tests/ikev2-stroke-bye/protoport-route/test.conf rename to testing/tests/ikev2/reauth-late/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/ikev2-stroke-bye/protoport-route/test.conf +++ b/testing/tests/ikev2/reauth-late/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt b/testing/tests/ikev2/reauth-mbb-revoked/description.txt similarity index 74% rename from testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt rename to testing/tests/ikev2/reauth-mbb-revoked/description.txt index 4e27a0b82..8c0be18ec 100644 --- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/description.txt +++ b/testing/tests/ikev2/reauth-mbb-revoked/description.txt @@ -1,10 +1,7 @@ This scenario tests make-before-break reauthentication using overlapping IKE_SAs by setting the make_before_break strongswan.conf option. The -initiator carol reauthenticates the IKE_SA with host moon using -ikelifetime=10s, but does not close the old IKE_SA before the replacement -CHILD_SA is in place. A constant ping from carol to client alice -hiding in the subnet behind moon tests if the CHILD_SA works during the -whole procedure. +initiator carol reauthenticates the IKE_SA with host moon, but does +not close the old IKE_SA before the replacement CHILD_SA is in place.

Because the responder is always able to install CHILD_SAs before the initiator is, some traffic sent by the responder over such a CHILD_SA might get dropped by diff --git a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat new file mode 100644 index 000000000..692bdbc5c --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat 
@@ -0,0 +1,10 @@
+winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
+winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
+carol::swanctl --flush-certs --type x509_crl
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::sleep 6
+carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
+carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org
remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::NO
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9d34c9afd
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1bc939f74
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b415e075c
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d4fb48843
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
similarity index 50%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat
rename to testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
index d0d591585..3965fddfb 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb-revoked/posttest.dat
+++ b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
@@ -1,3 +1,3 @@
 winnetou::cp /var/www/strongswan.crl.bak /var/www/strongswan.crl
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
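Review bot: moon's `net` child in the new reauth-mbb-revoked swanctl.conf keeps `updown = /usr/local/libexec/ipsec/_updown iptables`, but nothing else in this scenario deals with the firewall: the new pretest.dat only starts the daemons and initiates, the posttest.dat hunk here only restores the CRL and stops the daemons, and carol's swanctl.conf in this commit has no updown line at all. The script will presumably still add and remove iptables rules on moon at every reauthentication, which is harmless for the assertions made but leaves moon configured for a firewall setup the scenario does not establish. Either drop the updown line on moon or add the `iptables-restore` lines to pretest.dat and posttest.dat as the other reauth scenarios in this commit do.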
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
new file mode 100644
index 000000000..1cf07245b
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/test.conf b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/reauth-early/test.conf
rename to testing/tests/ikev2/reauth-mbb-revoked/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-early/test.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb-virtual-ip/description.txt
rename to testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..2bd668e26
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::NO
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16
encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::NO
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9d34c9afd
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..774dfee5f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ vips = 0.0.0.0
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b415e075c
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..29fded2e6
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ pools = rw
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw {
+ addrs = 10.3.0.0/24
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat
rename to testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
index 046d4cfdc..3c5a1219b 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/posttest.dat
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
similarity index 55%
rename from testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat
rename to testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
index 656de7450..234dc8d28 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
-carol::sleep 30
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf new file mode 100644 index 000000000..307c7e9cc --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt similarity index 64% rename from testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt rename to testing/tests/ikev2/reauth-mbb/description.txt index ab92d7df8..b9ef1a24e 100644 --- a/testing/tests/ikev2-stroke-bye/reauth-mbb/description.txt +++ b/testing/tests/ikev2/reauth-mbb/description.txt @@ -1,7 +1,7 @@ This scenario tests make-before-break reauthentication using overlapping IKE_SAs by setting the make_before_break strongswan.conf option. The -initiator carol reauthenticates the IKE_SA with host moon using -ikelifetime=10s, but does not close the old IKE_SA before the replacement -CHILD_SA is in place. A constant ping from carol to client alice +initiator carol reauthenticates the IKE_SA with host moon, but does +not close the old IKE_SA before the replacement CHILD_SA is in place. +A constant ping from carol to client alice hiding in the subnet behind moon tests if the CHILD_SA works during the whole procedure. diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat new file mode 100644 index 000000000..01cf727b1 --- /dev/null 
+++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat 
@@ -0,0 +1,9 @@
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::NO
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16
encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::NO
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9d34c9afd
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..23639cf19
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b415e075c
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7395a663c
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
new file mode 100644
index 000000000..3c5a1219b
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/posttest.dat
@@ -0,0 +1,4 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
similarity index 55%
rename from testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat
rename to testing/tests/ikev2/reauth-mbb/pretest.dat
index e34f70277..234dc8d28 100644
--- a/testing/tests/ikev2-stroke-bye/reauth-mbb/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
new file mode 100644
index 000000000..307c7e9cc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
index 7aceb6913..9f03783fb 100755
--- a/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
@@ -25,11 +25,3 @@ connections {
 proposals = aes128-sha256-x25519
 }
 }
-
-secrets {
-
- rsa-carol {
- file = carolKey.pem
- secret = "nH5ZQEWtku0RJEZ6"
- }
-}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt b/testing/tests/ikev2/rw-eap-dynamic/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-dynamic/description.txt
rename to testing/tests/ikev2/rw-eap-dynamic/description.txt
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
new file mode 100644
index 000000000..2811eb163
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -0,0 +1,19 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7b350eb3e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..da4d5f2be
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-md5
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9ac8c3052
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f14b57944
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/swanctl/swanctl.conf
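Review bot: The charon-systemd `load` line in dave's strongswan.conf lists `mgf1` twice (`sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp`), which looks like a leftover from hand-merging two plugin lists rather than an intended repeat. It is presumably harmless to the loader, but it diverges from carol's single `mgf1` in the sibling file and will confuse anyone diffing the two hosts. Suggested line: ` load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown`.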
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..aba0ac615
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
+
+ plugins {
+ eap-dynamic {
+ prefer_user = yes
+ preferred = md5, tls
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6507c4661
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-dynamic
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
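Review bot: moon's charon-systemd `load` line contains `mfg1` right after the correctly spelled `mgf1` (`... md5 mgf1 pem pkcs1 curve25519 mfg1 gmp ...`); there is no plugin of that name, so charon will report a failed plugin load on every start and the token does nothing. The fix is to delete it: ` load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown`. Also worth a glance: carol and dave in this scenario load `gcm` while moon does not, although all three use the `aes128gcm128-x25519` ESP proposal — if that is deliberate because ESP is handled by the kernel here, a one-line comment would save the next reader the question.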
diff --git a/testing/tests/ikev2-stroke-bye/forecast/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/forecast/posttest.dat
rename to testing/tests/ikev2/rw-eap-dynamic/posttest.dat
index 1865a1c60..e5c82ef20 100644
--- a/testing/tests/ikev2-stroke-bye/forecast/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
new file mode 100644
index 000000000..3684c2486
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
rename to testing/tests/ikev2/rw-eap-dynamic/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/description.txt
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
new file mode 100644
index 000000000..8d1da37f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -0,0 +1,22 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6dda22241
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = eap
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1c083931a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap updown
+}
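Review bot: carol's charon-systemd `load` list pulls in `eap-peap`, yet nothing visible in this scenario exercises PEAP — the evaltest expects `server requested EAP_MD5 authentication` on carol and her secrets block only carries an EAP-MD5 password. Unless the FreeRADIUS configuration on alice is meant to offer PEAP first (not visible here), trim the list to the plugins that are actually used, ` load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown`, which also makes carol and dave identical in this test.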
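Review bot: dave's charon-systemd `load` list ends in `eap-identity eap-md5 eap updown`, and `eap` is not a strongSwan plugin name (the EAP methods are `eap-md5`, `eap-identity`, `eap-tls`, …), so charon logs a failed plugin load at startup and the token contributes nothing. Drop it so the line reads ` load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown`. That carol's list in the same test carries `eap-peap` in the same position suggests both files were hand-edited from different templates and should be reconciled.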
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c8d5314e1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = eap
+ eap_id = dave
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
similarity index 52%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
index 1479e3004..fa363c345 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,14 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
 plugins {
 eap-radius {
- class_group = yes
 secret = gv6URkSs
 server = PH_IP_ALICE
 }
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f31152a08
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+ pools = radius
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = %any
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
similarity index 62%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
index a6619d02b..a3aff64c3 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
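Review bot: The new `rw-eap` connection on moon combines `pools = radius`, `remote { id = %any eap_id = %any }` and `send_certreq = no` without a word on why, and those three lines are exactly what makes this scenario differ from a plain EAP road-warrior setup: authorization and, by the look of the evaltest's `local-vips`/`remote-vips` checks, the virtual IP assignment are delegated entirely to the RADIUS backend. A comment above `pools = radius` such as `# virtual IPs come from the RADIUS server (presumably Framed-IP-Address)` and one above `send_certreq = no` such as `# peers authenticate via EAP only; do not request certificates from them` would make the intent explicit for the next person who copies this file. The `%any` identities are fine here precisely because RADIUS is the authority, and a short note saying so would pre-empt a reviewer flagging them.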
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
new file mode 100644
index 000000000..6363fcb59
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
similarity index 80%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf
rename to testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
index 5dfb41723..0e5512b65 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
@@ -5,11 +5,11 @@
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 # Guest instances on which tcpdump is to be started
 #
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
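Review bot: The new pretest.dat restores carol's firewall rules twice (`carol::iptables-restore < /etc/iptables.rules` on its second and third lines) and never restores dave's, even though dave is a full participant — his daemon is started, he initiates `home`, and the evaltest asserts his ESP traffic and ping. The third line should read `dave::iptables-restore < /etc/iptables.rules`, matching the rw-eap-dynamic pretest in the same commit. As written, dave runs with whatever rules happened to be left on the guest, so his assertions depend on state outside the test rather than on the scenario's own firewall setup.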
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/description.txt
rename to testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
new file mode 100644
index 000000000..22a553305
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -0,0 +1,22 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6c80bb767
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
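Review bot: carol's new swanctl.conf is added with `new file mode 100755`, so a plain configuration file that also holds the `eap-carol` secret carries the executable bit for no reason, while the sibling strongswan.conf in the same file group is added as 100644. The mode should be 100644 like the other configuration files; the executable bit is a hygiene point rather than an exposure, but it is the kind of thing that later trips file-permission checks on /etc/swanctl. The same 100755 mode is used for dave's and moon's swanctl.conf in this scenario and for both swanctl.conf files of rw-eap-tls-fragments further down.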
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bcd71006
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = dave
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
similarity index 55%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
index 1479e3004..74223725a 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
 plugins {
 eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7f02b4266
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,54 @@
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = Research
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = Accounting
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
similarity index 62%
rename from testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat
rename to testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
index a6619d02b..a3aff64c3 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-framed-ip-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
new file mode 100644
index 000000000..766f64a27
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
similarity index 80%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf
rename to testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
index 5dfb41723..0e5512b65 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-class-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
@@ -5,11 +5,11 @@
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 # Guest instances on which tcpdump is to be started
 #
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
similarity index 59%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt
rename to testing/tests/ikev2/rw-eap-tls-fragments/description.txt
index f6a5f1c7b..b3e0450a4 100644
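Review bot: The test.conf hunk for rw-eap-md5-class-radius drops venus from `VIRTHOSTS` (and switches the diagram to a-m-c-w-d.png), yet the new evaltest.dat for this scenario expects `dave::ping -c 1 PH_IP_VENUS` to answer and moon's `accounting` connection carries the venus child with `local_ts = 10.1.0.20/32`. Unless PH_IP_VENUS is reachable without the venus guest running, that check cannot pass; something like `VIRTHOSTS="alice venus carol winnetou dave moon"` together with the a-v-m-c-w-d.png diagram looks like the intended list (order constructed here). The new test.conf blob (index 0e5512b65) is identical to the one used for rw-eap-framed-ip-radius, so the two scenarios should be checked separately rather than sharing the file by copy.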
--- a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/description.txt
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
@@ -1,5 +1,4 @@
 The roadwarrior carol sets up a connection to gateway moon. The strong mutual authentication of both peers is based on EAP-TLS only (without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Large certificates and a multi-level trust hierarchy with a path length
-of 3 force a fragmentation of the TLS handshake message into two TLS records.
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
new file mode 100644
index 000000000..fb19cd7c2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -0,0 +1,9 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=carol@d.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.d.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.d.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=carol@d.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52959dadc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/rsa/carol_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/rsa/carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6cfb42e29
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = carol_D_cert.der
+ }
+ remote {
+ auth = eap-tls
+ id = "C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
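Review bot: `multiple_authentication=no` is the only key in carol's new strongswan.conf for rw-eap-tls-fragments written without spaces around `=`, while `tls = 2`, `max_message_count = 40` and both `load =` lines in the same file use the spaced form. `multiple_authentication = no` keeps the file uniform and easier to grep. The same unspaced line is in moon's strongswan.conf for this scenario in the next file section.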
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509/carol_D_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509/carol_D_cert.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509ca/ca_A_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/swanctl/x509ca/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3f6f8e801
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_A_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_A_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_B_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_B_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_C_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_C_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_D_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/ca_D_key.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/moon_key.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/rsa/moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e8e186b91
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = moon_D_cert.der
+ }
+ remote {
+ auth = eap-tls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509/moon_D_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509/moon_D_cert.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_A_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_A_cert.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_B_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_B_cert.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_C_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_C_cert.der
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_D_cert.der
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
rename to testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/swanctl/x509ca/ca_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
new file mode 100644
index 000000000..d2b81be43
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
new file mode 100644
index 000000000..8baac0d9b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem rm x509/moonCert.pem x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
similarity index 90%
rename from testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf
rename to testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index e093d43d8..97b89cb61 100644
--- a/testing/tests/ikev2-stroke-bye/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..103df9742
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors alice and venus sitting behind the router moon set up
+tunnels to gateway sun. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway sun uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+
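Review bot: The first line of the new rw-eap-tls-fragments/pretest.dat, `moon::cd /etc/swanctl; rm rsa/moonKey.pem rm x509/moonCert.pem x509ca/strongswanCert.pem`, contains a stray second `rm`; the shell hands it to the first rm as a file name, so the step reports a missing file called `rm` and, presumably, still deletes the three intended files only because rm keeps going after an error. carol's line in the same hunk has the intended shape, and moon's should match it: `moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem`. Since this step is what removes the default moon credentials before the scenario's own DER material is used, it deserves to run cleanly.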

+In order to differentiate between the tunnels to alice and venus, respectively,
+XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using
+the mark_in and mark_out options. With the set_mark_in option, the
+corresponding mark is applied to the inbound packets after decryption. Return traffic is
+marked via iptables -t mangle rules in the PREROUTING chain.
+

+In order to test the tunnel, the hosts alice and venus ping the client
+bob behind the gateway sun.
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..8fe23f3f1
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,14 @@
+alice::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_ALICE.*remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*mark-in=0000000a mark-out=0000000b encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_VENUS.*remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=home.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*mark-in=00000014 mark-out=00000015 encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..84c0836ae
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
similarity index 72%
rename from testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf
rename to testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
index 9691dd22f..1d8cb3524 100644
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 syslog {
 daemon {
 knl = 2
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e5001f052
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,52 @@
+connections {
+
+ alice : connections.home {
+ remote {
+ id = alice@strongswan.org
+ }
+ children {
+ home {
+ mark_in = 10/0xffffffff
+ set_mark_in = %same
+ mark_out = 11/0xffffffff
+ }
+ }
+ }
+
+ venus : connections.home {
+ remote {
+ id = venus.strongswan.org
+ }
+ children {
+ home {
+ mark_in = 20 # 0xffffffff is used by default
+ set_mark_in = %same
+ mark_out = 21 # 0xffffffff is used by default
+ }
+ }
+ }
+
+ home {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ home {
+ local_ts = 10.2.0.0/16
+ remote_ts = 0.0.0.0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ce6973875
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/swanctl/swanctl.conf
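Review bot: The base `home` section is, as far as I can tell, loaded by swanctl as a connection in its own right and not only as the template that `alice : connections.home` and `venus : connections.home` inherit from; because it has no `remote.id` and its child uses `remote_ts = 0.0.0.0/0` with no `mark_in`/`mark_out`, a third peer holding a certificate from the same CA under a different identity would match it and get unmarked policies for whatever source subnet it proposes, outside the mark-based SNAT scheme that pretest.dat installs. That is harmless for this two-client scenario, but it deserves a comment on the section, e.g. `# fallback for any other certificate holder; no marks, so the mark-based SNAT from pretest.dat does not apply`, or a `remote.id` that no real peer matches if the section is meant as a template only. The two derived children also spell the same mask two ways (`10/0xffffffff` versus `20 # 0xffffffff is used by default`); one form would do. Finally, the swanctl.conf files in this scenario are added with mode 100755 although they are data, not scripts.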
@@ -0,0 +1,28 @@
+connections {
+
+ home {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
similarity index 60%
rename from testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat
rename to testing/tests/ikev2/rw-mark-in-out/posttest.dat
index 407427a0d..a63a95295 100644
--- a/testing/tests/ikev2-stroke-bye/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -1,10 +1,9 @@
 sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::rm /etc/mark_updown
-moon::iptables -t nat -F
+winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..97e99dee8
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -0,0 +1,20 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+# NAT client traffic to distinct virtual IPs
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+# mark the return traffic accordingly
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection alice
+alice::expect-connection home
+alice::swanctl --initiate --child home
+sun::expect-connection venus
+venus::expect-connection home
+venus::swanctl --initiate --child home
diff --git a/testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf
rename to testing/tests/ikev2/rw-mark-in-out/test.conf
index 105472cbe..295a081b8 100644
--- a/testing/tests/ikev2-stroke-bye/nat-rw-mark/test.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon bob"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-ntru-psk/description.txt b/testing/tests/ikev2/rw-ntru-psk/description.txt
new file mode 100755
index 000000000..10181239c
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/description.txt
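Review bot: The `-t nat` SNAT and `-t mangle` MARK rules appended to sun here have no explicit removal in posttest.dat, which only runs `sun::iptables-restore < /etc/iptables.flush`; unless that file also flushes the nat and mangle tables (it is not visible in this patch), the rules outlive the scenario and can affect later tests that run on sun. Adding `sun::iptables -t nat -F POSTROUTING` and `sun::iptables -t mangle -F PREROUTING` to posttest.dat would make the teardown self-contained, in the way the removed stroke variant did with `moon::iptables -t nat -F`. A short comment that `--mark 10` without a mask is an exact 32-bit match — which is why it pairs with `set_mark_in = %same` on sun's SA — would also help the next reader.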
@@ -0,0 +1,12 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for carol and dave, respectively. Authentication is based on strong
+preshared keys (PSKs).
+Both carol and dave request a virtual IP via the IKEv2 configuration payload
+by using the vips = 0.0.0.0 parameter. The gateway moon assigns virtual
+IP addresses from a simple pool in a monotonously increasing order.
+

+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-ntru-psk/evaltest.dat b/testing/tests/ikev2/rw-ntru-psk/evaltest.dat
new file mode 100755
index 000000000..82a540a98
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/evaltest.dat
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..f46739b29
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..249872710
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ntru128
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..f46739b29
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28cd31915
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm128-ntru192
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ntru192
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..f46739b29
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2307b6baa
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128,aes192gcm128-ntru192
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ntru128,aes192-sha384-ntru192
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/posttest.dat b/testing/tests/ikev2/rw-ntru-psk/posttest.dat
new file mode 100755
index 000000000..e5c82ef20
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
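Review bot: moon's swanctl.conf, whose `secrets` section holds the PSKs for both carol and dave, is added with `new file mode 100755`; a file containing shared secrets should not carry the executable bit, and 0644 (0600 on a real gateway) is the appropriate mode — the same applies to the carol and dave swanctl.conf files of this scenario. Since `rw` sets `remote { auth = psk }` without an `id`, the set of accepted peers is defined entirely by the `ike-carol`/`ike-dave` entries; a comment such as `# remote peers are authorized solely by the identities listed under secrets{}` on the `remote` block would make that visible. The evaltest also pins carol to 10.3.0.1 and dave to 10.3.0.2, which relies on the pool handing out addresses in initiation order, so pretest.dat must keep initiating carol before dave.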
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
new file mode 100755
index 000000000..12ad60eb8
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/lookip/test.conf b/testing/tests/ikev2/rw-ntru-psk/test.conf
old mode 100644
new mode 100755
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/lookip/test.conf
rename to testing/tests/ikev2/rw-ntru-psk/test.conf
index 164b07ff9..a542d037e
--- a/testing/tests/ikev2-stroke-bye/lookip/test.conf
+++ b/testing/tests/ikev2/rw-ntru-psk/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-no-idr/description.txt b/testing/tests/ikev2/rw-psk-no-idr/description.txt
new file mode 100755
index 000000000..b0b7d0240
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and fully qualified domain names. By setting the wildcard remote.id=@*.strongswan.org
+on carol and dave, no IDr payloads are sent by the roadwarriors.
+

+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping the
+client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
new file mode 100755
index 000000000..fe694ac96
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -0,0 +1,12 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave ::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon ::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon ::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] 
remote-ts=\[192.168.0.200/32]::YES
+moon ::cat /var/log/daemon.log::looking for peer configs matching 192.168.0.1\[%any]...192.168.0.100\[carol@strongswan.org]
+moon ::cat /var/log/daemon.log::looking for peer configs matching 192.168.0.1\[%any]...192.168.0.200\[dave@strongswan.org]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..dcef959ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3d52d8c47
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/swanctl/swanctl.conf
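Review bot: The two `moon ::cat /var/log/daemon.log::looking for peer configs matching ...` lines are the checks that verify what this scenario is actually about (moon sees `[%any]` because no IDr was sent), yet they are the only lines in the file without a trailing `::YES` expectation. If the test runner treats a missing fourth field as log-only rather than pass/fail (I cannot see do-tests in this patch), these lines can never fail and the no-IDr property goes unasserted. Append `::YES` to both, e.g. `moon ::cat /var/log/daemon.log::looking for peer configs matching 192.168.0.1\[%any]...192.168.0.100\[carol@strongswan.org]::YES`.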
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = *.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..dcef959ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..645b0e904
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = *.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
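Review bot: `remote { id = *.strongswan.org }` on carol (and identically on dave) is written without the `@` prefix that this scenario's description.txt uses (`remote.id=@*.strongswan.org`); presumably both parse as a wildcard FQDN, but text and config should agree so nobody wonders whether the prefix matters. The line also deserves a comment, e.g. `# wildcard remote identity: no IDr is sent, and any responder whose IKE identity ends in .strongswan.org and knows the PSK is accepted`, since deliberately widening which gateway identity the client accepts is the property under test and a reader should not mistake it for an oversight. Note that these files, `secrets` section included, are added with mode 100755.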
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..dcef959ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..109417276
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
new file mode 100755
index 000000000..e5c82ef20
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
new file mode 100755
index 000000000..12ad60eb8
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
old mode 100644
new mode 100755
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
rename to testing/tests/ikev2/rw-psk-no-idr/test.conf
index f29298850..1227b9d1c
--- a/testing/tests/ikev2-stroke-bye/rw-psk-rsa-split/test.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
new file mode 100755
index 000000000..5f318787f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave each set up a connection to gateway moon.
+carol's authentication is based on a Pre-Shared Key (PSK) whereas dave's
+is based on an Public key signature (Pubkey). Gateway moon supports both
+authentication modes and selects the correct roadwarrior connection definition based on the
+gateway ID requested by the roadwarrior.
+

+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
new file mode 100755
index 000000000..5314e645a
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-psk.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-pubkey.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] 
remote-ts=\[192.168.0.200/32]::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with pre-shared key successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..dcef959ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c5dc40bea
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/swanctl/swanctl.conf
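Review bot: The two ping checks run from alice against hard-coded roadwarrior addresses (`alice::ping -c 1 192.168.0.100...` and `alice::ping -c 1 192.168.0.200...`), whereas this scenario's description and the sibling rw-psk-rsa-split evaltest have carol and dave pinging alice through the tunnel. Unless the reversed direction is intentional, aligning it with the sibling keeps the two scenarios comparable and avoids the literal IPs: `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES` and `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. If alice-initiated traffic is what is meant, the description should say so instead. The hunk's fourth line is wrapped across the page break here.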
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = carol@strongswan.org + } + remote { + auth = psk + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = moon.strongswan.org + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} + diff --git a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 51% rename from testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf index 82118b410..b00191ead --- a/testing/tests/ikev2-stroke-bye/crl-from-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default - - cache_crls = yes +swanctl { + load = random openssl +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bdebdc03e --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 50% rename from testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf rename to testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf index d4085e6a4..b00191ead --- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default - multiple_authentication = no +swanctl { + load = random openssl +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..571483558 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,55 @@
+connections {
+
+ rw-psk {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+rw-pubkey {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
new file mode 100755
index 000000000..eb2100856
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
new file mode 100755
index 000000000..af3d1b609
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
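Review bot: The `rw-pubkey {` block in moon's swanctl.conf sits at column 0 while its sibling `rw-psk {` and the contents of both blocks are indented one level, so the file reads as if `rw-pubkey` were outside `connections`; indent it to match `rw-psk`. Separately, both connections carry the same `local { id = moon.strongswan.org }`, so the description's statement that moon selects the roadwarrior definition "based on the gateway ID requested by the roadwarrior" no longer matches this configuration; presumably the responder now distinguishes them by the peer's authentication method (`remote { auth = psk }` versus `remote { auth = pubkey }`), and the description should say that instead of referring to the gateway ID.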
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-psk
+moon::expect-connection rw-pubkey
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/description.txt b/testing/tests/ikev2/rw-psk-rsa-split/description.txt
new file mode 100755
index 000000000..f2f382e32
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The roadwarriors' authentication is based on
+Pre-Shared Keys (PSK) whereas the gateway uses an Public key signature
+(Pubkey) certified by an X.509 certificate.
+

+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+carol and dave ping the client alice behind the gateway moon.
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
new file mode 100755
index 000000000..021ee5fd1
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] 
remote-ts=\[192.168.0.200/32]::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES \ No newline at end of file diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 50% rename from testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf rename to testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index d4085e6a4..b00191ead --- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default - multiple_authentication = no +swanctl { + load = random openssl +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } 
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..682022785 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = moon.strongswan.org + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} + diff --git a/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf old mode 100644 new mode 100755 similarity index 50% rename from testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf rename to testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index d4085e6a4..b00191ead --- a/testing/tests/ikev2-stroke-bye/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default - multiple_authentication = no +swanctl { + load = random openssl +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } 
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bf8059018
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..b00191ead
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46f74393b
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ send_certreq = no
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
new file mode 100755
index 000000000..eb2100856
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
new file mode 100755
index 000000000..a5edcdffb
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat b/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat index 2ea5b8665..0bbde3805 100755 --- a/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat +++ b/testing/tests/ikev2/rw-pubkey-keyid/posttest.dat @@ -1,5 +1,3 @@ -carol::swanctl --terminate --ike home -dave::swanctl --terminate --ike home carol::systemctl stop strongswan dave::systemctl stop strongswan moon::systemctl stop strongswan diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt b/testing/tests/ikev2/rw-radius-accounting/description.txt similarity index 82% rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt rename to testing/tests/ikev2/rw-radius-accounting/description.txt index 6d0224cdc..858166f76 100644 --- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/description.txt +++ b/testing/tests/ikev2/rw-radius-accounting/description.txt 
@@ -6,8 +6,6 @@ in association with an MD5 challenge and response protocol (EAP-MD5) to authenticate against the gateway moon. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity carol. -The user password is kept in ipsec.secrets on the client carol -and the gateway forwards all EAP messages to the RADIUS server alice.

Since RADIUS accounting is enabled in strongswan.conf, gateway moon sends user name, connection time and data volume information to the diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat new file mode 100644 index 000000000..0312008c6 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat 
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
+carol::swanctl --terminate --ike home 2> /dev/null::no output expected::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat 
/var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
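Review bot: The seventh line of the evaltest hunk writes the host field as `moon ::cat ...` with the space before the `::` separator, unlike every other line in the file (`moon:: cat ...`); if the harness does not trim the host name this check would not be dispatched to moon at all, and even if it does, the spacing is inconsistent with the rest of the file. Change it to `moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES`. The last line of the hunk is wrapped across the page break here.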
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/alice/etc/freeradius/users
rename to testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..590a2b7cf
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/hosts/moon/etc/iptables.rules
rename to testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a37b5274b
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ accounting = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9a59fc15e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
similarity index 72%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat
rename to testing/tests/ikev2/rw-radius-accounting/posttest.dat
index 66416eb28..4ec1b49a6 100644
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,6 +1,6 @@
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
 alice::killall freeradius
 alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
-carol::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat
rename to testing/tests/ikev2/rw-radius-accounting/pretest.dat
index d3c345200..a7408ceee 100644
--- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,9 +1,10 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
 alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
 alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
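Review bot: The new `carol::cd /etc/swanctl; rm rsa/* x509/*` step in pretest.dat gives no reason why a host wipes its own key and certificate before charon starts. Since carol's swanctl.conf in this commit authenticates with `auth = eap` and `eap_id = carol` only, the deletion presumably keeps the swanctl credential load from picking up an RSA key and certificate the EAP-only configuration never uses; that should be written down, e.g. `# carol authenticates via EAP only; drop the unused key/cert so swanctl does not load them` (in description.txt if the .dat format takes no comments). If the harness treats a non-zero exit as a failed step, `rm -f` would also keep the line idempotent when the directories are already empty.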
diff --git a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf similarity index 82% rename from testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf rename to testing/tests/ikev2/rw-radius-accounting/test.conf index 6dbb1c7fd..0d9e9f3d4 100644 --- a/testing/tests/ikev2-stroke-bye/rw-radius-accounting/test.conf +++ b/testing/tests/ikev2/rw-radius-accounting/test.conf @@ -5,11 +5,11 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c.png" # Guest instances on which tcpdump is to be started # @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol" # Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt old mode 100644 new mode 100755 similarity index 66% rename from testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt rename to testing/tests/ikev2/rw-sig-auth/description.txt index 569d7e054..6384f16ab --- a/testing/tests/ikev2-stroke-bye/rw-sig-auth/description.txt +++ b/testing/tests/ikev2/rw-sig-auth/description.txt @@ -2,9 +2,11 @@ The roadwarriors carol an dave set up a connection to gateway moon. They authenticate themselves using RSA signatures but they use different hash algorithms. moon uses signature scheme constraints to only allow access to the research and accounting subnets if -specific algorithms are used. Note: Because the client certificate's are signed -with SHA-256 we have to accept that algorithm too because signature schemes in -rightauth are also used as constraints for the whole certificate chain. +specific algorithms are used. +

+Note: Because the client certificate's are signedwith SHA-256 we have to +accept that algorithm too because signature schemes in rightauth are also +used as constraints for the whole certificate chain. Therefore, carol obtains access to the research subnet behind gateway moon whereas dave has access to the accounting subnet, but not vice-versa. diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat new file mode 100755 index 000000000..0004f434f --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat 
@@ -0,0 +1,16 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES +dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES +moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice-net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES +moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus-net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES +moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES +moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..8f8fbdfa7 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b6894cd43 --- /dev/null 
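Review bot: The rw-sig-auth evaltest checks the access restriction only through the two `traffic selectors ... unacceptable` log lines, while the permitted paths get positive pings; there is no data-plane check that carol cannot reach venus or that dave cannot reach alice. A rejection logged at CHILD_SA negotiation shows the SA was refused, not that no other path forwards the traffic, so two negative pings would pin the intended behaviour: `carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO` and `dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO`. The `-W 1` follows the pattern the rw-whitelist evaltest in this same commit already uses for its negative ping.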
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey-sha384
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..8f8fbdfa7
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..52d10418a
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey-sha512
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..8f8fbdfa7
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..439d41d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey-sha384-sha256
+ }
+ children {
+ alice-net {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey-sha512-sha256
+ }
+ children {
+ venus-net {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat
new file mode 100755
index 000000000..e5c82ef20
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
new file mode 100755
index 000000000..4f837bf9c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
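Review bot: Both `research` and `accounting` in moon's swanctl.conf leave the `remote` block without an `id`, so the signature scheme constraint is the only thing that places a roadwarrior in one connection or the other, and the two constraints overlap on SHA-256 (`pubkey-sha384-sha256` versus `pubkey-sha512-sha256`). A peer signing its AUTH payload with plain SHA-256 would satisfy both, and which connection it lands in would then presumably come down to configuration order rather than an explicit rule; description.txt explains that SHA-256 is accepted for the certificate chain, but the configuration itself does not. A comment above each `remote` block would record the dependency, e.g. `# no remote id: the peer's signature scheme selects this connection; sha256 is needed only for the CA chain`. A SHA-256-signing client is outside this scenario, but an evaltest case for it would make the overlap visible.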
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2/rw-whitelist/description.txt
new file mode 100755
index 000000000..f2c777617
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+moon uses whitelisting to grant access to carol with ID carol@strongswan.org
+whereas since ID dave@strongswan.org is not listed, dave gets rejected.
+

+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol can successfully ping
+the client alice behind the gateway moon whereas dave fails.
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
new file mode 100755
index 000000000..01f44692f
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -0,0 +1,14 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::NO
+moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16]
remote-ts=\[192.168.0.200/32]::NO
+moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::NO
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..d7e0cab5a
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9f03783fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha512
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..d7e0cab5a
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4c7c177ed
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha384
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..262709ac4
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints whitelist pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ plugins {
+ whitelist {
+ enable = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4ba02ad6c
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
new file mode 100755
index 000000000..e5c82ef20
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
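Review bot: In moon's swanctl.conf the `remote { auth = pubkey }` block carries no `id`, so every peer holding a certificate that chains to a trusted CA completes IKE authentication before the whitelist plugin gets a say; the evaltest in this commit shows exactly that with `authentication of 'dave@strongswan.org' with RSA.* successful::YES` followed by `peer identity 'dave@strongswan.org' not whitelisted::YES`. That layering is the intent — the whitelist authorizes an already authenticated identity, it does not authenticate — but nothing in the configuration says so. A one-line comment above the `remote` block, `# any peer with a valid certificate authenticates; the whitelist plugin then authorizes by identity`, would record it. Keeping `enable = yes` in strongswan.conf while pretest.dat also runs `ipsec whitelist enable` is what yields the expected `whitelist functionality was already enabled` log line, which deserves the same one-line note next to the plugin section.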
diff --git a/testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
old mode 100644
new mode 100755
similarity index 67%
rename from testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat
rename to testing/tests/ikev2/rw-whitelist/pretest.dat
index 0f246a8a4..f34637a78
--- a/testing/tests/ikev2-stroke-bye/rw-whitelist/pretest.dat
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -1,17 +1,16 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::ipsec whitelist add alice@strongswan.org
 moon::ipsec whitelist add bob@strongswan.org
 moon::ipsec whitelist add carol@strongswan.org
 moon::ipsec whitelist enable
 moon::ipsec whitelist list
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
-carol::sleep 1
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
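Review bot: The migrated pretest.dat still drives the whitelist through `moon::ipsec whitelist add ...`, `enable` and `list` while the scenario is now flagged `SWANCTL=1` and starts charon via systemd, so it keeps a dependency on the `ipsec` wrapper that the rest of this migration drops. If, as I understand it, the whitelist plugin is managed over its own control socket and has no swanctl counterpart, that is unavoidable, but the reason belongs in the file or in description.txt, e.g. `# the whitelist plugin is controlled through the 'ipsec whitelist' helper; it has no swanctl equivalent`. The move of `moon::expect-connection rw` to after the whitelist commands is presumably harmless, but a word on why the order changed would stop it being reshuffled back.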
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/description.txt b/testing/tests/ikev2/trap-any/description.txt similarity index 53% rename from testing/tests/ikev2-stroke-bye/trap-any/description.txt rename to testing/tests/ikev2/trap-any/description.txt index 81e148259..2b768548e 100644 --- a/testing/tests/ikev2-stroke-bye/trap-any/description.txt +++ b/testing/tests/ikev2/trap-any/description.txt @@ -1,7 +1,8 @@ The hosts moon, sun and dave install transport-mode trap -policies with right=%any. The remote host is dynamically determined based on -the acquires received from the kernel. Host dave additionally limits the remote -hosts to moon and sun with rightsubnet. This is tested by +policies with remote_addrs=%any. The remote host is dynamically determined +based on the acquires received from the kernel. Host dave additionally limits +the remote hosts to moon and sun with remote_ts. This is tested by pinging sun and carol from moon, carol from sun, and sun and moon from dave. The latter also pings carol, which -is not going to be encrypted as carol is not part of the configured rightsubnet. +is not going to be encrypted as carol is not part of the configured +remote_ts. diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat new file mode 100644 index 000000000..d87da0d98 --- /dev/null +++ b/testing/tests/ikev2/trap-any/evaltest.dat 
@@ -0,0 +1,29 @@
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
+sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_SUN/32]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_CAROL.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_CAROL/32]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_DAVE.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_DAVE/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_DAVE.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_DAVE/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_CAROL.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_CAROL/32]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED
local-host=PH_IP_DAVE.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_DAVE/32] remote-ts=\[PH_IP_MOON/32]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_DAVE.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_DAVE/32] remote-ts=\[PH_IP_SUN/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_CAROL/32] remote-ts=\[PH_IP_MOON/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_CAROL/32] remote-ts=\[PH_IP_SUN/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_DAVE::NO
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4fe92b6ec
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b908d6f93
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..4fe92b6ec
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f34c927c4
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ remote_ts = 192.168.0.0/30
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4fe92b6ec
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6a69bac6c
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+
+ # to access the host via SSH in the test environment
+ pass {
+ remote_addrs = 127.0.0.1
+
+ children {
+ pass-ssh {
+ local_ts = 0.0.0.0/0[tcp/22]
+ remote_ts = 0.0.0.0/0[tcp]
+ mode = pass
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4fe92b6ec
--- /dev/null
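Review bot: Each host's `secrets { ike { secret = ... } }` block in the trap-any swanctl.conf files carries no `id` selector and the same value appears on carol, dave, moon and sun, so this is one group PSK offered to whatever peer `remote_addrs = %any` brings in; that is the point of the scenario, but the configuration does not say so. A comment above the `secrets` block, `# group PSK shared by all four hosts; no id selector, so it is used with any peer`, would make the trust model explicit for anyone copying the file as a template. The `pass-ssh` exception on moon and sun already carries a comment in exactly this style, so the convention is in place.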
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6a69bac6c
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+
+ # to access the host via SSH in the test environment
+ pass {
+ remote_addrs = 127.0.0.1
+
+ children {
+ pass-ssh {
+ local_ts = 0.0.0.0/0[tcp/22]
+ remote_ts = 0.0.0.0/0[tcp]
+ mode = pass
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2/trap-any/posttest.dat
new file mode 100644
index 000000000..92f4692ca
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/posttest.dat
@@ -0,0 +1,4 @@
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2/trap-any/pretest.dat
new file mode 100644
index 000000000..96500b440
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/pretest.dat
@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::sleep 1
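Review bot: trap-any/pretest.dat synchronises with a fixed `moon::sleep 1` after starting the four daemons, while the wildcards pretest added in this same patch waits with `expect-connection`; a timed sleep is the usual source of intermittent failures when the trap policies are not yet installed by the time evaltest generates traffic. If `expect-connection` covers trap-only connections the way it covers the initiated ones, `moon::expect-connection trap-any` (and the same on sun and dave, which also install a trap) ties the wait to the condition the test actually needs.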
diff --git a/testing/tests/ikev2-stroke-bye/trap-any/test.conf b/testing/tests/ikev2/trap-any/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/trap-any/test.conf
rename to testing/tests/ikev2/trap-any/test.conf
index 742bf02bd..7273cbd56 100644
--- a/testing/tests/ikev2-stroke-bye/trap-any/test.conf
+++ b/testing/tests/ikev2/trap-any/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun carol"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2-stroke-bye/wildcards/description.txt b/testing/tests/ikev2/wildcards/description.txt
old mode 100644
new mode 100755
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/wildcards/description.txt
rename to testing/tests/ikev2/wildcards/description.txt
diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2/wildcards/evaltest.dat
new file mode 100755
index 000000000..55850cb57
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/evaltest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice-net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus-net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+moon ::cat /var/log/daemon.log::CHILD_SA alice-net.*established.*TS 10.1.0.10/32 === 192.168.0.100/32
+moon ::cat /var/log/daemon.log::CHILD_SA venus-net.*established.*TS 10.1.0.20/32 === 192.168.0.200/32
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..ed878cfe5
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..434c812c3
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
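Review bot: the two `CHILD_SA … established` lines in wildcards/evaltest.dat end without the `::YES` expectation field that the other six lines in the file carry, so the hit column for those two checks is empty; unless the evaluator treats a missing expectation as YES, they never produce a verdict and a regression in the established CHILD_SAs would go unnoticed. Append the field to both, e.g. `moon ::cat /var/log/daemon.log::CHILD_SA alice-net.*established.*TS 10.1.0.10/32 === 192.168.0.100/32::YES`. The host column is also written three different ways (`carol::`, `dave :: `, `moon ::`); harmless if the parser trims whitespace, but a single form reads better.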
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..ed878cfe5
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a91fd9205
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..b415e075c
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f3a2db49d
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,45 @@
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+ }
+ children {
+ alice-net {
+ local_ts = 10.1.0.0/28
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ venus-net {
+ local_ts = 10.1.0.16/28
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/wildcards/posttest.dat b/testing/tests/ikev2/wildcards/posttest.dat
new file mode 100755
index 000000000..2a7f84c77
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/posttest.dat
@@ -0,0 +1,3 @@
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
new file mode 100755
index 000000000..02acbb25c
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -0,0 +1,11 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+oon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
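Review bot: the `accounting` connection's `remote` section in wildcards/hosts/moon/etc/swanctl/swanctl.conf sets only `auth = pubkey` and no `id`, while `research` constrains the peer to `C=CH, O=strongSwan Project, OU=Research, CN=*`; as written, any certificate that chains to the trusted CA satisfies accounting, and carol's OU=Research identity matches both connections, so dave ending up on accounting (as evaltest.dat expects via `--ike-id 2`) rests on the more specific research match being preferred rather than on an explicit constraint. If the scenario is meant to exercise wildcard matching on both OUs, `id = "C=CH, O=strongSwan Project, OU=Accounting, CN=*"` in accounting's remote block (the pattern mirrors research and dave's DN in evaltest.dat) states the intent and closes the unconstrained match; if leaving it open is deliberate, a comment above `accounting` saying so would stop the next reader from treating it as an omission.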
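Review bot: the fourth line of wildcards/pretest.dat reads `oon::expect-connection research`; the host name is missing its first letter, so the step cannot be dispatched to moon and the wait for the research connection is silently lost (the accounting line right below it is spelled correctly). Change it to `moon::expect-connection research`.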
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1