testing: Update description and test evaluation of host2host-transport-nat

As we now reuse the reqid for identical SAs, the behavior changes for
transport connections to multiple peers behind the same NAT. Instead of
rejecting the SA, we now have two valid SAs active. For the reverse path,
however, sun always sends traffic over the newer SA, resembling the behavior
before we introduced explicit SA conflicts for different reqids.
Martin Willi 2014-11-12 16:52:52 +01:00
parent 050556bf59
commit f27fb58ae0
3 changed files with 8 additions and 9 deletions


@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host
dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
in <em>/proc/net/xfrm_stat</em>).</li>
<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from
<b>venus</b> to send traffic to the common transport mode address.</li>
</ol>
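Review bot: the replacement sentence on the last two lines of the hunk explains only which SA sun picks, not the two things a reader of this test needs: that both transport-mode SAs now stay installed on sun (the point of the reqid change in the commit message) and the user-visible consequence the evaluation checks, namely that alice's ping to sun no longer gets a reply because sun answers over venus's newer SA. Suggest wording along the lines of "<b>sun</b>. Because of the conflicting IPsec policies <b>sun</b> keeps both SAs installed but sends traffic to the common transport-mode address over the newer SA from <b>venus</b>, so <b>alice</b> no longer receives replies." Also hyphenate "transport-mode address" to match the <b>transport-mode</b> style used in the preceding line.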


@ -1,12 +1,9 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
sun::cat /var/log/daemon.log::unable to install policy::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
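Review bot: the three new `reqid 1` checks do not establish what the commit message claims. Matching `nat-t.*INSTALLED, TRANSPORT, reqid 1` on sun succeeds as soon as one CHILD_SA with that reqid is listed, so the evaluation passes with a single SA installed; the removed `ESTABLISHED` lines for the alice/sun IKE_SA were the only checks naming which peers are up. Suggest keeping those two lines and adding the matching venus/sun pair (`nat-t.*ESTABLISHED.*venus` on sun and `nat-t.*ESTABLISHED.*sun.strongswan.org` on venus) so the evaluation shows two IKE_SAs and two transport SAs sharing the reqid, rather than one. The unchanged tcpdump expectations at the end (plaintext ICMP echo request from moon seen, echo reply not seen) were written for the old scenario in which venus's plaintext pings were dropped by the template mismatch; with venus's SA now brought up in pretest, confirm these two lines still hold instead of carrying them over as untouched context.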


@ -10,3 +10,4 @@ sun::ipsec start
alice::expect-connection nat-t
venus::expect-connection nat-t
alice::ipsec up nat-t
venus::ipsec up nat-t
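Review bot: the order of the two `ipsec up nat-t` lines is load-bearing here. The evaluation expects venus's ping to succeed and alice's to fail because, per the commit message, sun sends the reverse path over the newer SA, so venus must come up after alice. Nothing in the hunk records that requirement; suggest noting it in the test description (or a comment, if the pretest format allows one) so a later reordering does not silently invert the ping expectations.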