added multi-level-ca-loop scenario
This commit is contained in:
parent
35d4809c3e
commit
51a9174071
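--- a/testing/tests/ikev2/multi-level-ca-loop/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-loop/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b>, possessing a certificate issued by the
+Research CA, tries to set up a tunnel to gateway <b>moon</b>.
+The Research CA's certificate is signed by the Sales CA and
+the Sales CA's certificate in turn is signed by the Research CA.
+This leads to an endless trust path loop but which is aborted by
+<b>moon</b> when the path level reaches a depth of 7 iterations.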
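--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -0,0 +1,4 @@
+moon::cat /var/log/daemon.log::maximum ca path length of 7 levels exceeded::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::ipsec status::alice.*INSTALLED::NO
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO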
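Review bot: The two carol-side checks on the last two lines are both `::NO` assertions, so they also pass when carol's daemon never came up or `ipsec up alice` was never issued; only the two moon log lines give the scenario a positive anchor. A `::YES` check on carol's side (for instance on `carol::cat /var/log/daemon.log` that the connection attempt to moon was actually started) would tie the negative outcome to a real attempt. The first line also pins the literal daemon message `maximum ca path length of 7 levels exceeded`, so any change to that wording or to the limit fails this scenario; a sentence in description.txt naming that dependency would help whoever touches it later.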
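--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+crlcheckinterval=180
+strictcrlpolicy=yes
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+left=PH_IP_CAROL
+leftnexthop=%direct
+leftcert=carolCert.pem
+right=PH_IP_MOON
+rightid=@moon.strongswan.org
+rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+rightsubnet=PH_IP_ALICE/32
+auto=add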
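--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----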
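--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----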
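--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem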
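--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+crlcheckinterval=180
+strictcrlpolicy=yes
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+left=PH_IP_MOON
+leftnexthop=%direct
+leftcert=moonCert.pem
+leftid=@moon.strongswan.org
+
+conn alice
+leftsubnet=PH_IP_ALICE/32
+right=%any
+rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+auto=add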
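--- a/PATH-NOT-SHOWN-ON-PAGE-4
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
+CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
+rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
+BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
+4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
+m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
+/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
+x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
+AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
+Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
+Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
+pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
+rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
+uaJ2yDwEhOHn3ihb1bqlanM=
+-----END CERTIFICATE-----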
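--- a/PATH-NOT-SHOWN-ON-PAGE-5
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
+MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
+/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
+4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
+XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
+kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
+gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
+p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
+clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
+b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
+koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
+Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
+/szZoxwnE2iHtIoMAhfHZpRvOkg=
+-----END CERTIFICATE-----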
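--- a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+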
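Review bot: `moon::rm /etc/ipsec.d/cacerts/*` on the third line wipes every CA certificate on moon, whereas pretest.dat removed only strongswanCert.pem; unless the harness reinstalls moon's cacerts directory between scenarios, the next test on moon starts without its root CA and fails for an unrelated reason. If the intent is only to undo what this scenario installed, remove the two CA certificate files it added by name and leave the rest of the directory alone. The trailing empty fourth line looks unintentional.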
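--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice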
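Review bot: The second line, `moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem`, is the precondition that makes the cycle unresolvable — with the root CA gone, moon's only candidate issuers for carol's chain are presumably the two mutually-signed intermediate CA certificates added in the header-less hunks above — yet neither this file nor description.txt says so. One sentence in description.txt stating that moon's strongSwan Root CA certificate is removed beforehand, so that no trusted anchor can terminate the path, would make the scenario self-explaining. Without it a reader may take the loop abort as a property of the certificates alone rather than of the trust store moon is left with.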
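--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+#
+IPSECHOSTS="moon carol"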
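Review bot: `dave` is listed in `UMLHOSTS` on the eighth line but appears nowhere else in the scenario — not in `IPSECHOSTS`, not in pretest/posttest/evaltest, and not in the `a-m-c-w.png` diagram — so booting it only adds setup time unless the harness requires it. `winnetou` by contrast is presumably needed as the CRL distribution host, since both ipsec.conf files set `strictcrlpolicy=yes`. If dave is not needed, `UMLHOSTS="alice moon carol winnetou"`; otherwise a comment line stating why it is required would stop the next reader from asking the same question.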