sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

added two Elliptic Curve DH Group scenarios using the openssl library

Browse Source
This commit is contained in:
Andreas Steffen 2008-05-29 08:28:20 +00:00
parent 0655fe4fd8
commit 5785683afe
22 changed files with 302 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
testing/tests/openssl/ike-alg-ecp-high/description.txt Normal file
View File

@ -0,0 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical functions
whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for
the Elliptic Curve Diffie-Hellman groups only.
<p>
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_521 the roadwarriors
fall back to ECP_384 and ECP_521, respectively.
<p>
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.

12
testing/tests/openssl/ike-alg-ecp-high/evaltest.dat Normal file
View File

@ -0,0 +1,12 @@
carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES
dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

24
testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf Executable file
View File

@ -0,0 +1,24 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add

5
testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl random x509 hmac stroke
}

24
testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf Executable file
View File

@ -0,0 +1,24 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
conn home
left=PH_IP_DAVE
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add

5
testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 gmp openssl random x509 hmac stroke
}

23
testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf Executable file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
conn rw
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
auto=add

5
testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl random x509 hmac stroke
}

6
testing/tests/openssl/ike-alg-ecp-high/posttest.dat Normal file
View File

@ -0,0 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null

9
testing/tests/openssl/ike-alg-ecp-high/pretest.dat Normal file
View File

@ -0,0 +1,9 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home

21
testing/tests/openssl/ike-alg-ecp-high/test.conf Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"

17
testing/tests/openssl/ike-alg-ecp-low/description.txt Normal file
View File

@ -0,0 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical functions
whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for
the Elliptic Curve Diffie-Hellman groups only.
<p>
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.

12
testing/tests/openssl/ike-alg-ecp-low/evaltest.dat Normal file
View File

@ -0,0 +1,12 @@
carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES
dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

24
testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf Executable file
View File

@ -0,0 +1,24 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add

5
testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl random x509 hmac stroke
}

24
testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf Executable file
View File

@ -0,0 +1,24 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
conn home
left=PH_IP_DAVE
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add

5
testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 gmp openssl random x509 hmac stroke
}

23
testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf Executable file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
conn rw
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
auto=add

5
testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl random x509 hmac stroke
}

6
testing/tests/openssl/ike-alg-ecp-low/posttest.dat Normal file
View File

@ -0,0 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null

9
testing/tests/openssl/ike-alg-ecp-low/pretest.dat Normal file
View File

@ -0,0 +1,9 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home

21
testing/tests/openssl/ike-alg-ecp-low/test.conf Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"