From cf4a7395aaee59b871382154ba9bfeda0819d057 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 7 Nov 2013 17:48:40 +0100
Subject: [PATCH 1/9] updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated

---
 src/_updown/_updown.in | 3 +++
 src/libcharon/plugins/updown/updown_listener.c | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index c68c23d8a5..36bf64c6a9 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -50,6 +50,9 @@
 # PLUTO_PROTO
 # is the negotiated IPsec protocol, ah|esp
 #
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
 # PLUTO_UNIQUEID
 # is the unique identifier of the associated IKE_SA
 #
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 81adfdb136..e62309760c 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
 * Copyright (C) 2008 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
@@ -223,7 +224,7 @@ METHOD(listener_t, child_updown, bool,
 u_int8_t my_client_mask, other_client_mask;
 char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
 mark_t mark;
- bool is_host, is_ipv6;
+ bool is_host, is_ipv6, use_ipcomp;
 FILE *shell;
 
 my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
@@ -322,6 +323,9 @@ METHOD(listener_t, child_updown, bool,
 
 dns = make_dns_vars(this, ike_sa);
 
+ /* check for IPComp */
+ use_ipcomp = child_sa->get_ipcomp(child_sa) != IPCOMP_NONE;
+
 /* determine IPv4/IPv6 and client/host situation */
 is_host = my_ts->is_host(my_ts, me);
 is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
@@ -355,6 +359,7 @@ METHOD(listener_t, child_updown, bool,
 "%s"
 "%s"
 "%s"
+ "%s"
 "%s",
 up ? "up" : "down",
 is_host ? "-host" : "-client",
@@ -377,6 +382,7 @@ METHOD(listener_t, child_updown, bool,
 mark_in,
 mark_out,
 udp_enc,
+ use_ipcomp ? "PLUTO_IPCOMP='1' " : "",
 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
 dns, script);

From 6d1198e71d3bd8e2f3b5c1fc1f3348807433d851 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 7 Nov 2013 17:50:02 +0100
Subject: [PATCH 2/9] updown: Allow IPIP traffic if IPComp was negotiated

The kernel implicitly creates an IPIP SA if an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses not those of the tunneled traffic) additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors duplicate rules will get installed.
---
 src/_updown/_updown.in | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 36bf64c6a9..532bd24377 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -414,6 +414,14 @@ up-host:iptables)
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
 # log IPsec host connection setup
 if [ $VPN_LOGGING ]
 then
@@ -438,6 +446,13 @@ down-host:iptables)
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
 # log IPsec host connection teardown
 if [ $VPN_LOGGING ]
 then
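Review bot: The new IPIP exception is added only in the `up-host:iptables` case here and in the `down-host`, `up-client` and `down-client` hunks that follow, and it matches IPv4 protocol 4; if this script also has IPv6 variants of these cases (not visible in the hunks), the kernel's implicit tunnel SA for IPv6 IPComp would need a matching `ip6tables` rule for protocol 41 rather than 4. The rule relies on `$IPSEC_POLICY_IN` to limit acceptance to packets that arrived through the IPsec policy; where that variable expands to nothing, any protocol-4 packet carrying the peer's source address would be accepted at position 1 of INPUT, so a comment stating that dependency would help, e.g. `# relies on $IPSEC_POLICY_IN: without the policy match every IPIP packet from the peer address is accepted`. The commit message notes that SAs with several traffic selectors install duplicate rules; since `iptables -D` removes one instance per call and the down case runs once per selector as well, the counts stay balanced, but saying so next to the teardown would save the next reader the same check.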
@@ -477,6 +492,15 @@ up-client:iptables)
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
 #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
 # log IPsec client connection setup
 if [ $VPN_LOGGING ]
 then
@@ -520,6 +544,13 @@ down-client:iptables)
 $IPSEC_POLICY_OUT -j ACCEPT
 fi
 #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
 # log IPsec client connection teardown
 if [ $VPN_LOGGING ]
 then

From 7e3bbcf77a27627455ef67c433fc70e5fd0f70e3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 7 Nov 2013 20:56:30 +0100
Subject: [PATCH 3/9] updown: Increase buffer size for script and environment variables

---
 src/libcharon/plugins/updown/updown_listener.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index e62309760c..2c3f932983 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -219,7 +219,7 @@ METHOD(listener_t, child_updown, bool,
 enumerator = child_sa->create_policy_enumerator(child_sa);
 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 {
- char command[1024];
+ char command[2048];
 host_t *my_client, *other_client;
 u_int8_t my_client_mask, other_client_mask;
 char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;

From cc04a6db3e7e0fe0d18728d9ca400e806b5876b9 Mon Sep 17 00:00:00 2001
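Review bot: Doubling `command` to 2048 bytes moves the limit rather than removing it, and nothing in the hunk shows that the length of the formatted environment string is checked before the script is run. If the call that fills `command` (outside this hunk; its argument list ends with `dns, script);` in the first patch) is an unchecked `snprintf`, an over-long environment is silently truncated and the script is started with a partial command line, most likely losing the trailing `PLUTO_HOST_ACCESS`, DNS and script-path pieces; compare its result against `sizeof(command)` and skip the invocation with a log message when it does not fit. A named constant for the size would also record why 2048 was chosen. child_updown begins and ends outside the hunk.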
From: Tobias Brunner
Date: Thu, 7 Nov 2013 20:58:42 +0100
Subject: [PATCH 4/9] kernel-netlink: Selectively add selector on SAs that use IPComp

Don't add a selector to tunnel mode SAs, these might serve multiple traffic selectors but with only one selector on the SA only the traffic matching the first one would actually get tunneled.
---
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 128e6571c9..8287f9df42 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 struct nlmsghdr *hdr;
 struct xfrm_usersa_info *sa;
 u_int16_t icv_size = 64;
+ ipsec_mode_t original_mode = mode;
 status_t status = FAILED;
 
 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 break;
 case MODE_BEET:
 case MODE_TRANSPORT:
- if(src_ts && dst_ts)
+ if (original_mode == MODE_TUNNEL)
+ { /* don't install selectors for switched SAs. because only one
+ * selector can be installed other traffic would get dropped */
+ break;
+ }
+ if (src_ts && dst_ts)
 {
 sa->sel = ts2selector(src_ts, dst_ts);
 /* don't install proto/port on SA. This would break

From fe2a2d1885306fdb03877d14255276d0a3fabb2b Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 7 Nov 2013 21:02:07 +0100
Subject: [PATCH 5/9] kernel-netlink: Set selector on transport mode IPComp SAs

---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8287f9df42..24f15d9a1f 100644
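Review bot: The comment at the new `break` speaks of "switched SAs" without saying what was switched, and a reader of this switch statement cannot see it (the change of `mode` to transport for the IPComp case happens earlier in add_sa, outside the hunk). Suggest `/* the ESP SA is switched to transport mode when IPComp takes tunnel mode; only one selector fits on an SA, so with several traffic selectors the rest would be dropped */`. `original_mode` in the first hunk is a copy of `mode` taken before that switch, so a one-line comment at its declaration saying so would make the pairing between the two hunks obvious. add_sa starts and ends outside the hunk.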
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1214,7 +1214,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
- NULL, NULL);
+ src_ts, dst_ts);
 ipcomp = IPCOMP_NONE;
 /* use transport mode ESP SA, IPComp uses tunnel mode */
 mode = MODE_TRANSPORT;

From 1fde30cc2363c86e2ac6993e86c688f6e245788f Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 8 Nov 2013 10:54:20 +0100
Subject: [PATCH 6/9] testing: Enable firewall for ikev2/compress scenario

Additionally, send a regular (small) ping as the kernel does not compress small packets and handles those differently inbound.
---
 testing/tests/ikev2/compress/description.txt | 7 ++++---
 testing/tests/ikev2/compress/evaltest.dat | 4 ++--
 testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf | 1 +
 .../tests/ikev2/compress/hosts/carol/etc/strongswan.conf | 2 +-
 testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf | 1 +
 .../tests/ikev2/compress/hosts/moon/etc/strongswan.conf | 2 +-
 testing/tests/ikev2/compress/posttest.dat | 2 ++
 testing/tests/ikev2/compress/pretest.dat | 2 ++
 8 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt
index 47829839dd..4c60384f0b 100644
--- a/testing/tests/ikev2/compress/description.txt
+++ b/testing/tests/ikev2/compress/description.txt
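Review bot: The result of the nested `add_sa` call that installs the IPComp SA appears to be discarded (the call opens the first hunk line as a bare statement; the line before it is outside the hunk), so if that installation fails the code still resets `ipcomp` and installs the ESP SA in transport mode, leaving a kernel state that does not match what was negotiated with the peer. Suggest checking it, `if (add_sa(..., src_ts, dst_ts) != SUCCESS)` followed by `{ return FAILED; }`, so the failure reaches the caller instead of surfacing later as dropped traffic. add_sa begins and ends outside the hunk.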
@@ -1,3 +1,4 @@
-This scenario enables IPCOMP compression between roadwarrior carol and
-gateway moon. Two pings from carol to alice checks
-the established tunnel with compression.
+This scenario enables IPComp compression between roadwarrior carol and
+gateway moon. Two pings from carol to alice check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index b989a77744..843326ecc6 100644
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -6,7 +6,7 @@ moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
 moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
 moon:: ip xfrm state::proto comp spi::YES
 carol::ip xfrm state::proto comp spi::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 7502175e70..78809898b5 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 keyingtries=1
 keyexchange=ikev2
 compress=yes
+ leftfirewall=yes
 
 conn home
 left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 85d8c191f0..dc937641cb 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
index aa1be047e3..718b3c8140 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 keyingtries=1
 keyexchange=ikev2
 compress=yes
+ leftfirewall=yes
 
 conn rw
 left=PH_IP_MOON
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 85d8c191f0..dc937641cb 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat
index c6d6235f9d..046d4cfdc4 100644
--- a/testing/tests/ikev2/compress/posttest.dat
+++ b/testing/tests/ikev2/compress/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index f5aa989fe3..29a90355fa 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,3 +1,5 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2

From 6055e347f864ce54610a7f6d84d5304b1fc40a1f Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 8 Nov 2013 11:12:04 +0100
Subject: [PATCH 7/9] testing: Add ikev2/compress-nat scenario

---
 .../tests/ikev2/compress-nat/description.txt | 3 +++
 testing/tests/ikev2/compress-nat/evaltest.dat | 22 +++++++++++++++++
 .../compress-nat/hosts/alice/etc/ipsec.conf | 24 +++++++++++++++++++
 .../hosts/alice/etc/strongswan.conf | 5 ++++
 .../compress-nat/hosts/bob/etc/ipsec.conf | 24 +++++++++++++++++++
 .../hosts/bob/etc/strongswan.conf | 5 ++++
 .../compress-nat/hosts/carol/etc/ipsec.conf | 23 ++++++++++++++++++
 .../hosts/carol/etc/iptables.rules | 24 +++++++++++++++++++
 .../hosts/carol/etc/strongswan.conf | 5 ++++
 testing/tests/ikev2/compress-nat/posttest.dat | 10 ++++++++
 testing/tests/ikev2/compress-nat/pretest.dat | 21 ++++++++++++++++
 testing/tests/ikev2/compress-nat/test.conf | 21 ++++++++++++++++
 12 files changed, 187 insertions(+)
 create mode 100644 testing/tests/ikev2/compress-nat/description.txt
 create mode 100644 testing/tests/ikev2/compress-nat/evaltest.dat
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/compress-nat/posttest.dat
 create mode 100644 testing/tests/ikev2/compress-nat/pretest.dat
 create mode 100644 testing/tests/ikev2/compress-nat/test.conf

diff --git a/testing/tests/ikev2/compress-nat/description.txt b/testing/tests/ikev2/compress-nat/description.txt
new file mode 100644
index 0000000000..1ad94e72f0
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/description.txt
@@ -0,0 +1,3 @@
+The peers alice and bob are located behind the NAT routers moon and sun,
+respectively. They both connect to a central gateway carol using IPComp.
+In order to test the IPsec tunnel both peers ping each other and gateway carol.
diff --git a/testing/tests/ikev2/compress-nat/evaltest.dat b/testing/tests/ikev2/compress-nat/evaltest.dat
new file mode 100644
index 0000000000..2c5db890ae
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/evaltest.dat
@@ -0,0 +1,22 @@
+alice::ipsec status 2> /dev/null::hub.*ESTABLISHED.*alice@strongswan.org.*carol@strongswan.org::YES
+bob:: ipsec status 2> /dev/null::hub.*ESTABLISHED.*bob@strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_MOON.*alice@strongswan.org::YES
+carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_SUN.*bob@strongswan.org::YES
+alice::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+bob:: ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+alice::ip xfrm state::proto comp spi::YES
+bob:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_req=1::YES
+alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
new file mode 100644
index 0000000000..7ecc68f034
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
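Review bot: The six ping expectations end in `icmp_req=1`, which ties the test to one iputils output format (other releases print `icmp_seq`), while the `ikev2/compress` expectations updated in the previous patch match only the `8192 bytes from` prefix. Suggest dropping the suffix here for consistency, e.g. `alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL::YES`. These pings also omit the `-n` used in `ikev2/compress`, so a reverse lookup could change the name that ping echoes and therefore the match.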
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=restart
+ dpddelay=60s
+ leftfirewall=yes
+ lefthostaccess=yes
+
+conn hub
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ rightsubnet=PH_IP_CAROL/32,10.2.0.0/16
+ compress=yes
+ auto=add
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000000..dc937641cb
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
new file mode 100644
index 0000000000..6ef2c06f4b
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=restart
+ dpddelay=60s
+ leftfirewall=yes
+ lefthostaccess=yes
+
+conn hub
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ rightsubnet=PH_IP_CAROL/32,10.1.0.0/16
+ compress=yes
+ auto=add
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 0000000000..dc937641cb
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
new file mode 100644
index 0000000000..23d179b7a7
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=clear
+ dpddelay=60s
+
+conn hub
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=%any
+ leftsubnet=0.0.0.0/0
+ rightsubnet=0.0.0.0/0
+ compress=yes
+ auto=add
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 0000000000..ae8f9a61e6
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..dc937641cb
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat
new file mode 100644
index 0000000000..b8432a8f25
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/posttest.dat
@@ -0,0 +1,10 @@
+bob::ipsec stop
+alice::ipsec stop
+carol::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+sun::conntrack -F
\ No newline at end of file
diff --git a/testing/tests/ikev2/compress-nat/pretest.dat b/testing/tests/ikev2/compress-nat/pretest.dat
new file mode 100644
index 0000000000..3211bc574e
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/pretest.dat
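Review bot: `posttest.dat` is added without a trailing newline (`\ No newline at end of file` after `sun::conntrack -F`), unlike the other files in this patch. Add the final newline so the last command stays on its own line if another one is appended later.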
@@ -0,0 +1,21 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p udp -j SNAT --to-source PH_IP_SUN:1200-1300
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
+sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
+carol::ipsec start
+alice::ipsec start
+bob::ipsec start
+carol::expect-connection hub
+alice::expect-connection hub
+bob::expect-connection hub
+alice::ipsec up hub
+bob::ipsec up hub
diff --git a/testing/tests/ikev2/compress-nat/test.conf b/testing/tests/ikev2/compress-nat/test.conf
new file mode 100644
index 0000000000..fd0c7f1e35
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-s-b-med.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice carol bob"

From 62e050e0efacdf0bf1b6f4414dfdb3a1f9370aa2 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 8 Nov 2013 12:16:40 +0100
Subject: [PATCH 8/9] testing: Add ipv6/rw-compress-ikev2 scenario

---
 .../ipv6/rw-compress-ikev2/description.txt | 10 ++++++++
 .../tests/ipv6/rw-compress-ikev2/evaltest.dat | 13 ++++++++++
 .../hosts/carol/etc/ipsec.conf | 25 +++++++++++++++++++
 .../hosts/carol/etc/strongswan.conf | 5 ++++
 .../hosts/moon/etc/ipsec.conf | 24 ++++++++++++++++++
 .../hosts/moon/etc/strongswan.conf | 5 ++++
 .../tests/ipv6/rw-compress-ikev2/posttest.dat | 8 ++++++
 .../tests/ipv6/rw-compress-ikev2/pretest.dat | 13 ++++++++++
 .../tests/ipv6/rw-compress-ikev2/test.conf | 22 ++++++++++++++++
 9 files changed, 125 insertions(+)
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/description.txt
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/posttest.dat
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/pretest.dat
 create mode 100644 testing/tests/ipv6/rw-compress-ikev2/test.conf

diff --git a/testing/tests/ipv6/rw-compress-ikev2/description.txt b/testing/tests/ipv6/rw-compress-ikev2/description.txt
new file mode 100644
index 0000000000..da52957f6b
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/description.txt
@@ -0,0 +1,10 @@
+This scenario enables IPComp compression between roadwarrior carol and
+gateway moon. Two IPv6 ICMP requests from carol to alice
+check the established tunnel with compression. The packet sizes are different
+because the kernel does not compress small packets.
+Note: The kernel applies IPComp after fragmenting the original packet
+according to the MTU. Also, because alice does not know about the IPsec
+tunnel between moon and carol the response to the first ICMP
+request is fragmented in too large fragments and moon sends back ICMPs
+with type 2 to notify alice about this (Path MTU Discovery).
+The second ping is then answered successfully.
diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
new file mode 100644
index 0000000000..0a0b1a78f5
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
@@ -0,0 +1,13 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+# send two pings because the first is lost due to Path MTU Discovery between alice and moon
+carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 0000000000..bd9a9e59f9
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn home
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..dc937641cb
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..c4f9b5b5b4
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn rw
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..dc937641cb
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat
new file mode 100644
index 0000000000..fdaf44080c
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat
new file mode 100644
index 0000000000..3f6427f50b
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+# enable Path MTU Discovery
+moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf
new file mode 100644
index 0000000000..4e8d1e9fbf
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
From 571025a6092e30d7839d9c78df9b8bf40084319b Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 8 Nov 2013 14:57:01 +0100 Subject: [PATCH 9/9] testing: Add ikev2/host2host-transport-nat scenario --- .../host2host-transport-nat/description.txt | 13 +++++++++ .../host2host-transport-nat/evaltest.dat | 12 ++++++++ .../hosts/alice/etc/ipsec.conf | 18 ++++++++++++ .../hosts/sun/etc/ipsec.conf | 18 ++++++++++++ .../hosts/sun/etc/iptables.rules | 28 +++++++++++++++++++ .../hosts/venus/etc/ipsec.conf | 18 ++++++++++++ .../host2host-transport-nat/posttest.dat | 6 ++++ .../ikev2/host2host-transport-nat/pretest.dat | 12 ++++++++ .../ikev2/host2host-transport-nat/test.conf | 21 ++++++++++++++ 9 files changed, 146 insertions(+) create mode 100644 testing/tests/ikev2/host2host-transport-nat/description.txt create mode 100644 testing/tests/ikev2/host2host-transport-nat/evaltest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/posttest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/pretest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/test.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
new file mode 100644
index 0000000000..6f18a88cd3
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -0,0 +1,13 @@
+An IPsec transport-mode connection between the natted host alice and gateway sun
+is successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+alice pings sun.
+Note: This scenario also demonstrates two problems with transport-mode and NAT traversal: +
    +
  1. The client venus behind the same NAT as client alice is not able to ping sun +(even with ICMP explicitly allowed there) because the request arrives unencrypted and thus gets +dropped when the IPsec policies are consulted (increases the XfrmInTmplMismatch counter +in /proc/net/xfrm_stat).
  2. +
  3. A similar issue arises when venus also establishes an IPsec transport-mode connection to +sun, due to the conflicting IPsec policies sun declines such a connection.
  4. +
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
new file mode 100644
index 0000000000..faa9fb265d
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
+sun::cat /var/log/daemon.log::unable to install policy::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf
new file mode 100644
index 0000000000..8679a23a41
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
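Review bot: Both ping lines in evaltest.dat match on `icmp_req=1`, a field whose name depends on the guest's ping implementation (other iputils releases print `icmp_seq=`), and because the venus line is a NO expectation it passes vacuously whenever the pattern simply never matches, so a pattern mismatch would silently hide the very behaviour the scenario exists to show while only the alice YES line would fail. A version-tolerant pattern such as `64 bytes from PH_IP_SUN: icmp_[sr]eq=1` on both lines keeps them meaningful. description.txt states that the unencrypted request from venus bumps XfrmInTmplMismatch on sun, so a positive check along the lines of `sun::cat /proc/net/xfrm_stat::XfrmInTmplMismatch\s+[1-9]::YES` (exact regex syntax per the harness) would assert the actual failure mode instead of the mere absence of a reply. The alice ipsec.conf hunk sharing this line raises nothing.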
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000000..11b0b2db97
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+
+conn nat-t
+ right=%any
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 0000000000..0a2cd80b89
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ICMP
+-A INPUT -i eth0 -p icmp -j ACCEPT
+-A OUTPUT -o eth0 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
new file mode 100644
index 0000000000..b416b30b87
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
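Review bot: The `# allow MobIKE` comment above the two UDP 4500 rules in sun's iptables.rules mislabels what this scenario depends on: with alice behind moon's MASQUERADE, port 4500 carries NAT-T (IKE after NAT detection plus UDP-encapsulated ESP), and MobIKE is not exercised here, so `# allow NAT-T (IKE and UDP-encapsulated ESP on port 4500)` would tell the next reader why the test breaks without these rules. The unconditional `-A INPUT -i eth0 -p icmp -j ACCEPT` is deliberate per description.txt ("even with ICMP explicitly allowed there"), and a one-line comment saying that venus's plaintext echo request is expected to be dropped by the IPsec policy rather than by this filter would stop someone from tightening it later and quietly changing what the venus NO check proves. The sun ipsec.conf hunk sharing this line raises nothing.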
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=venusCert.pem
+ leftid=venus@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-nat/posttest.dat b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
new file mode 100644
index 0000000000..80a3c7b7db
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
new file mode 100644
index 0000000000..fe0f17d3d7
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -0,0 +1,12 @@
+alice::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-nat/test.conf b/testing/tests/ikev2/host2host-transport-nat/test.conf
new file mode 100644
index 0000000000..8c2facefd5
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/test.conf
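Review bot: pretest.dat loads `/etc/iptables.rules` on alice, moon and sun but not on venus, and posttest.dat flushes the same three hosts only, although venus is started, pinged from and stopped in this scenario and its ipsec.conf carries `leftfirewall=yes`. The venus ping check in evaltest.dat is a NO expectation, so if venus's own filter state (whatever the image left there) already blocks ICMP, that check passes for the wrong reason and says nothing about sun's policy drop. Assuming venus ships a default iptables.rules like alice and moon, adding `venus::iptables-restore < /etc/iptables.rules` after the sun line in pretest.dat and `venus::iptables-restore < /etc/iptables.flush` in posttest.dat puts venus in a known state and cleans it up; otherwise drop `leftfirewall=yes` from venus's conn so the config does not promise rules nobody installs. The venus ipsec.conf hunk sharing this line raises nothing beyond that.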
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
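Review bot: `VIRTHOSTS="alice moon winnetou sun"` in test.conf leaves out venus, even though `TCPDUMPHOSTS` and `IPSECHOSTS` in the same file list it and pretest.dat and evaltest.dat run `ipsec start`, `ping` and `ipsec up nat-t` on it. If VIRTHOSTS is what the harness uses to bring up guests, as the comment above it ("All guest instances that are required for this test") indicates, venus is never booted and those steps fail or are skipped instead of demonstrating the TS_UNACCEPTABLE case the scenario was written for. The fix is `VIRTHOSTS="alice venus moon winnetou sun"`; whether `DIAGRAM="a-m-w-s-b.png"` has a variant that shows venus as well is worth checking at the same time.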