testing: Add ikev2/net2net-route-narrow scenario

2025-10-04 00:00:14 -04:00 · 2025-03-24 14:02:25 +01:00 · 2025-03-24 14:02:25 +01:00 · 8cb5918b0c
commit 8cb5918b0c
parent 6c7c539eaf
9 changed files with 165 additions and 0 deletions
--- a/testing/tests/ikev2/net2net-route-narrow/description.txt
+++ b/testing/tests/ikev2/net2net-route-narrow/description.txt
@ -0,0 +1,11 @@
+A trap policy on gateway <b>sun</b> will trigger SAs to gateway <b>moon</b>
+that connec the subnets behind the two gateways. Based on the received traffic
+selector from the triggering packet, gateway <b>moon</b> narrows down the
+traffic selectors to one of two options.
+Subsequent pings issued by client <b>bob</b> behind gateway <b>sun</b> to
+<b>alice</b> and <b>venus</b> located behind gateway <b>moon</b> trigger the
+trap policy and lead to the automatic establishment of the subnet-to-subnet
+tunnels.
+<p/>
+The updown script automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
--- a/testing/tests/ikev2/net2net-route-narrow/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route-narrow/evaltest.dat
@ -0,0 +1,21 @@
+sun::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8] === 10.1.0.10/32\[icmp/8]::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8] === 10.1.0.20/32\[icmp/8]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/28]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.16/28]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/16]::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+sun::swanctl --rekey --child net-net
+sun::sleep 2
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+sun::swanctl --rekey --reauth --ike gw-gw
+sun::sleep 1
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/28]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.16/28]::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- a/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/strongswan.conf
@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici
+  syslog {
+    daemon {
+      cfg = 2
+    }
+  }
+}
--- a/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/swanctl/swanctl.conf
@ -0,0 +1,34 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-1 {
+            local_ts  = 10.1.0.0/28
+            remote_ts = 10.2.0.0/16
+
+            start_action = none
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+         net-2 : connections.gw-gw.children.net-1 {
+            local_ts  = 10.1.0.16/28
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
--- a/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/strongswan.conf
@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce openssl pem pkcs1 revocation kernel-netlink socket-default updown vici
+  # delete rekeyed CHILD_SAs quickly so we can reauthenticate the IKE_SA
+  delete_rekeyed_delay = 1
+  syslog {
+    daemon {
+      cfg = 2
+    }
+  }
+}
--- a/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/swanctl/swanctl.conf
@ -0,0 +1,30 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            start_action = trap
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519,aes128-sha256-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-x25519
+   }
+}
--- a/testing/tests/ikev2/net2net-route-narrow/posttest.dat
+++ b/testing/tests/ikev2/net2net-route-narrow/posttest.dat
@ -0,0 +1,5 @@
+sun::swanctl --terminate --ike gw-gw 2> /dev/null
+sun::systemctl stop strongswan
+moon::systemctl stop strongswan
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
--- a/testing/tests/ikev2/net2net-route-narrow/pretest.dat
+++ b/testing/tests/ikev2/net2net-route-narrow/pretest.dat
@ -0,0 +1,9 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+bob::ping -c 3 -W 1 -i 0.2 PH_IP_ALICE
+bob::sleep 0.5
+bob::ping -c 3 -W 1 -i 0.2 PH_IP_VENUS
--- a/testing/tests/ikev2/net2net-route-narrow/test.conf
+++ b/testing/tests/ikev2/net2net-route-narrow/test.conf
@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1