Updated swanctl/rw-psk-ikev1 scenario

2025-10-15 00:00:16 -04:00 · 2016-03-10 08:02:44 +01:00 · 2016-03-10 08:02:44 +01:00 · 90ef7e8af6
commit 90ef7e8af6
parent 1d86d1d65a
5 changed files with 36 additions and 28 deletions
--- a/testing/tests/swanctl/rw-psk-ikev1/description.txt
+++ b/testing/tests/swanctl/rw-psk-ikev1/description.txt
@ -1,10 +1,15 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on two <b>pre-shared keys</b>
-bound to the two distinct gateway identities <b>moon1.strongswan.org</b> and
-<b>moon2.strongswan.org</b>. On the gateway these two identities are bound to
-two disjoint sets of client IP address ranges which allows IKEv1 Main Mode
-to select the correct connection definition and via the gateway identity the
-correct PSK.
+to gateway <b>moon</b>. The IKEv1 main mode authentication is based on
+<b>pre-shared keys</b> and <b>IPv4 address</b> identities.
+On the gateway two connections with differing parameters are defined:
+One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from
+the range <b>192.168.0.150-192.168.0.200</b>.
+<p/>
+On the gateway for different shared keys are defined for the following
+hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>,
+<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and
+<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b>
+the fourth PSK.
 <p/>
 Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
 client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different
--- a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
@ -1,11 +1,13 @@
+dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
+moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
 venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
@ -6,11 +6,9 @@ connections {

      local {
         auth = psk
-         id = carol@strongswan.org
      }
      remote {
         auth = psk
-         id = moon1.strongswan.org 
      }
      children {
         home {
@ -27,10 +25,9 @@ connections {

 secrets {

-   ike-moon1 {
-      id = moon1.strongswan.org
+   ike-moon {
+      id = 192.168.0.1
      # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
      secret = 0x16964066a10de938bdb2ab7864fe4459cab1
   }
 }
-
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
@ -6,15 +6,13 @@ connections {

      local {
         auth = psk 
-         id = dave@strongswan.org
      }
      remote {
         auth = psk 
-         id = moon2.strongswan.org 
      }
      children {
         home {
-            remote_ts = 10.1.0.16/28 
+            remote_ts = 10.1.0.17-10.1.0.20

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes192gcm128-modp3072
@ -27,8 +25,8 @@ connections {

 secrets {

-   ike-moon2 {
-      id = moon2.strongswan.org
+   ike-moon {
+      id = 192.168.0.1
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
 }
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
@ -6,7 +6,6 @@ connections {

      local {
         auth = psk 
-         id = moon1.strongswan.org
      }
      remote {
         auth = psk 
@ -25,18 +24,17 @@ connections {

   rw-2 {
      local_addrs  = 192.168.0.1
-      remote_addrs = 192.168.0.192/28
+      remote_addrs = 192.168.0.150-192.168.0.200

      local {
         auth = psk
-         id = moon2.strongswan.org
      }
      remote {
         auth = psk
      }
      children {
         net-2 {
-            local_ts  = 10.1.0.16/28
+            local_ts  = 10.1.0.17-10.1.0.20

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes192gcm128-modp3072
@ -50,12 +48,20 @@ connections {

 secrets {

-   ike-moon1 {
-      id = moon1.strongswan.org
+   ike-any {
+      id = 0.0.0.0/0 0::0/0
+      secret = 0soBAJZLI7Bwwi61Rl113FqD/3
+   }
+   ike-rw-1 {
+      id = 192.168.0.96/28
      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
   }
-   ike-moon2 {
-      id = moon2.strongswan.org
+   ike-rw-2 {
+      id = 192.168.0.150-192.168.0.200
+      secret = 0s8qPdxyhDeGfk1l211cS8urXc
+   }
+   ike-dave {
+      id = 192.168.0.200
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
 }