sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

added ikev2/rw-eap-dynamic scenario

Browse Source
This commit is contained in:
Andreas Steffen 2012-09-12 12:15:17 +02:00
parent d4cca1beea
commit 9ce931f3af
16 changed files with 172 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
testing/rw-eap-dynamic/description.txt Normal file
View File

@ -0,0 +1,5 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
<b>carol</b> uses the default <i>EAP-MD5</i> password-based client authentication
method as proposed by EAP server <b>moon</b> whereas <b>dave</b> requests an <i>EAP-TLS</i>
certificate-based client authentication by sending this proposal in an <i>EAP-NAK</i> message
back to the EAP server.

23
testing/rw-eap-dynamic/evaltest.dat Normal file
View File

@ -0,0 +1,23 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

21
testing/rw-eap-dynamic/hosts/carol/etc/ipsec.conf Normal file
View File

@ -0,0 +1,21 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap-md5
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
auto=add

3
testing/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

5
testing/rw-eap-dynamic/hosts/carol/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
}

22
testing/rw-eap-dynamic/hosts/dave/etc/ipsec.conf Normal file
View File

@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftauth=eap-tls
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
auto=add

3
testing/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA daveKey.pem

5
testing/rw-eap-dynamic/hosts/dave/etc/strongswan.conf Normal file
View File

@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
}

22
testing/rw-eap-dynamic/hosts/moon/etc/ipsec.conf Normal file
View File

@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-eap
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
rightauth=eap-dynamic
right=%any
auto=add

5
testing/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,5 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"

12
testing/rw-eap-dynamic/hosts/moon/etc/strongswan.conf Normal file
View File

@ -0,0 +1,12 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-dynamic updown
plugins {
eap-dynamic {
prefer_user = yes
preferred = md5, tls
}
}
}

6
testing/rw-eap-dynamic/posttest.dat Normal file
View File

@ -0,0 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null

10
testing/rw-eap-dynamic/pretest.dat Normal file
View File

@ -0,0 +1,10 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
dave::sleep 1

21
testing/rw-eap-dynamic/test.conf Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"

5
testing/scripts/build-umlrootfs
View File

@ -172,6 +172,11 @@ then
echo -n " --enable-eap-radius" >> $INSTALLSHELL
fi
if [ "$USE_EAP_DYNAMIC" = "yes" ]
then
echo -n " --enable-eap-dynamic" >> $INSTALLSHELL
fi
if [ "$USE_EAP_TLS" = "yes" ]
then
echo -n " --enable-eap-tls" >> $INSTALLSHELL

7
testing/testing.conf
View File

@ -19,20 +19,20 @@ UMLTESTDIR=~/strongswan-testing
# Bzipped kernel sources
# (file extension .tar.bz2 required)
KERNEL=$UMLTESTDIR/linux-3.4.3.tar.bz2
KERNEL=$UMLTESTDIR/linux-3.5.3.tar.bz2
# Extract kernel version
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
# Kernel configuration file
KERNELCONFIG=$UMLTESTDIR/.config-3.4
KERNELCONFIG=$UMLTESTDIR/.config-3.5
# Bzipped uml patch for kernel
UMLPATCH=$UMLTESTDIR/ha-3.0.patch.bz2
# Bzipped source of strongSwan
STRONGSWAN=$UMLTESTDIR/strongswan-5.0.0.tar.bz2
STRONGSWAN=$UMLTESTDIR/strongswan-5.0.1.tar.bz2
# strongSwan compile options (use "yes" or "no")
USE_LIBCURL="yes"
@ -43,6 +43,7 @@ USE_EAP_MD5="yes"
USE_EAP_MSCHAPV2="yes"
USE_EAP_IDENTITY="yes"
USE_EAP_RADIUS="yes"
USE_EAP_DYNAMIC="yes"
USE_EAP_TLS="yes"
USE_EAP_TTLS="yes"
USE_EAP_PEAP="yes"