testing: Add a connmark plugin test

In this test two hosts establish a transport mode connection from behind moon. sun uses the connmark plugin to distinguish the flows. This is an example that shows how one can terminate L2TP/IPsec connections from two hosts behind the same NAT. For simplification of the test, we use an SSH connection instead, but this works for any connection initiated flow that conntrack can track.
2025-11-08 00:02:19 -05:00 · 2014-11-18 11:33:28 +01:00 · 2014-11-18 11:33:28 +01:00 · 9ed09d5f77
commit 9ed09d5f77
parent 15f392d9ed
9 changed files with 109 additions and 0 deletions
--- a/testing/tests/ikev2/host2host-transport-connmark/description.txt
+++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt
@ -0,0 +1,8 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
+and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
+the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
+connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
+the CHILD_SAs to select the correct return path SA using connection tracking.
+This allows <b>sun</b> to talk to both nodes for client initiated flows, even
+if the SAs are actually both over <b>moon</b>.<br/>
+To test the connection, both hosts establish an SSH connection to <b>sun</b>.
--- a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@ -0,0 +1,7 @@
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
--- a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
--- a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=192.168.0.2
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+
+conn nat-t
+	right=%any
+	type=transport
+	mark=%unique
+	auto=add
--- a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+}
--- a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	leftcert=venusCert.pem
+	leftid=venus@strongswan.org
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
--- a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@ -0,0 +1,5 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16  -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
--- a/testing/tests/ikev2/host2host-transport-connmark/test.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"