added new test scenarios

This commit is contained in:
Andreas Steffen 2006-09-25 05:42:13 +00:00
parent 2fcc4168f8
commit b3fcb01fd2
76 changed files with 1053 additions and 0 deletions


@ -0,0 +1,6 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.


@ -0,0 +1,9 @@
alice::ipsec statusall::nat-t.*INSTALLED::YES
venus::ipsec statusall::nat-t.*INSTALLED::YES
sun::ipsec statusall::nat-t.*INSTALLED::YES
sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES


@ -0,0 +1,19 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn nat-t
left=%defaultroute
leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
PH_IP_ALICE : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL


@ -0,0 +1,21 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn nat-t
left=PH_IP_SUN
leftsubnet=10.2.0.0/16
leftfirewall=yes
leftnexthop=%direct
right=%any
rightsubnet=10.1.0.0/16
auto=add
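Review bot: `rightsubnet=10.1.0.0/16` on the `right=%any` roadwarrior connection gives both NAT-ed peers the same remote traffic selector, so the two CHILD_SAs sun installs for alice and venus would cover one overlapping 10.1.0.0/16 policy, while the RSA variant of this scenario in the same commit uses `rightsubnetwithin=10.1.0.0/16` for exactly this situation. Unless this relies on IKEv2 narrowing to the initiator's own address, `rightsubnetwithin=10.1.0.0/16` would keep the two scenarios consistent and let each peer be narrowed to its own host. Worth confirming which of the two keywords this charon version honours before the test is taken as a reference.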


@ -0,0 +1,5 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
PH_IP_ALICE : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
PH_IP_VENUS : PSK 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
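Review bot: This file keys a distinct PSK per roadwarrior (`PH_IP_ALICE` and `PH_IP_VENUS`), whereas the scenario description added in the same commit states that both roadwarriors share the same PSK with sun; the documented trust model and the fixture should agree. Per-peer keys are the better choice, since one shared PSK would let either roadwarrior impersonate the other toward the gateway, so the description is the side to correct.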


@ -0,0 +1,19 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn nat-t
left=%defaultroute
leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
PH_IP_VENUS : PSK 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br


@ -0,0 +1,11 @@
alice::iptables -v -n -L
venus::iptables -v -n -L
sun::iptables -v -n -L
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
venus::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F


@ -0,0 +1,17 @@
alice::/etc/init.d/iptables start 2> /dev/null
venus::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::rm /etc/ipsec.d/cacerts/*
venus::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
alice::ipsec start
venus::ipsec start
sun::ipsec start
alice::sleep 2
alice::ipsec up nat-t
venus::sleep 2
venus::ipsec up nat-t
venus::sleep 2
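Review bot: The CA certificates removed on alice, venus and sun (`rm /etc/ipsec.d/cacerts/*`) are never restored, and the forwarding enabled on moon (`echo 1 > /proc/sys/net/ipv4/ip_forward`) is not reverted; the matching posttest only stops the daemons and flushes moon's nat table. If the UML guests are not re-imaged between scenarios this state leaks into whichever test runs next, so the posttest should undo both, e.g. `moon::echo 0 > /proc/sys/net/ipv4/ip_forward`, or the harness reset should be documented. The nat-rw-rsa pretest sets the same ip_forward line without reverting it.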


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"


@ -0,0 +1,5 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.


@ -0,0 +1,9 @@
alice::ipsec statusall::nat-t.*INSTALLED::YES
venus::ipsec statusall::nat-t.*INSTALLED::YES
sun::ipsec statusall::nat-t.*INSTALLED::YES
sun::ipsec status::alice@strongswan.org::YES
sun::ipsec status::@venus.strongswan.org::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn nat-t
left=%defaultroute
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add


@ -0,0 +1,34 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftfirewall=yes
conn net-net
leftsubnet=10.2.0.0/16
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
conn host-host
right=PH_IP_MOON
rightid=@moon.strongswan.org
auto=add
conn nat-t
leftsubnet=10.2.0.0/16
right=%any
rightsubnetwithin=10.1.0.0/16
auto=add
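Review bot: `conn net-net` and `conn host-host` (`right=PH_IP_MOON`, `auto=add`) are loaded on sun but nothing in this scenario's pretest or evaltest references them, which looks like a copy from another scenario. Unused connections on the gateway are policy surface with no test coverage, so the file should be reduced to `conn nat-t`. If they are intentionally kept, a one-line comment saying why would spare the next reader the same question.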


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn nat-t
left=%defaultroute
leftcert=venusCert.pem
leftid=@venus.strongswan.org
leftfirewall=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add


@ -0,0 +1,11 @@
alice::iptables -v -n -L
venus::iptables -v -n -L
sun::iptables -v -n -L
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
venus::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F


@ -0,0 +1,14 @@
alice::/etc/init.d/iptables start 2> /dev/null
venus::/etc/init.d/iptables start 2> /dev/null
sun::/etc/init.d/iptables start 2> /dev/null
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
venus::ipsec start
sun::ipsec start
alice::sleep 2
alice::ipsec up nat-t
venus::sleep 2
venus::ipsec up nat-t
venus::sleep 2


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"


@ -0,0 +1,6 @@
Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
defined. The first IPsec SA is restricted to ICMP packets and the second
covers TCP-based SSH connections. The established tunnels are tested
by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
then setting up an SSH session to the same client.


@ -0,0 +1,9 @@
carol::ipsec statusall::home-icmp.*INSTALLED::YES
carol::ipsec statusall::home-ssh.*INSTALLED::YES
moon::ipsec statusall::rw-icmp.*INSTALLED::YES
moon::ipsec statusall::rw-ssh.*INSTALLED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES


@ -0,0 +1,29 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_CAROL
leftnexthop=%direct
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
conn home-icmp
leftprotoport=icmp
rightprotoport=icmp
conn home-ssh
leftprotoport=tcp
rightprotoport=tcp/ssh


@ -0,0 +1,29 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
leftsubnet=10.1.0.0/16
right=%any
auto=add
conn rw-icmp
lefthostaccess=yes
leftprotoport=icmp
rightprotoport=icmp
conn rw-ssh
leftprotoport=tcp/ssh
rightprotoport=tcp
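Review bot: `lefthostaccess=yes` appears only under `conn rw-icmp`, presumably because the evaltest pings moon's own inner address PH_IP_MOON1 over the ICMP SA while the SSH SA only reaches alice, but nothing in the file records that dependency. Suggest a comment above it, `# lefthostaccess: evaltest pings moon's own inner address (PH_IP_MOON1) over the ICMP SA`. The same pair of lines appears in the protoport-route moon config.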


@ -0,0 +1,6 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null


@ -0,0 +1,7 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
carol::sleep 2
carol::ipsec up home-icmp
carol::ipsec up home-ssh


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"


@ -0,0 +1,8 @@
Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
defined. The first IPsec SA is restricted to ICMP packets and the second
covers TCP-based SSH connections. Using <b>add=route</b> %trap
eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
is triggered and the corresponding IPsec tunnel is set up. In the same
way an ssh session to <b>alice</b> over the second IPsec SA is established.


@ -0,0 +1,10 @@
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
carol::ssh PH_IP_ALICE hostname::alice::YES
carol::cat /var/log/auth.log::acquiring CHILD_SA::YES
carol::ipsec statusall::home-icmp.*INSTALLED::YES
carol::ipsec statusall::home-ssh.*INSTALLED::YES
moon::ipsec statusall::rw-icmp.*INSTALLED::YES
moon::ipsec statusall::rw-ssh.*INSTALLED::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
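Review bot: `carol::ssh PH_IP_ALICE hostname` carries no `-o ConnectTimeout=5`, unlike the same check in the protoport-dual evaltest; if the trap policy fires but the CHILD_SA never comes up, this ssh blocks until the TCP timeout and stalls the whole run. The pretest of this scenario issues the same unbounded ssh. Suggest `carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES` here and the same option on the pretest line.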


@ -0,0 +1,29 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_CAROL
leftnexthop=%direct
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=route
conn home-icmp
leftprotoport=icmp
rightprotoport=icmp
conn home-ssh
leftprotoport=tcp
rightprotoport=tcp/ssh


@ -0,0 +1,29 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
leftsubnet=10.1.0.0/16
right=%any
auto=add
conn rw-icmp
lefthostaccess=yes
leftprotoport=icmp
rightprotoport=icmp
conn rw-ssh
leftprotoport=tcp/ssh
rightprotoport=tcp


@ -0,0 +1,6 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null


@ -0,0 +1,8 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
carol::sleep 1
carol::ssh PH_IP_ALICE hostname
carol::ping -c 1 PH_IP_ALICE > /dev/null
carol::sleep 2


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"


@ -0,0 +1,6 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
and fully qualified domain names. Upon the successful establishment of the IPsec tunnels,
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
let pass the tunneled traffic. In order to test both tunnel and firewall, both
<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.


@ -0,0 +1,10 @@
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx


@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_DAVE
leftnexthop=%direct
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,21 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn rw
left=PH_IP_MOON
leftnexthop=%direct
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
auto=add


@ -0,0 +1,5 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,9 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null


@ -0,0 +1,13 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
carol::sleep 1


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"


@ -0,0 +1,6 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
let pass the tunneled traffic. In order to test both tunnel and firewall, both
<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.


@ -0,0 +1,10 @@
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES


@ -0,0 +1,20 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
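Review bot: The PSK is keyed by the literal address `192.168.0.100` while every other file of this scenario refers to carol as `PH_IP_CAROL`; dave's secrets file (`192.168.0.200`) and moon's secrets file in this scenario have the same mismatch. If the placeholder substitution ever assigns a different address, the IKEv2 identity no longer matches the secret and authentication fails with nothing in the config pointing at the cause, whereas the nat-rw-psk scenario writes `PH_IP_ALICE : PSK ...` so identity and key come from one source. Suggest `PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx` here and the corresponding placeholders in the other two files.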


@ -0,0 +1,21 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_DAVE
leftnexthop=%direct
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,20 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn rw
left=PH_IP_MOON
leftnexthop=%direct
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
auto=add


@ -0,0 +1,5 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,9 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null


@ -0,0 +1,13 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
carol::sleep 1


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"


@ -0,0 +1,6 @@
The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
and selects the correct roadwarrior connection definition based on the gateway ID
requested by the roadwarrior.


@ -0,0 +1,15 @@
moon::cat /var/log/auth.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon::cat /var/log/auth.log::authentication of 'PH_IP_MOON' with pre-shared key (myself)::YES
moon::ipsec statusall::rw-psk.*INSTALLED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
moon::cat /var/log/auth.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
moon::cat /var/log/auth.log::authentication of '@moon.strongswan.org' with RSA signature (myself)::YES
moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES


@ -0,0 +1,21 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx


@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
conn home
left=PH_IP_DAVE
leftnexthop=%direct
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
keyexchange=ikev2
auto=add
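Review bot: `keyexchange=ikev2` sits inside `conn home` instead of `conn %default`, where every other ipsec.conf in this commit places it, and the file gives no `authby`, so dave's RSA authentication depends on the daemon default while carol's file in the same scenario states `authby=secret` explicitly. Both work, but for a scenario whose point is the choice of authentication method the file should say what it tests. Suggest moving `keyexchange=ikev2` to `conn %default` and adding `authby=rsasig` under `conn home`.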


@ -0,0 +1,29 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=PH_IP_MOON
leftnexthop=%direct
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
conn rw-rsasig
authby=rsasig
leftcert=moonCert.pem
leftid=@moon.strongswan.org
auto=add
conn rw-psk
authby=secret
leftid=PH_IP_MOON
auto=add


@ -0,0 +1,7 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
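Review bot: dave's PSK is still listed here although in this scenario dave authenticates with an RSA signature (the evaltest asserts `authentication of 'dave@strongswan.org' with RSA signature successful`) and `conn rw-psk` accepts `right=%any`. A credential the peer is not meant to use widens what the gateway accepts for no test benefit, and removing `dave@strongswan.org : PSK ...` would make the fixture prove that dave did not take the PSK path. The psk-rsa moon secrets file legitimately keeps both PSKs, since there both roadwarriors use them.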


@ -0,0 +1,12 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
dave::rm /etc/ipsec.d/crls/*


@ -0,0 +1,13 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
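Review bot: The CRL fetch `wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl` is not checked for success; with `-O` a failed download can leave an empty strongswan.crl behind, and with `strictcrlpolicy=no` in moon's and dave's configs the run then continues without a revocation check and the test never notices. The same three lines appear in the psk-rsa pretest. An evaltest line that asserts the CRL file is non-empty, or one matching the daemon's log entry for loading the CRL (exact wording to be taken from the log), would make the revocation path observable rather than best-effort.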


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"


@ -0,0 +1,8 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The roadwarriors' authentication is based on
<ib>Pre-Shared Keys</b> (PSK) whereas the gateway uses an <b>RSA signature</b>
(RSASIG) certified by an X.509 certificate.
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.


@ -0,0 +1,12 @@
moon::cat /var/log/auth.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon::cat /var/log/auth.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
moon::cat /var/log/auth.log::authentication of '@moon.strongswan.org' with RSA signature (myself)::YES
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx


@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn home
left=PH_IP_DAVE
leftnexthop=%direct
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add


@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw
left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
auto=add
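Review bot: `conn rw` omits `authby`, so moon's own authentication method is implicit (the evaltest confirms it ends up as `with RSA signature (myself)`) while both roadwarrior configs in this scenario state `authby=secret`; for a deliberately asymmetric setup the gateway side should say what it uses. Suggest `authby=rsasig` under `conn rw`, which also documents why `: RSA moonKey.pem` sits next to the PSKs in moon's secrets file.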


@ -0,0 +1,7 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN


@ -0,0 +1,12 @@
moon::iptables -v -n -L
carol::iptables -v -n -L
dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
dave::rm /etc/ipsec.d/crls/*


@ -0,0 +1,13 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
carol::sleep 1


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"