included bad case in ikev2/rw-eap-ttls-radius scenario

2025-12-07 00:00:13 -05:00 · 2010-08-15 11:13:41 +02:00 · 2010-08-15 11:13:41 +02:00 · d662a7ffad
commit d662a7ffad
parent eb4c9c609c
9 changed files with 59 additions and 11 deletions
--- a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
@ -1,7 +1,8 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then sets up an <b>EAP-TTLS</b> tunnel via <b>moon</b> to
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
 the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
 wrong password and fails.
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@ -3,9 +3,16 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 carol::ipsec statusall::home.*ESTABLISHED::YES
 dave::ipsec statusall::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
@ -1 +1,2 @@
 carol	Cleartext-Password := "Ar3etTnp"
 dave	Cleartext-Password := "W7R0g3do"
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@ -0,0 +1,23 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 config setup
 	plutostart=no
 	charondebug="ike 2"
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
 conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
 	auto=add
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
@ -0,0 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 dave@strongswan.org : EAP "UgaM65Va"
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@ -0,0 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
  multiple_authentication=no
 }
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@ -1,5 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::/etc/init.d/radiusd stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@ -1,9 +1,14 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
 alice::cat /etc/raddb/eap.conf
 alice::cat /etc/raddb/proxy.conf
 alice::cat /etc/raddb/users
 alice::/etc/init.d/radiusd start 
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
-carol::sleep 1
+dave::ipsec up home
 dave::sleep 1
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@ -5,11 +5,11 @@
 # All UML instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+UMLHOSTS="alice carol winnetou dave moon"
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 # UML instances on which tcpdump is to be started
 #
@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon"
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
`@ -1 +1,2 @@`
	`carol Cleartext-Password := "Ar3etTnp"`	`carol Cleartext-Password := "Ar3etTnp"`
		`dave Cleartext-Password := "W7R0g3do"`
		`@ -0,0 +1,3 @@`
							`# /etc/ipsec.secrets - strongSwan IPsec secrets file`

							`dave@strongswan.org : EAP "UgaM65Va"`