added ikev2/net2net-psk-dscp2 DiffServ scenario

testing/tests/ikev2/net2net-psk-dscp/description.txt

@@ -0,0 +1,13 @@
+In order to support <b>Differentiated Services</b> (DiffServ), two parallel IPsec
+connections between the subnets behind the gateways <b>moon</b> and <b>sun</b> are
+set up. Using <b>XFRM marks</b> one IPsec SA is designated for <b>Best Effort</b> (BE)
+traffic and the second SA for <b>Expedited Forwarding</b> (EF) traffic.
+<p/>
+The authentication is based on a <b>pre-shared key</b> (PSK). In order to guarantee that
+the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is
+bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.

testing/tests/ikev2/net2net-psk-dscp/evaltest.dat

@@ -0,0 +1,8 @@
+moon::ipsec statusall::dscp-be.*ESTABLISHED::YES
+moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-be.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn dscp-be
+	leftid=@sun-be
+	rightid=@moon-be
+	mark=10
+	also=net-net
+	auto=add
+
+conn dscp-ef
+	leftid=@sun-ef
+	rightid=@moon-ef
+	mark=20
+	also=net-net
+	auto=add
+
+conn net-net 
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	leftauth=psk
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightauth=psk

testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf

@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn dscp-be
+	leftid=@moon-be
+	rightid=@sun-be
+	mark=10
+	also=net-net
+	auto=add
+
+conn dscp-ef
+	leftid=@moon-ef
+	rightid=@sun-ef
+	mark=20
+	also=net-net
+	auto=add
+
+conn net-net 
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	leftauth=psk
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightauth=psk

testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets

@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+

testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

testing/tests/ikev2/net2net-psk-dscp/posttest.dat

@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables -t mangle -F OUTPUT
+venus::iptables -t mangle -F OUTPUT
+bob::iptables -t mangle -F OUTPUT
+

testing/tests/ikev2/net2net-psk-dscp/pretest.dat

@@ -0,0 +1,17 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
+venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
+bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE
+bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up dscp-be
+moon::ipsec up dscp-ef

testing/tests/ikev2/net2net-psk-dscp/test.conf

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"