sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity
14,568 Commits 101 Branches 327 Tags
Commit Graph

968 Commits

Author SHA1 Message Date
Tobias Brunner
f36b6d49af testing: Adapt tests to retransmission settings and reduce DPD delay/timeout 2015-11-09 15:18:34 +01:00
Tobias Brunner
17816515d2 testing: Add libipsec/net2net-null scenario 2015-11-09 11:09:48 +01:00
Andreas Steffen
a98360a64c testing: BLISS CA uses SHA-3 in its CRL 2015-11-03 21:35:09 +01:00
Tobias Brunner
c6aa606a65 testing: Actually send an uncompressed packet in the ipv6/rw-compress-ikev2 scenario 
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes).  By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).

This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check.  The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed.  But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`.  However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
 2015-10-06 15:48:55 +02:00
Andreas Steffen
2b5c543051 testing: added ikev2/alg-chacha20poly1305 scenario 2015-09-01 17:30:15 +02:00
Tobias Brunner
e9ea7e6fb7 testing: Updated environment variable documentation in updown scripts 2015-08-31 11:00:05 +02:00
Andreas Steffen
cdb61c3e88 Added some spaces in swanctl.conf 2015-08-25 15:10:13 +02:00
Tobias Brunner
8923621280 testing: Fix typo in p2pnat/behind-same-nat scenario 2015-08-21 17:48:37 +02:00
Tobias Brunner
efb4b9440a testing: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario 2015-08-21 11:37:23 +02:00
Tobias Brunner
161d75f403 testing: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario 2015-08-21 11:17:25 +02:00
Tobias Brunner
18943c1f1b testing: Print triplets.dat files of clients in EAP-SIM scenarios 
References #1078.
 2015-08-21 11:16:56 +02:00
Tobias Brunner
bb1d9e454d testing: Add ikev2/trap-any scenario 2015-08-19 11:34:25 +02:00
Andreas Steffen
5f60c55919 Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario 2015-08-18 21:25:39 +02:00
Andreas Steffen
b19ef52d51 Added reason string support to HCD IMV 2015-08-18 21:25:39 +02:00
Andreas Steffen
627e4b9659 Fixed patches format delimited by CR/LF 2015-08-18 21:25:39 +02:00
Andreas Steffen
ac28daac38 testing: Added tnc/tnccs-20-hcd-eap scenario 2015-08-18 21:25:39 +02:00
Andreas Steffen
9b1eaf083f testing: Updated expired AAA server certificate 2015-08-04 21:50:01 +02:00
Andreas Steffen
493ad293b7 testing: Adapted ha/both-active scenario to new jhash values 2015-07-31 14:43:40 +02:00
Andreas Steffen
fbcac07043 testing: Regenerated BLISS certificates due to oracle changes 2015-07-27 22:09:08 +02:00
Andreas Steffen
aaeb524cea testing: Updated loop ca certificates 2015-07-22 17:11:00 +02:00
Andreas Steffen
73cbd5c7f8 testing: Updated all swanctl scenarios and added some new ones 2015-07-22 13:27:08 +02:00
Andreas Steffen
db69295d2e tests: Introduced IPV6 flag in tests.conf 2015-07-21 23:17:14 +02:00
Andreas Steffen
6b265c5e5c tests: Introduced SWANCTL flag in test.conf 2015-07-21 23:17:14 +02:00
Andreas Steffen
3d9bfb607c tests: fixed evaltest of swanctl/rw-cert scenario 2015-07-21 23:17:13 +02:00
Andreas Steffen
f335e2f848 tests: fixed description of swanctl ip-pool scenarios 2015-07-21 23:17:13 +02:00
Andreas Steffen
b8399a2edc testing: use a decent PSK 2015-05-30 16:56:41 +02:00
Andreas Steffen
1047d44b57 testing: Added ha/active-passive scenario 2015-05-30 16:48:17 +02:00
Tobias Brunner
966efbc10d testing: Fix URL to TNC@FHH project in scenario descriptions 2015-05-05 11:48:56 +02:00
Reto Buerki
41e9a261ac testing: Update TKM assert strings 2015-05-05 10:55:14 +02:00
Andreas Steffen
362e87e3e0 testing: Updated carol's certificate from research CA and dave's certificate from sales CA 2015-04-26 16:52:06 +02:00
Andreas Steffen
d04e47a9eb testing: Wait for DH crypto tests to complete 2015-04-26 11:51:49 +02:00
Andreas Steffen
79b5a33c11 imv_policy_manager: Added capability to execute an allow or block shell command string 2015-04-26 10:55:24 +02:00
Andreas Steffen
883c11caa0 Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios 2015-03-27 20:56:44 +01:00
Andreas Steffen
85aa509e84 Added tnc/tnccs-20-pt-tls scenario 2015-03-27 20:56:43 +01:00
Andreas Steffen
be04f90815 testing: added tnc/tnccs-20-mutual scenario 2015-03-23 23:01:13 +01:00
Tobias Brunner
3d964213f5 testing: Remove obsolete leftnexthop option from configs 2015-03-12 15:51:25 +01:00
Martin Willi
2b0f34a2ef testing: Don't check for exact IKEv1 fragment size 
Similar to 7a9c0d51, the exact packet size depends on many factors we don't
want to consider in this test case.
 2015-03-10 10:21:16 +01:00
Martin Willi
58c3e09918 testing: Fix active/passive role description in ha/both-active test case 2015-03-10 10:02:21 +01:00
Tobias Brunner
8b2af616ac testing: Update modified updown scripts to the latest template 
This avoids confusion and makes identifying the changes needed for each
scenario easier.
 2015-03-06 16:51:50 +01:00
Andreas Steffen
3fcb59b62a use SHA512 for moon's BLISS signature 2015-03-04 14:08:37 +01:00
Tobias Brunner
26ebe5fea8 testing: Test classic public key authentication in ikev2/net2net-cert scenario 2015-03-04 13:54:12 +01:00
Tobias Brunner
53217d70b0 testing: Disable signature authentication on dave in openssl-ikev2/ecdsa-certs scenario 2015-03-04 13:54:12 +01:00
Tobias Brunner
7a9c0d51f4 testing: Don't check for exact IKEv2 fragment size 
Because SHA-256 is now used for signatures the size of the two IKE_AUTH
messages changed.
 2015-03-04 13:54:10 +01:00
Tobias Brunner
4aa24d4c13 testing: Update test conditions because signature schemes are now logged 
RFC 7427 signature authentication is now used between strongSwan hosts
by default, which causes the actual signature schemes to get logged.
 2015-03-04 13:54:10 +01:00
Tobias Brunner
2f1b2d9183 testing: Add ikev2/rw-sig-auth scenario 2015-03-04 13:54:10 +01:00
Tobias Brunner
3b31245a0f testing: Add ikev2/net2net-cert-sha2 scenario 2015-03-04 13:54:10 +01:00
Andreas Steffen
c2aca9eed2 Implemented improved BLISS-B signature algorithm 2015-02-25 21:45:34 +01:00
Martin Willi
c10b2be967 testing: Add a forecast test case 2015-02-20 16:34:55 +01:00
Martin Willi
9ed09d5f77 testing: Add a connmark plugin test 
In this test two hosts establish a transport mode connection from behind
moon. sun uses the connmark plugin to distinguish the flows.

This is an example that shows how one can terminate L2TP/IPsec connections
from two hosts behind the same NAT. For simplification of the test, we use
an SSH connection instead, but this works for any connection initiated flow
that conntrack can track.
 2015-02-20 16:34:54 +01:00
Martin Willi
f27fb58ae0 testing: Update description and test evaluation of host2host-transport-nat 
As we now reuse the reqid for identical SAs, the behavior changes for
transport connections to multiple peers behind the same NAT. Instead of
rejecting the SA, we now have two valid SAs active. For the reverse path,
however, sun sends traffic always over the newer SA, resembling the behavior
before we introduced explicit SA conflicts for different reqids.
 2015-02-20 13:34:58 +01:00