1 parent
3ff843e
commit 83f4536
Showing
16 changed files
with
193 additions
and
0 deletions.
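--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1 @@
+certificate based oe with destination NAT, east is behind nat.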
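--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,51 @@
+conn clear
+type=passthrough
+authby=never
+left=%defaultroute
+right=%group
+auto=route
+
+conn oe-base-server
+type=tunnel
+ikev2=insist
+also=slow-retransmits
+narrowing=yes
+# left
+left=%defaultroute
+leftid=%fromcert
+leftrsasigkey=%cert
+leftcert=east
+leftauth=rsasig
+leftaddresspool=10.0.10.1-10.0.10.200
+leftcat=yes
+# right
+rightid=%null
+right=%opportunisticgroup
+rightauth=null
+
+conn clear-or-private
+also=oe-base-server
+failureshunt=passthrough
+negotiationshunt=passthrough
+auto=add
+
+conn private-or-clear
+also=oe-base-server
+failureshunt=passthrough
+negotiationshunt=passthrough
+auto=route
+
+conn private
+also=oe-base-server
+failureshunt=drop
+negotiationshunt=drop
+auto=route
+
+conn block
+type=reject
+authby=never
+left=%defaultroute
+right=%group
+auto=route
+
+# conn packetdefault is no longer used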
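Review bot: `also=slow-retransmits` in conn oe-base-server refers to a conn that neither this file nor the ipsec.conf that includes it defines, so the conn would presumably fail to load unless the harness supplies `slow-retransmits` from somewhere not in this commit; the road copy of this file later in the commit carries the same reference. A comment next to the line naming where that conn comes from, e.g. `# slow-retransmits: defined by the shared test-harness config`, would keep the hidden dependency visible. Separately, `rightauth=null` with `rightid=%null` means peers are not authenticated at all before a lease is handed out from `leftaddresspool`; that is the anonymous-OE design this test exercises, but a one-line comment beside the pool saying so would stop a reader from mistaking it for an oversight.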
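--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,13 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+config setup
+logfile=/tmp/pluto.log
+logtime=no
+logappend=no
+dumpdir=/tmp
+protostack=netkey
+plutodebug=all
+uniqueids=no
+
+#copied from the test directory
+include /etc/ipsec.d/ikev2-oe.conf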
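Review bot: `uniqueids=no` is set in this ipsec.conf but not in the road copy later in the commit, and nothing explains why east needs it. If it is there because every NULL-authenticated OE peer presents the same identity and a new one must not displace an existing connection, a one-line comment such as `# NULL-auth OE peers share an ID; keep existing connections` would make that intent clear; if it is a leftover from the test this was copied from, dropping it keeps both hosts on the same setup.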
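--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,12 @@
+/testing/guestbin/swan-prep --x509
+certutil -D -n road -d sql:/etc/ipsec.d
+cp east-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
+cp policies/* /etc/ipsec.d/policies/
+echo "192.1.2.0/24" >> /etc/ipsec.d/policies/clear-or-private
+echo "192.1.3.0/24" >> /etc/ipsec.d/policies/clear-or-private
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec whack --debug-all --impair-retransmits
+# give OE policies time to load
+sleep 5
+echo "initdone"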
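Review bot: `certutil -D -n road -d sql:/etc/ipsec.d` on the second line removes road's certificate from east's NSS database without saying why, and like every other line in this script its exit status is ignored (there is no `set -e`), so a failed deletion would go unnoticed until the authentication result differs. Presumably the intent is that east must accept road only through NULL authentication and never by a locally stored certificate; a comment such as `# drop road's cert: east must authenticate road as NULL, not by cert` would make that explicit to whoever copies this test next.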
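--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,14 @@
+# A tunnel should have established with non-zero byte counters
+ping -n -c 4 192.1.2.23
+# jacob two two for east?
+ipsec whack --trafficstatus
+ipsec whack --trafficstatus
+ipsec look
+# you should see both RSA and NULL
+grep IKEv2_AUTH_ /tmp/pluto.log
+: ==== cut ====
+ipsec auto --status
+: ==== tuc ====
+if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====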
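Review bot: `ipsec whack --trafficstatus` runs twice on consecutive lines under the comment `# jacob two two for east?`, and the question mark suggests the author was unsure the duplicate is wanted. If the second call is there because the counters may not yet reflect the ping at the first call, say so (`# second call: counters can lag the ping`); otherwise drop one so the expected output does not carry a duplicated block. The core-file check between `: ==== cut ====` and `: ==== end ====` uses backticks and parses `ls`, but that is shared harness boilerplate and should only change if it changes everywhere at once.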
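--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,6 @@
+iptables -t nat -F
+iptables -F
+
+ip addr add 192.1.3.130/24 dev eth1
+# Destination NAT to east's address not the port
+iptables -t nat -A PREROUTING -d 192.1.3.130 -j DNAT --to-destination 192.1.2.23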
Empty file.
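--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,4 @@
+# our console IPs used with ssh
+192.1.2.253
+192.1.3.253
+192.1.3.254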
Empty file.
Empty file.
Empty file.
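--- /dev/null
+++ b/PATH_NOT_SHOWN_8
@@ -0,0 +1,50 @@
+conn clear
+type=passthrough
+authby=never
+left=%defaultroute
+right=%group
+auto=route
+
+conn oe-base-server
+type=tunnel
+ikev2=insist
+also=slow-retransmits
+narrowing=yes
+# right
+rightid=%fromcert
+rightrsasigkey=%cert
+right=%opportunisticgroup
+rightauth=rsasig
+# left
+leftid=%null
+left=%defaultroute
+leftauth=null
+leftmodecfgclient=yes
+leftcat=yes
+
+conn clear-or-private
+also=oe-base-server
+failureshunt=passthrough
+negotiationshunt=passthrough
+auto=add
+
+conn private-or-clear
+also=oe-base-server
+failureshunt=passthrough
+negotiationshunt=passthrough
+auto=route
+
+conn private
+also=oe-base-server
+failureshunt=drop
+negotiationshunt=drop
+auto=route
+
+conn block
+type=reject
+authby=never
+left=%defaultroute
+right=%group
+auto=route
+
+# conn packetdefault is no longer used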
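--- /dev/null
+++ b/PATH_NOT_SHOWN_9
@@ -0,0 +1,12 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+config setup
+logfile=/tmp/pluto.log
+logtime=no
+logappend=no
+dumpdir=/tmp
+protostack=netkey
+plutodebug=all
+
+#copied from the test directory
+include /etc/ipsec.d/ikev2-oe.conf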
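--- /dev/null
+++ b/PATH_NOT_SHOWN_10
@@ -0,0 +1,15 @@
+/testing/guestbin/swan-prep --x509
+certutil -D -n road -d sql:/etc/ipsec.d
+certutil -D -n east -d sql:/etc/ipsec.d
+cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
+cp policies/* /etc/ipsec.d/policies/
+echo "192.1.3.128/27" >> /etc/ipsec.d/policies/private-or-clear
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec whack --debug-all --impair-retransmits
+# ensure for tests acquires expire before our failureshunt=2m
+echo 30 > /proc/sys/net/core/xfrm_acq_expires
+# give OE policies time to load
+sleep 5
+ip -s xfrm monitor > /tmp/xfrm-monitor.out &
+echo "initdone"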
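Review bot: the comment `# ensure for tests acquires expire before our failureshunt=2m` above `echo 30 > /proc/sys/net/core/xfrm_acq_expires` does not match the configuration it points at: `failureshunt` in road-ikev2-oe.conf takes a shunt type (`passthrough` or `drop`), not a duration, so the "2m" presumably refers to how long a failure shunt lives rather than to the option itself. Rewording it to state what the two minutes actually are, e.g. `# let kernel acquires expire (30s) well before the failure shunt's lifetime`, would stop the next reader from looking for a `failureshunt=2m` that does not exist.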
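--- /dev/null
+++ b/PATH_NOT_SHOWN_11
@@ -0,0 +1,14 @@
+# one packet, which gets eaten by XFRM, so east does not initiate
+ping -n -c 1 -I 192.1.3.209 192.1.3.130
+# wait on OE IKE negotiation
+sleep 1
+# should show established tunnel and no bare shunts
+ipsec whack --trafficstatus
+ipsec whack --shuntstatus
+ipsec look
+iptables -t nat -L -n
+killall ip > /dev/null 2> /dev/null
+cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
+# ping should succeed through tunnel
+ping -n -c 2 -I 192.1.3.209 192.1.3.130
+echo done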
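Review bot: `killall ip > /dev/null 2> /dev/null` stops the `ip -s xfrm monitor` started in the road init script by process name, so it also kills any other `ip` process on the host and discards every error, including the case where the monitor had already died and its output file is incomplete. Recording the monitor's PID where it is started (`echo $! > /tmp/xfrm-monitor.pid` after the `&` line in the init script) and using `kill "$(cat /tmp/xfrm-monitor.pid)"` here is narrower and surfaces that failure. The `sleep 1` under `# wait on OE IKE negotiation` is a fixed wait while `--impair-retransmits` is in effect; if the test proves flaky, that is the first line to revisit.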