testing: certoe-12-nat-server

testing/pluto/TESTLIST

@@ -339,6 +339,7 @@ kvmplutotest	certoe-07-nat-2-clients			good
 kvmplutotest	certoe-08-nat-packet-cop-restart	good
 kvmplutotest	certoe-10-symetric-cert-whack		good
 kvmplutotest	certoe-11-symetric-cert-nat		good
+kvmplutotest	certoe-12-nat-server			wip
 
 kvmplutotest	ikev2-initiate-template-01		good
 

testing/pluto/certoe-12-nat-server/description.txt

@@ -0,0 +1 @@
+certificate based oe with destination NAT, east is behind nat.

testing/pluto/certoe-12-nat-server/east-ikev2-oe.conf

@@ -0,0 +1,51 @@
+conn clear
+	type=passthrough
+	authby=never
+	left=%defaultroute
+	right=%group
+	auto=route
+
+conn oe-base-server
+	type=tunnel
+	ikev2=insist
+	also=slow-retransmits
+        narrowing=yes
+	# left
+	left=%defaultroute
+	leftid=%fromcert
+        leftrsasigkey=%cert
+        leftcert=east
+	leftauth=rsasig
+	leftaddresspool=10.0.10.1-10.0.10.200
+        leftcat=yes
+	# right
+	rightid=%null
+	right=%opportunisticgroup
+	rightauth=null
+
+conn clear-or-private
+	also=oe-base-server
+	failureshunt=passthrough
+	negotiationshunt=passthrough
+	auto=add
+
+conn private-or-clear
+	also=oe-base-server
+	failureshunt=passthrough
+	negotiationshunt=passthrough
+	auto=route
+
+conn private
+	also=oe-base-server
+	failureshunt=drop
+	negotiationshunt=drop
+	auto=route
+
+conn block
+	type=reject
+	authby=never
+	left=%defaultroute
+	right=%group
+	auto=route
+
+# conn packetdefault is no longer used

testing/pluto/certoe-12-nat-server/east.conf

@@ -0,0 +1,13 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+config setup
+	logfile=/tmp/pluto.log
+	logtime=no
+	logappend=no
+	dumpdir=/tmp
+	protostack=netkey
+	plutodebug=all
+	uniqueids=no
+
+#copied  from the test directory
+include /etc/ipsec.d/ikev2-oe.conf

testing/pluto/certoe-12-nat-server/eastinit.sh

@@ -0,0 +1,12 @@
+/testing/guestbin/swan-prep  --x509
+certutil -D -n road -d sql:/etc/ipsec.d
+cp east-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
+cp policies/* /etc/ipsec.d/policies/
+echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/clear-or-private
+echo "192.1.3.0/24"  >> /etc/ipsec.d/policies/clear-or-private
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec whack --debug-all --impair-retransmits
+# give OE policies time to load
+sleep 5
+echo "initdone"

testing/pluto/certoe-12-nat-server/final.sh

@@ -0,0 +1,14 @@
+# A tunnel should have established with non-zero byte counters
+ping -n -c 4 192.1.2.23
+# jacob two two for east?
+ipsec whack --trafficstatus 
+ipsec whack --trafficstatus 
+ipsec look
+# you should see both RSA and NULL
+grep IKEv2_AUTH_ /tmp/pluto.log 
+: ==== cut ====
+ipsec auto --status
+: ==== tuc ====
+if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====

testing/pluto/certoe-12-nat-server/nicinit.sh

@@ -0,0 +1,6 @@
+iptables -t nat -F
+iptables -F
+
+ip addr add 192.1.3.130/24 dev eth1
+# Destination NAT to east's address not the port
+iptables -t nat -A PREROUTING -d 192.1.3.130 -j DNAT --to-destination 192.1.2.23

testing/pluto/certoe-12-nat-server/policies/clear

@@ -0,0 +1,4 @@
+# our console IPs used with ssh
+192.1.2.253
+192.1.3.253
+192.1.3.254

testing/pluto/certoe-12-nat-server/road-ikev2-oe.conf

@@ -0,0 +1,50 @@
+conn clear
+	type=passthrough
+	authby=never
+	left=%defaultroute
+	right=%group
+	auto=route
+
+conn oe-base-server
+	type=tunnel
+	ikev2=insist
+	also=slow-retransmits
+	narrowing=yes
+	# right
+	rightid=%fromcert
+        rightrsasigkey=%cert
+	right=%opportunisticgroup
+	rightauth=rsasig
+	# left
+	leftid=%null
+	left=%defaultroute
+	leftauth=null
+	leftmodecfgclient=yes
+	leftcat=yes
+
+conn clear-or-private
+	also=oe-base-server
+	failureshunt=passthrough
+	negotiationshunt=passthrough
+	auto=add
+
+conn private-or-clear
+	also=oe-base-server
+	failureshunt=passthrough
+	negotiationshunt=passthrough
+	auto=route
+
+conn private
+	also=oe-base-server
+	failureshunt=drop
+	negotiationshunt=drop
+	auto=route
+
+conn block
+	type=reject
+	authby=never
+	left=%defaultroute
+	right=%group
+	auto=route
+
+# conn packetdefault is no longer used

testing/pluto/certoe-12-nat-server/road.conf

@@ -0,0 +1,12 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+config setup
+	logfile=/tmp/pluto.log
+	logtime=no
+	logappend=no
+	dumpdir=/tmp
+	protostack=netkey
+	plutodebug=all
+
+#copied  from the test directory
+include /etc/ipsec.d/ikev2-oe.conf

testing/pluto/certoe-12-nat-server/roadinit.sh

@@ -0,0 +1,15 @@
+/testing/guestbin/swan-prep --x509
+certutil -D -n road -d sql:/etc/ipsec.d
+certutil -D -n east -d sql:/etc/ipsec.d
+cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
+cp policies/* /etc/ipsec.d/policies/
+echo "192.1.3.128/27"  >> /etc/ipsec.d/policies/private-or-clear
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec whack --debug-all --impair-retransmits
+# ensure for tests acquires expire before our failureshunt=2m
+echo 30 > /proc/sys/net/core/xfrm_acq_expires
+# give OE policies time to load
+sleep 5
+ip -s xfrm monitor > /tmp/xfrm-monitor.out &
+echo "initdone"

testing/pluto/certoe-12-nat-server/roadrun.sh

@@ -0,0 +1,14 @@
+# one packet, which gets eaten by XFRM, so east does not initiate
+ping -n -c 1 -I 192.1.3.209 192.1.3.130
+# wait on OE IKE negotiation
+sleep 1
+# should show established tunnel and no bare shunts
+ipsec whack --trafficstatus
+ipsec whack --shuntstatus
+ipsec look
+iptables -t nat -L -n
+killall ip > /dev/null 2> /dev/null
+cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
+# ping should succeed through tunnel
+ping -n -c 2 -I 192.1.3.209 192.1.3.130
+echo done