testing: added interop-ikev2-strongswan-36-esp-gmac-responder

testing/pluto/TESTLIST

@@ -841,6 +841,7 @@ kvmplutotest	interop-ikev2-strongswan-35-ipsec-rekey		good
 kvmplutotest	interop-ikev2-strongswan-35-rekey-pfs		good
 kvmplutotest	interop-ikev2-strongswan-35-rekey-reauth	good
 kvmplutotest	interop-ikev2-strongswan-35-responder-rekey-pfs good
+kvmplutotest	interop-ikev2-strongswan-36-esp-gmac-responder	good
 
 #################################################################
 # DNSSEC tests

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/description.txt

@@ -0,0 +1,2 @@
+An interop test of ESP with strongswan as the responder
+using NULL_AES_GMAC

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.conf

@@ -0,0 +1,24 @@
+# /usr/local/strongswan/etc/ipsec.conf - Strongswan IPsec configuration file
+
+config setup
+	# setup items now go into strongswan.conf for version 5+
+
+conn westnet-eastnet-ikev2-esp-null
+	left=192.1.2.45
+	leftid=@west
+	#obsoleted option leftnexthop=192.1.2.23
+	# Right security gateway, subnet behind it, next hop toward left.
+	right=192.1.2.23
+	rightid=@east
+	#obsoleted option rightnexthop=192.1.2.45
+	rightsubnet=192.0.2.0/24
+	leftsubnet=192.0.1.0/24
+	authby=secret
+	keyexchange=ikev2
+	auto=add
+	fragmentation=yes
+	ike=aes-sha1;modp2048
+	esp=aes128gmac
+
+#strongswan cannot include this, due to incompatible options
+#include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.console.txt

@@ -0,0 +1,35 @@
+/testing/guestbin/swan-prep --userland strongswan
+east #
+ ../../pluto/bin/strongswan-start.sh
+east #
+ echo "initdone"
+initdone
+east #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+east #
+ if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+Status of IKE charon daemon (strongSwan VERSION):
+  uptime: XXX second, since YYY
+  malloc sbrk XXXXXX,mmap X, used XXXXXX, free XXXXX
+Listening IP addresses:
+  192.0.2.254
+  192.1.2.23
+  192.9.2.23
+Connections:
+westnet-eastnet-ikev2-esp-null:  192.1.2.23...192.1.2.45  IKEv2
+westnet-eastnet-ikev2-esp-null:   local:  [east] uses pre-shared key authentication
+westnet-eastnet-ikev2-esp-null:   remote: [west] uses pre-shared key authentication
+westnet-eastnet-ikev2-esp-null:   child:  192.0.2.0/24 === 192.0.1.0/24 TUNNEL
+Security Associations (1 up, 0 connecting):
+westnet-eastnet-ikev2-esp-null[1]: ESTABLISHED XXX second ago, 192.1.2.23[east]...192.1.2.45[west]
+westnet-eastnet-ikev2-esp-null[1]: IKEv2 SPIs: SPISPI_i SPISPI_r*, pre-shared key reauthentication in 2 hours
+westnet-eastnet-ikev2-esp-null[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+westnet-eastnet-ikev2-esp-null{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2-esp-null{1}:  NULL_AES_GMAC_128, XXX bytes_i (XX pkts, XXs ago), XXX bytes_o (XX pkts, XXs ago), rekeying in XX minutes
+westnet-eastnet-ikev2-esp-null{1}:   192.0.2.0/24 === 192.0.1.0/24
+east #
+east #
+ ../bin/check-for-core.sh
+east #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.secrets

@@ -0,0 +1 @@
+@east @west : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/eastinit.sh

@@ -0,0 +1,3 @@
+/testing/guestbin/swan-prep --userland strongswan
+../../pluto/bin/strongswan-start.sh
+echo "initdone"

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/eaststrongswan.conf

@@ -0,0 +1,39 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+
+    # number of worker threads in charon
+    threads = 16
+
+    # send strongswan vendor ID?
+    # send_vendor_id = yes
+
+    plugins {
+
+    }
+
+    filelog {
+       /tmp/charon.log {
+	  time_format = %b %e %T
+	  append = no
+	  default = 4
+       }
+       stderr {
+	  ike = 4
+	  knl = 4
+	  ike_name = yes
+       }
+    }
+
+
+}
+
+pluto {
+
+}
+
+libstrongswan {
+
+    #  set to no, the DH exponent size is optimized
+    #  dh_exponent_ansi_x9_42 = no
+}

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/final.sh

@@ -0,0 +1,9 @@
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+: ==== cut ====
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi
+if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+: ==== tuc ====
+../bin/check-for-core.sh
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/testparams.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+. ../../default-testparams.sh
+EAST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed"

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.conf

@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+version 2.0
+
+config setup
+	# put the logs in /tmp for the UMLs, so that we can operate
+	# without syslogd, which seems to break on UMLs
+	logfile=/tmp/pluto.log
+	logtime=no
+	logappend=no
+	plutodebug=all,crypt
+	plutorestartoncrash=false
+	dumpdir=/tmp
+	protostack=netkey
+
+conn westnet-eastnet-ikev2-esp-null-gmac
+	also=west-east-base-ipv4
+	also=west-east-base-id-psk
+	also=westnet
+	also=eastnet
+	ikev2=insist
+	ike=aes-sha1;modp2048
+	#esp=null_auth_aes_gmac128-null
+	esp=null_auth_aes_gmac-null
+
+include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.console.txt

@@ -0,0 +1,104 @@
+/testing/guestbin/swan-prep
+west #
+ # confirm that the network is alive
+west #
+ ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+destination -I 192.0.1.254 192.0.2.254 is alive
+west #
+ # make sure that clear text does not get through
+west #
+ iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+west #
+ iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+west #
+ # confirm with a ping
+west #
+ ping -n -c 4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 0 received, 100% packet loss, time XXXX
+west #
+ ipsec start
+Redirecting to: systemctl start ipsec.service
+west #
+ /testing/pluto/bin/wait-until-pluto-started
+west #
+ ipsec auto --add westnet-eastnet-ikev2-esp-null-gmac
+002 added connection description "westnet-eastnet-ikev2-esp-null-gmac"
+west #
+ echo "initdone"
+initdone
+west #
+ ipsec auto --up westnet-eastnet-ikev2-esp-null-gmac
+002 "westnet-eastnet-ikev2-esp-null-gmac" #1: initiating v2 parent SA
+133 "westnet-eastnet-ikev2-esp-null-gmac" #1: STATE_PARENT_I1: initiate
+133 "westnet-eastnet-ikev2-esp-null-gmac" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
+134 "westnet-eastnet-ikev2-esp-null-gmac" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
+002 "westnet-eastnet-ikev2-esp-null-gmac" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
+002 "westnet-eastnet-ikev2-esp-null-gmac" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
+004 "westnet-eastnet-ikev2-esp-null-gmac" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=NULL_AUTH_AES_GMAC_128-NONE NATOA=none NATD=none DPD=passive}
+west #
+ ping -n -c 4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time XXXX
+rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
+west #
+ ipsec whack --trafficstatus
+006 #2: "westnet-eastnet-ikev2-esp-null-gmac", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
+west #
+ echo done
+done
+west #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+west NOW
+XFRM state:
+src 192.1.2.23 dst 192.1.2.45
+	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+	replay-window 32 flag af-unspec
+	aead rfc4543(gcm(aes)) 0xENCAUTHKEY 128
+src 192.1.2.45 dst 192.1.2.23
+	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+	replay-window 32 flag af-unspec
+	aead rfc4543(gcm(aes)) 0xENCAUTHKEY 128
+XFRM policy:
+src 192.0.1.0/24 dst 192.0.2.0/24 
+	dir out priority 2344 ptype main 
+	tmpl src 192.1.2.45 dst 192.1.2.23
+		proto esp reqid REQID mode tunnel
+src 192.0.2.0/24 dst 192.0.1.0/24 
+	dir fwd priority 2344 ptype main 
+	tmpl src 192.1.2.23 dst 192.1.2.45
+		proto esp reqid REQID mode tunnel
+src 192.0.2.0/24 dst 192.0.1.0/24 
+	dir in priority 2344 ptype main 
+	tmpl src 192.1.2.23 dst 192.1.2.45
+		proto esp reqid REQID mode tunnel
+XFRM done
+IPSEC mangle TABLES
+NEW_IPSEC_CONN mangle TABLES
+ROUTING TABLES
+default via 192.1.2.254 dev eth1 
+192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
+192.0.2.0/24 via 192.1.2.23 dev eth1 
+192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
+192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
+NSS_CERTIFICATES
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+west #
+ if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+west #
+west #
+ ../bin/check-for-core.sh
+west #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.secrets

@@ -0,0 +1 @@
+@west @east : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/westinit.sh

@@ -0,0 +1,12 @@
+/testing/guestbin/swan-prep
+# confirm that the network is alive
+../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+# make sure that clear text does not get through
+iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+# confirm with a ping
+ping -n -c 4 -I 192.0.1.254 192.0.2.254
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec auto --add westnet-eastnet-ikev2-esp-null-gmac
+echo "initdone"

testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/westrun.sh

@@ -0,0 +1,4 @@
+ipsec auto --up westnet-eastnet-ikev2-esp-null-gmac
+ping -n -c 4 -I 192.0.1.254 192.0.2.254
+ipsec whack --trafficstatus
+echo done