forked from libreswan/libreswan
Commit
testing: added interop-ikev2-strongswan-36-esp-gmac-responder
Showing 14 changed files with 265 additions and 0 deletions.
2 changes: 2 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/description.txt
@@ -0,0 +1,2 @@ | ||
An interop test of ESP with strongswan as the responder | ||
using NULL_AES_GMAC |
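Review bot: the description names the algorithm only by strongSwan's spelling, NULL_AES_GMAC, while the libreswan side of this same test writes it as `null_auth_aes_gmac` (west.conf) and reports it as NULL_AUTH_AES_GMAC_128 (west.console.txt), and the strongSwan config uses yet another spelling, `aes128gmac`. Naming both ends and both spellings makes the interop point explicit and the test findable by grep, for example: `An interop test of ESP AES-GMAC with strongswan as the responder (esp=aes128gmac, NULL_AES_GMAC) and libreswan as the initiator (esp=null_auth_aes_gmac-null, NULL_AUTH_AES_GMAC_128)`.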
24 changes: 24 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.conf
@@ -0,0 +1,24 @@ | ||
# /usr/local/strongswan/etc/ipsec.conf - Strongswan IPsec configuration file | ||
|
||
config setup | ||
# setup items now go into strongswan.conf for version 5+ | ||
|
||
conn westnet-eastnet-ikev2-esp-null | ||
left=192.1.2.45 | ||
leftid=@west | ||
#obsoleted option leftnexthop=192.1.2.23 | ||
# Right security gateway, subnet behind it, next hop toward left. | ||
right=192.1.2.23 | ||
rightid=@east | ||
#obsoleted option rightnexthop=192.1.2.45 | ||
rightsubnet=192.0.2.0/24 | ||
leftsubnet=192.0.1.0/24 | ||
authby=secret | ||
keyexchange=ikev2 | ||
auto=add | ||
fragmentation=yes | ||
ike=aes-sha1;modp2048 | ||
esp=aes128gmac | ||
|
||
#strongswan cannot include this, due to incompatible options | ||
#include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common |
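Review bot: the conn name `westnet-eastnet-ikev2-esp-null` reads as carried over from the esp-null interop test and says nothing about GMAC; it also differs from the west side's `westnet-eastnet-ikev2-esp-null-gmac`. Connection names are local to each end, so the mismatch does not affect the negotiation, but `strongswan statusall` prefixes every line with it, so using the same name on both ends (or at least appending `-gmac`) makes east.console.txt and west.console.txt easier to compare side by side. The two `#obsoleted option ...nexthop` comments are dead configuration and can simply be dropped.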
35 changes: 35 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.console.txt
@@ -0,0 +1,35 @@ | ||
/testing/guestbin/swan-prep --userland strongswan | ||
east # | ||
../../pluto/bin/strongswan-start.sh | ||
east # | ||
echo "initdone" | ||
initdone | ||
east # | ||
if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi | ||
east # | ||
if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi | ||
Status of IKE charon daemon (strongSwan VERSION): | ||
uptime: XXX second, since YYY | ||
malloc sbrk XXXXXX,mmap X, used XXXXXX, free XXXXX | ||
Listening IP addresses: | ||
192.0.2.254 | ||
192.1.2.23 | ||
192.9.2.23 | ||
Connections: | ||
westnet-eastnet-ikev2-esp-null: 192.1.2.23...192.1.2.45 IKEv2 | ||
westnet-eastnet-ikev2-esp-null: local: [east] uses pre-shared key authentication | ||
westnet-eastnet-ikev2-esp-null: remote: [west] uses pre-shared key authentication | ||
westnet-eastnet-ikev2-esp-null: child: 192.0.2.0/24 === 192.0.1.0/24 TUNNEL | ||
Security Associations (1 up, 0 connecting): | ||
westnet-eastnet-ikev2-esp-null[1]: ESTABLISHED XXX second ago, 192.1.2.23[east]...192.1.2.45[west] | ||
westnet-eastnet-ikev2-esp-null[1]: IKEv2 SPIs: SPISPI_i SPISPI_r*, pre-shared key reauthentication in 2 hours | ||
westnet-eastnet-ikev2-esp-null[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 | ||
westnet-eastnet-ikev2-esp-null{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o | ||
westnet-eastnet-ikev2-esp-null{1}: NULL_AES_GMAC_128, XXX bytes_i (XX pkts, XXs ago), XXX bytes_o (XX pkts, XXs ago), rekeying in XX minutes | ||
westnet-eastnet-ikev2-esp-null{1}: 192.0.2.0/24 === 192.0.1.0/24 | ||
east # | ||
east # | ||
../bin/check-for-core.sh | ||
east # | ||
if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi | ||
|
1 change: 1 addition & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/east.secrets
@@ -0,0 +1 @@ | ||
@east @west : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" |
3 changes: 3 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/eastinit.sh
@@ -0,0 +1,3 @@ | ||
/testing/guestbin/swan-prep --userland strongswan | ||
../../pluto/bin/strongswan-start.sh | ||
echo "initdone" |
39 changes: 39 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/eaststrongswan.conf
@@ -0,0 +1,39 @@ | ||
# strongswan.conf - strongSwan configuration file | ||
|
||
charon { | ||
|
||
# number of worker threads in charon | ||
threads = 16 | ||
|
||
# send strongswan vendor ID? | ||
# send_vendor_id = yes | ||
|
||
plugins { | ||
|
||
} | ||
|
||
filelog { | ||
/tmp/charon.log { | ||
time_format = %b %e %T | ||
append = no | ||
default = 4 | ||
} | ||
stderr { | ||
ike = 4 | ||
knl = 4 | ||
ike_name = yes | ||
} | ||
} | ||
|
||
|
||
} | ||
|
||
pluto { | ||
|
||
} | ||
|
||
libstrongswan { | ||
|
||
# set to no, the DH exponent size is optimized | ||
# dh_exponent_ansi_x9_42 = no | ||
} |
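Review bot: `default = 4` in the filelog section is strongSwan's highest log level, the one that includes sensitive material such as key bytes in the hex dumps written to /tmp/charon.log; that is acceptable for a throwaway test VM, but a one-line comment saying so would keep this file from being copied as a template. The empty `pluto { }` and `plugins { }` sections do nothing: east.conf already notes this is a strongSwan 5+ setup, and the separate pluto daemon no longer exists there, so both blocks can go.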
9 changes: 9 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/final.sh
@@ -0,0 +1,9 @@ | ||
if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi | ||
if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi | ||
: ==== cut ==== | ||
if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi | ||
if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi | ||
: ==== tuc ==== | ||
../bin/check-for-core.sh | ||
if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi | ||
: ==== end ==== |
4 changes: 4 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/testparams.sh
@@ -0,0 +1,4 @@ | ||
#!/bin/sh | ||
|
||
. ../../default-testparams.sh | ||
EAST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed" |
26 changes: 26 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.conf
@@ -0,0 +1,26 @@ | ||
# /etc/ipsec.conf - Libreswan IPsec configuration file | ||
|
||
version 2.0 | ||
|
||
config setup | ||
# put the logs in /tmp for the UMLs, so that we can operate | ||
# without syslogd, which seems to break on UMLs | ||
logfile=/tmp/pluto.log | ||
logtime=no | ||
logappend=no | ||
plutodebug=all,crypt | ||
plutorestartoncrash=false | ||
dumpdir=/tmp | ||
protostack=netkey | ||
|
||
conn westnet-eastnet-ikev2-esp-null-gmac | ||
also=west-east-base-ipv4 | ||
also=west-east-base-id-psk | ||
also=westnet | ||
also=eastnet | ||
ikev2=insist | ||
ike=aes-sha1;modp2048 | ||
#esp=null_auth_aes_gmac128-null | ||
esp=null_auth_aes_gmac-null | ||
|
||
include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common |
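Review bot: the commented-out `#esp=null_auth_aes_gmac128-null` directly above the active `esp=null_auth_aes_gmac-null` is left without explanation; either remove it or record why the explicit key-length form is not used. The west console output in this commit shows the unqualified form negotiating NULL_AUTH_AES_GMAC_128, so the two spellings may well be equivalent here, and a short comment stating that (or noting that the `128` form failed to parse, if that was the reason) is what the next reader needs. Separately, `plutodebug=all,crypt` is the most verbose pluto logging, including crypto internals, written to /tmp/pluto.log; consistent with the rest of the test harness, but not a setting to carry into a non-test config.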
104 changes: 104 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.console.txt
@@ -0,0 +1,104 @@ | ||
/testing/guestbin/swan-prep | ||
west # | ||
# confirm that the network is alive | ||
west # | ||
../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 | ||
destination -I 192.0.1.254 192.0.2.254 is alive | ||
west # | ||
# make sure that clear text does not get through | ||
west # | ||
iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP | ||
west # | ||
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT | ||
west # | ||
# confirm with a ping | ||
west # | ||
ping -n -c 4 -I 192.0.1.254 192.0.2.254 | ||
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. | ||
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 | ||
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 | ||
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 | ||
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 | ||
--- 192.0.2.254 ping statistics --- | ||
4 packets transmitted, 0 received, 100% packet loss, time XXXX | ||
west # | ||
ipsec start | ||
Redirecting to: systemctl start ipsec.service | ||
west # | ||
/testing/pluto/bin/wait-until-pluto-started | ||
west # | ||
ipsec auto --add westnet-eastnet-ikev2-esp-null-gmac | ||
002 added connection description "westnet-eastnet-ikev2-esp-null-gmac" | ||
west # | ||
echo "initdone" | ||
initdone | ||
west # | ||
ipsec auto --up westnet-eastnet-ikev2-esp-null-gmac | ||
002 "westnet-eastnet-ikev2-esp-null-gmac" #1: initiating v2 parent SA | ||
133 "westnet-eastnet-ikev2-esp-null-gmac" #1: STATE_PARENT_I1: initiate | ||
133 "westnet-eastnet-ikev2-esp-null-gmac" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 | ||
134 "westnet-eastnet-ikev2-esp-null-gmac" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048} | ||
002 "westnet-eastnet-ikev2-esp-null-gmac" #2: IKEv2 mode peer ID is ID_FQDN: '@east' | ||
002 "westnet-eastnet-ikev2-esp-null-gmac" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] | ||
004 "westnet-eastnet-ikev2-esp-null-gmac" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=NULL_AUTH_AES_GMAC_128-NONE NATOA=none NATD=none DPD=passive} | ||
west # | ||
ping -n -c 4 -I 192.0.1.254 192.0.2.254 | ||
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. | ||
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms | ||
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms | ||
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms | ||
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms | ||
--- 192.0.2.254 ping statistics --- | ||
4 packets transmitted, 4 received, 0% packet loss, time XXXX | ||
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms | ||
west # | ||
ipsec whack --trafficstatus | ||
006 #2: "westnet-eastnet-ikev2-esp-null-gmac", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east' | ||
west # | ||
echo done | ||
done | ||
west # | ||
if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi | ||
west NOW | ||
XFRM state: | ||
src 192.1.2.23 dst 192.1.2.45 | ||
proto esp spi 0xSPISPIXX reqid REQID mode tunnel | ||
replay-window 32 flag af-unspec | ||
aead rfc4543(gcm(aes)) 0xENCAUTHKEY 128 | ||
src 192.1.2.45 dst 192.1.2.23 | ||
proto esp spi 0xSPISPIXX reqid REQID mode tunnel | ||
replay-window 32 flag af-unspec | ||
aead rfc4543(gcm(aes)) 0xENCAUTHKEY 128 | ||
XFRM policy: | ||
src 192.0.1.0/24 dst 192.0.2.0/24 | ||
dir out priority 2344 ptype main | ||
tmpl src 192.1.2.45 dst 192.1.2.23 | ||
proto esp reqid REQID mode tunnel | ||
src 192.0.2.0/24 dst 192.0.1.0/24 | ||
dir fwd priority 2344 ptype main | ||
tmpl src 192.1.2.23 dst 192.1.2.45 | ||
proto esp reqid REQID mode tunnel | ||
src 192.0.2.0/24 dst 192.0.1.0/24 | ||
dir in priority 2344 ptype main | ||
tmpl src 192.1.2.23 dst 192.1.2.45 | ||
proto esp reqid REQID mode tunnel | ||
XFRM done | ||
IPSEC mangle TABLES | ||
NEW_IPSEC_CONN mangle TABLES | ||
ROUTING TABLES | ||
default via 192.1.2.254 dev eth1 | ||
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 | ||
192.0.2.0/24 via 192.1.2.23 dev eth1 | ||
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 | ||
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 | ||
NSS_CERTIFICATES | ||
Certificate Nickname Trust Attributes | ||
SSL,S/MIME,JAR/XPI | ||
west # | ||
if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi | ||
west # | ||
west # | ||
../bin/check-for-core.sh | ||
west # | ||
if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi | ||
|
1 change: 1 addition & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/west.secrets
@@ -0,0 +1 @@ | ||
@west @east : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" |
12 changes: 12 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/westinit.sh
@@ -0,0 +1,12 @@ | ||
/testing/guestbin/swan-prep | ||
# confirm that the network is alive | ||
../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 | ||
# make sure that clear text does not get through | ||
iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP | ||
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT | ||
# confirm with a ping | ||
ping -n -c 4 -I 192.0.1.254 192.0.2.254 | ||
ipsec start | ||
/testing/pluto/bin/wait-until-pluto-started | ||
ipsec auto --add westnet-eastnet-ikev2-esp-null-gmac | ||
echo "initdone" |
4 changes: 4 additions & 0 deletions
testing/pluto/interop-ikev2-strongswan-36-esp-gmac-responder/westrun.sh
@@ -0,0 +1,4 @@ | ||
ipsec auto --up westnet-eastnet-ikev2-esp-null-gmac | ||
ping -n -c 4 -I 192.0.1.254 192.0.2.254 | ||
ipsec whack --trafficstatus | ||
echo done |