diff --git a/testing/pluto/TESTLIST b/testing/pluto/TESTLIST index 34a25599dad..e664f976cdb 100644 --- a/testing/pluto/TESTLIST +++ b/testing/pluto/TESTLIST @@ -811,6 +811,7 @@ kvmplutotest interop-ikev1-strongswan-08-strongswan-cast good kvmplutotest interop-ikev2-strongswan-02-psk-responder good kvmplutotest interop-ikev2-strongswan-03-psk-initiator good kvmplutotest interop-ikev2-strongswan-04-x509-responder good +kvmplutotest interop-ikev2-strongswan-04-responder-impair good kvmplutotest interop-ikev2-strongswan-05-psk-aes good kvmplutotest interop-ikev2-strongswan-05-psk-md5 good kvmplutotest interop-ikev2-strongswan-06-aes192 good @@ -842,6 +843,8 @@ kvmplutotest interop-ikev2-strongswan-35-rekey-pfs good kvmplutotest interop-ikev2-strongswan-35-rekey-reauth good kvmplutotest interop-ikev2-strongswan-35-responder-rekey-pfs good kvmplutotest interop-ikev2-strongswan-36-esp-gmac-responder good +kvmplutotest interop-ikev2-strongswan-37-initiator-digsig good +kvmplutotest interop-ikev2-strongswan-38-digsig-impair good ################################################################# # DNSSEC tests diff --git a/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt index 336514d5a97..a04e28f6cb5 100644 --- a/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt +++ b/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt 
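Review bot: The second hunk adds `kvmplutotest interop-ikev2-strongswan-38-digsig-impair good`, but no `interop-ikev2-strongswan-38-digsig-impair/` directory appears in the part of this diff visible here; if that test is not part of this change, the TESTLIST entry references a test that does not exist. In the first hunk the new `interop-ikev2-strongswan-04-responder-impair` line is inserted after `04-x509-responder`, which breaks the alphabetical run the surrounding entries follow (`r` sorts before `x`); moving it one line up keeps the list sorted.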
@@ -31,13 +31,14 @@ east # grep "negotiated connection" /tmp/pluto.log "clear-or-private#192.1.3.0/24"[1] ...192.1.3.209 #2: negotiated connection [192.1.2.23-192.1.2.23:0-65535 0] -> [192.1.3.209-192.1.3.209:0-65535 0] east # - # you should see only RSA + # you should see only Digital Signatures which supports only RSA now east # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) east # east # ../bin/check-for-core.sh diff --git a/testing/pluto/certoe-10-symetric-cert-whack/final.sh b/testing/pluto/certoe-10-symetric-cert-whack/final.sh index 4e15024e2b3..5eb68656290 100644 --- a/testing/pluto/certoe-10-symetric-cert-whack/final.sh +++ b/testing/pluto/certoe-10-symetric-cert-whack/final.sh @@ -1,7 +1,7 @@ # A tunnel should have established with non-zero byte counters ipsec whack --trafficstatus grep "negotiated connection" /tmp/pluto.log -# you should see only RSA +# you should see only Digital Signatures which supports only RSA now grep IKEv2_AUTH_ OUTPUT/*pluto.log : ==== cut ==== ipsec auto --status 
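Review bot: `grep IKEv2_AUTH_ OUTPUT/*pluto.log` in final.sh is now broader than the comment above it claims: the console hunks show it also matching the debug line `not fetching ipseckey ... id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=...`, which is not an auth-method line and drags the peer's full DN into the expected output. Anchoring the pattern, `grep "auth method: IKEv2_AUTH_" OUTPUT/*pluto.log`, keeps the check on the negotiated authentication method only, so unrelated debug text that happens to mention an IKEv2_AUTH_ value cannot change the fixture. The same applies to `certoe-11-symetric-cert-nat/final.sh` further down.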
diff --git a/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt index 442ff3de8c1..fd4627762b5 100644 --- a/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt +++ b/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt @@ -10,13 +10,14 @@ nic # grep "negotiated connection" /tmp/pluto.log grep: /tmp/pluto.log: No such file or directory nic # - # you should see only RSA + # you should see only Digital Signatures which supports only RSA now nic # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) nic # nic # ../bin/check-for-core.sh diff --git a/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt index 0a22e8934cc..d425c053fc6 100644 --- a/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt +++ b/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt 
@@ -146,13 +146,14 @@ road # grep "negotiated connection" /tmp/pluto.log "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] road # - # you should see only RSA + # you should see only Digital Signatures which supports only RSA now road # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) road # road # ../bin/check-for-core.sh diff --git a/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt index ca6d3e45f2e..9662788190b 100644 --- a/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt +++ b/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt 
@@ -31,13 +31,14 @@ east # grep "negotiated connection" /tmp/pluto.log "clear-or-private#192.1.2.254/32"[1] ...192.1.2.254===10.0.10.1/32 #2: negotiated connection [192.1.2.23-192.1.2.23:0-65535 0] -> [10.0.10.1-10.0.10.1:0-65535 0] east # - # you should see only RSA + # you should see only Digital Signatures that currently only supports RSA east # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) east # east # ../bin/check-for-core.sh diff --git a/testing/pluto/certoe-11-symetric-cert-nat/final.sh b/testing/pluto/certoe-11-symetric-cert-nat/final.sh index 4e15024e2b3..0bd7584f889 100644 --- a/testing/pluto/certoe-11-symetric-cert-nat/final.sh +++ b/testing/pluto/certoe-11-symetric-cert-nat/final.sh @@ -1,7 +1,7 @@ # A tunnel should have established with non-zero byte counters ipsec whack --trafficstatus grep "negotiated connection" /tmp/pluto.log -# you should see only RSA +# you should see only Digital Signatures that currently only supports RSA grep IKEv2_AUTH_ OUTPUT/*pluto.log : ==== cut ==== ipsec auto --status 
diff --git a/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt index e8f689e2745..376a1c7aa66 100644 --- a/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt +++ b/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt @@ -20,13 +20,14 @@ nic # grep "negotiated connection" /tmp/pluto.log grep: /tmp/pluto.log: No such file or directory nic # - # you should see only RSA + # you should see only Digital Signatures that currently only supports RSA nic # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) nic # nic # ../bin/check-for-core.sh diff --git a/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt index e92fe078b71..16c30f59353 100644 --- a/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt +++ b/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt 
@@ -129,13 +129,14 @@ road # grep "negotiated connection" /tmp/pluto.log "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] road # - # you should see only RSA + # you should see only Digital Signatures that currently only supports RSA road # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) road # road # ../bin/check-for-core.sh diff --git a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt index 964de776193..c8b4e655cda 100644 --- a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt +++ b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt 
@@ -30,10 +30,11 @@ east # initdone east # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| westnet-eastnet-ikev2 #1 not fetching ipseckey that end rsasigkey != %dnsondemand initiator IKEv2 Auth Method is not IKEv2_AUTH_RSA, IKEv2_AUTH_DIGSIG remote=192.1.2.45 thatid=@west +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) east # east # ../bin/check-for-core.sh diff --git a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt index 203b1a9f5f4..8a43357a09e 100644 --- a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt +++ b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt @@ -77,10 +77,11 @@ west # done west # grep IKEv2_AUTH_ OUTPUT/*pluto.log -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) -OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/east.pluto.log:| westnet-eastnet-ikev2 #1 not fetching ipseckey that end rsasigkey != %dnsondemand initiator IKEv2 Auth Method is not IKEv2_AUTH_RSA, IKEv2_AUTH_DIGSIG remote=192.1.2.45 thatid=@west +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) +OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe) west # west # ../bin/check-for-core.sh 
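Review bot: The new expected line `not fetching ipseckey that end rsasigkey != %dnsondemand initiator IKEv2 Auth Method is not IKEv2_AUTH_RSA, IKEv2_AUTH_DIGSIG remote=192.1.2.45 thatid=@west` suggests the IPSECKEY-fetch decision still keys on `IKEv2_AUTH_RSA` alone. For this test that is harmless, since neither end uses `%dnsondemand`, but if that reading is right a responder configured with `rsasigkey=%dnsondemand` would stop fetching the peer's key once the initiator authenticates with `IKEv2_AUTH_DIGSIG`, which this commit makes the default; a DNS-based case exercising DIGSIG together with `%dnsondemand` would confirm or rule that out. The message itself also runs two reasons together without a separator, which lives in the pluto source rather than this hunk.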
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/description.txt b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/description.txt new file mode 100644 index 00000000000..77eacbcb7f1 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/description.txt @@ -0,0 +1,11 @@ +RFC 7427 : +Basic pluto with IKEv2 using X.509 on the initiator (west), and Strongswan on +the responder (east) with impair. + +Impairment is introduced in such a way that , the Signature hash notification is +not sent. Therefore Authentication method is no longer Digital Signature , but RSA (legacy) + +This case is to be sure that libreswan without Digital Signatures(RFC 7427) ie an older version +can still interop with Strongwan (with Digital Signature implemented) + + diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.conf new file mode 100644 index 00000000000..444893ff095 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.conf 
@@ -0,0 +1,27 @@ +# /etc/ipsec.conf - Strongswan IPsec configuration file + +config setup + # setup items now go into strongswan.conf for version 5+ + +conn westnet-eastnet-ikev2 + authby=rsasig + #auto=start + left=192.1.2.45 + leftsubnet=192.0.1.0/24 + leftrsasigkey=%cert + leftcert=/etc/strongswan/ipsec.d/certs/west.crt + leftsendcert=never + leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org" + right=192.1.2.23 + rightsubnet=192.0.2.0/24 + rightrsasigkey=%cert + rightcert=/etc/strongswan/ipsec.d/certs/east.crt + rightsendcert=never + rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org" + # strongswan options + keyexchange=ikev2 + auto=add + fragmentation=yes + +#strongswan cannot include this, due to incompatible options +#include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.console.txt b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.console.txt new file mode 100644 index 00000000000..794d59e0da0 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.console.txt 
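Review bot: The `leftid`/`rightid` values in east.conf do not match the certificates the test actually uses: the new east.console.txt shows the established SA with `C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org`, while the configured ids omit `L=Toronto` and use `E=testing.libreswan.org`. strongSwan presumably falls back to the certificate subject when the configured id is not confirmed by the cert, which would be why the test still passes, but a stale identity in a config is exactly what later hides a real mismatch; either set both ids to the DNs shown in the console or drop them and let `leftcert`/`rightcert` define the identities. The two ids also use different DN syntaxes (comma-separated versus `/`-separated); pick one.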
@@ -0,0 +1,22 @@ +setenforce 0 +east # + /testing/guestbin/swan-prep --userland strongswan --x509 +east # + ../../pluto/bin/strongswan-start.sh +east # + echo "initdone" +initdone +east # + if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi +east # + if [ -f /var/run/charon.pid ]; then strongswan status ; fi +Security Associations (1 up, 0 connecting): +westnet-eastnet-ikev2[2]: ESTABLISHED XXX second ago, 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org] +westnet-eastnet-ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o +westnet-eastnet-ikev2{1}: 192.0.2.0/24 === 192.0.1.0/24 +east # +east # + ../bin/check-for-core.sh +east # + if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi + diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.secrets b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.secrets new file mode 100644 index 00000000000..495bdae7bcb --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.secrets @@ -0,0 +1 @@ +: RSA /etc/strongswan/ipsec.d/private/east.key "foobar" diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eastinit.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eastinit.sh new file mode 100755 index 00000000000..08800758e10 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eastinit.sh @@ -0,0 +1,4 @@ +setenforce 0 +/testing/guestbin/swan-prep --userland strongswan --x509 +../../pluto/bin/strongswan-start.sh +echo "initdone" diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eaststrongswan.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eaststrongswan.conf new file mode 100644 index 00000000000..8e5122e4ba5 
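Review bot: `setenforce 0` in eastinit.sh switches the whole guest to SELinux permissive mode for the run, with no comment on why the strongSwan userland needs it (the libreswan-side eastinit.sh for interop-ikev2-strongswan-37 below does not). Permissive mode also changes what the `ausearch -r -m avc -ts recent` step in final.sh means, since denials are then logged but no longer enforced, so a failing policy would not break the test. If it is required, a one-line comment such as `# strongswan userland needs permissive SELinux on this image; AVCs are still logged and checked in final.sh` records the reason; otherwise the line should go.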
--- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eaststrongswan.conf @@ -0,0 +1,39 @@ +# strongswan.conf - strongSwan configuration file + +charon { + + # number of worker threads in charon + threads = 16 + + # send strongswan vendor ID? + # send_vendor_id = yes + + plugins { + + } + + filelog { + /tmp/charon.log { + time_format = %b %e %T + append = no + default = 4 + } + stderr { + ike = 4 + knl = 4 + ike_name = yes + } + } + + +} + +pluto { + +} + +libstrongswan { + + # set to no, the DH exponent size is optimized + # dh_exponent_ansi_x9_42 = no +} diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/final.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/final.sh new file mode 100755 index 00000000000..487265e84d9 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/final.sh @@ -0,0 +1,9 @@ +if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi +if [ -f /var/run/charon.pid ]; then strongswan status ; fi +: ==== cut ==== +if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi +if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi +: ==== tuc ==== +../bin/check-for-core.sh +if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi +: ==== end ==== diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/testparams.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/testparams.sh new file mode 100644 index 00000000000..e7f5695788a --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/testparams.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +. ../../default-testparams.sh +EAST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed" diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.conf new file mode 100644 index 00000000000..f85c66ab75a --- /dev/null 
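Review bot: `default = 4` in the `filelog` block of eaststrongswan.conf selects strongSwan's most verbose log level for everything written to `/tmp/charon.log`, and at that level strongSwan also logs sensitive material such as keys. That is acceptable on a throwaway test guest, but nothing in the file says so; a comment like `# level 4 also logs sensitive material (keys) - test-only, do not copy into a production strongswan.conf` above the `/tmp/charon.log` block makes the intent explicit for whoever copies this file into the next interop test.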
+++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - Libreswan IPsec configuration file + +version 2.0 + +config setup + # put the logs in /tmp for the UMLs, so that we can operate + # without syslogd, which seems to break on UMLs + logfile=/tmp/pluto.log + logtime=no + logappend=no + plutodebug=all + plutorestartoncrash=false + dumpdir=/tmp + protostack=netkey + +conn westnet-eastnet-ikev2 + also=slow-retransmits + also=westnet-eastnet-x509 + ikev2=insist + authby=rsasig + leftsendcert=always + rightsendcert=never + + +include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.console.txt b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.console.txt new file mode 100644 index 00000000000..be2ca1fd37f --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.console.txt 
@@ -0,0 +1,132 @@ +/testing/guestbin/swan-prep --x509 +Preparing X.509 files +west # + # confirm that the network is alive +west # + ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 +destination -I 192.0.1.254 192.0.2.254 is alive +west # + # make sure that clear text does not get through +west # + iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP +west # + iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT +west # + # confirm with a ping +west # + ping -n -c 4 -I 192.0.1.254 192.0.2.254 +PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. +[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 +[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 +[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 +[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 +--- 192.0.2.254 ping statistics --- +4 packets transmitted, 0 received, 100% packet loss, time XXXX +west # + ipsec start +Redirecting to: systemctl start ipsec.service +west # + /testing/pluto/bin/wait-until-pluto-started +west # + ipsec auto --add westnet-eastnet-ikev2 +002 added connection description "westnet-eastnet-ikev2" +west # + echo "initdone" +initdone +west # + ipsec whack --debug-all --impair-omit-hash-notify +west # + ipsec auto --up westnet-eastnet-ikev2 +002 "westnet-eastnet-ikev2" #1: initiating v2 parent SA +133 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: initiate +002 "westnet-eastnet-ikev2" #1: Impair: Skipping the Signature hash notify in 
IKE_SA_INIT Request +133 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 +002 "westnet-eastnet-ikev2" #1: Impair: Skipping the Signature hash notify in IKE_SA_INIT Request +133 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 +134 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP3072} +010 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: retransmission; will wait 2000ms for response +010 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: retransmission; will wait 4000ms for response +002 "westnet-eastnet-ikev2" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' +002 "westnet-eastnet-ikev2" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] +004 "westnet-eastnet-ikev2" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive} +west # + ping -n -c4 -I 192.0.1.254 192.0.2.254 +PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 
+64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms +64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms +64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms +64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms +--- 192.0.2.254 ping statistics --- +4 packets transmitted, 4 received, 0% packet loss, time XXXX +rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms +west # + ipsec whack --trafficstatus +006 #2: "westnet-eastnet-ikev2", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' +west # + # impair should show SIGNATURE_HASH_ALGORITHMS not to be sent +west # + grep "SIGNATURE_HASH_ALGORITHMS" /tmp/pluto.log +west # + # Expect RSA, not DIGSIG due to the impair of sending support notify +west # + grep "auth method" /tmp/pluto.log +| auth method: IKEv2_AUTH_RSA (0x1) +| auth method: IKEv2_AUTH_RSA (0x1) +west # + echo done +done +west # + if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi +west NOW +XFRM state: +src 192.1.2.23 dst 192.1.2.45 + proto esp spi 0xSPISPIXX reqid REQID mode tunnel + replay-window 32 flag af-unspec + auth-trunc hmac(sha256) 0xHASHKEY 128 + enc cbc(aes) 0xENCKEY +src 192.1.2.45 dst 192.1.2.23 + proto esp spi 0xSPISPIXX reqid REQID mode tunnel + replay-window 32 flag af-unspec + auth-trunc hmac(sha256) 0xHASHKEY 128 + enc cbc(aes) 0xENCKEY +XFRM policy: +src 192.0.1.0/24 dst 192.0.2.0/24 + dir out priority 2344 ptype main + tmpl src 192.1.2.45 dst 192.1.2.23 + proto esp reqid REQID mode tunnel +src 192.0.2.0/24 dst 192.0.1.0/24 + dir fwd priority 2344 ptype main + tmpl src 192.1.2.23 dst 192.1.2.45 + proto esp reqid REQID mode tunnel +src 192.0.2.0/24 dst 192.0.1.0/24 + dir in priority 2344 ptype main + tmpl src 192.1.2.23 dst 192.1.2.45 + proto esp reqid REQID mode tunnel +XFRM done +IPSEC mangle TABLES +NEW_IPSEC_CONN mangle TABLES +ROUTING TABLES +default via 192.1.2.254 
dev eth1 +192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 +192.0.2.0/24 dev eth1 scope link src 192.0.1.254 +192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 +192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 +NSS_CERTIFICATES +Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI +Libreswan test CA for mainca - Libreswan CT,, +east P,, +east-ec P,, +hashsha2 P,, +nic P,, +north P,, +road P,, +west u,u,u +west # + if [ -f /var/run/charon.pid ]; then strongswan status ; fi +west # +west # + ../bin/check-for-core.sh +west # + if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi + diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westinit.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westinit.sh new file mode 100755 index 00000000000..0d5f0a6f453 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westinit.sh @@ -0,0 +1,12 @@ +/testing/guestbin/swan-prep --x509 +# confirm that the network is alive +../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 +# make sure that clear text does not get through +iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP +iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT +# confirm with a ping +ping -n -c 4 -I 192.0.1.254 192.0.2.254 +ipsec start +/testing/pluto/bin/wait-until-pluto-started +ipsec auto --add westnet-eastnet-ikev2 +echo "initdone" diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westrun.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westrun.sh new file mode 100755 index 00000000000..198180d9784 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/westrun.sh 
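Review bot: The expected output in west.console.txt bakes in timing-dependent lines: `Impair: Skipping the Signature hash notify in IKE_SA_INIT Request` and `sent v2I1, expected v2R1` each appear twice, followed by `#2: STATE_PARENT_I2: retransmission; will wait 2000ms for response` and the 4000ms repeat, so the fixture only matches when the strongSwan responder is slow enough to cause exactly one IKE_SA_INIT retransmit and two IKE_AUTH retransmits. If responder timing varies between runs this test will be flaky. Unless the retransmissions are part of what is being tested, a console fixup that drops the `retransmission; will wait` and duplicated `Impair:` lines would make the expectation about the auth method, which is the point of the test, stable.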
@@ -0,0 +1,9 @@ +ipsec whack --debug-all --impair-omit-hash-notify +ipsec auto --up westnet-eastnet-ikev2 +ping -n -c4 -I 192.0.1.254 192.0.2.254 +ipsec whack --trafficstatus +# impair should show SIGNATURE_HASH_ALGORITHMS not to be sent +grep "SIGNATURE_HASH_ALGORITHMS" /tmp/pluto.log +# Expect RSA, not DIGSIG due to the impair of sending support notify +grep "auth method" /tmp/pluto.log +echo done diff --git a/testing/pluto/interop-ikev2-strongswan-04-x509-responder/description.txt b/testing/pluto/interop-ikev2-strongswan-04-x509-responder/description.txt index 5fd22128e52..60b7b4bd2ba 100644 --- a/testing/pluto/interop-ikev2-strongswan-04-x509-responder/description.txt +++ b/testing/pluto/interop-ikev2-strongswan-04-x509-responder/description.txt @@ -1,5 +1,9 @@ +RFC 7427: Basic pluto with IKEv2 using X.509 on the initiator (west), and Strongswan on the responder (east). This is the reverse test of interop-ikev2-strongswan-05 +By default the Authentication method now is Digital Signatures. +We currently supoort RSA with SHA1 only. + diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/description.txt b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/description.txt new file mode 100644 index 00000000000..6e411e147e6 --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/description.txt @@ -0,0 +1,11 @@ +Basic pluto with IKEv2 using X.509 on the responder (east), and Strongswan on +the initiator (west). + +This is the reverse test of interop-ikev2-strongswan-04-x509-responder + +This is the basic test for Authentication method as Digital Signatures as +specified in RFC 7427. Currently supported for RSA. + +This includes a new notification of type SIGNATURE_HASH_ALGORITHMS. We currently +supoort SHA1 only. + diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.conf b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.conf new file mode 100644 index 00000000000..f80fc05fc42 
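Review bot: The negative check `grep "SIGNATURE_HASH_ALGORITHMS" /tmp/pluto.log` in westrun.sh proves the notify was omitted only by producing no output, and an empty result is indistinguishable from a mistyped pattern or a log that was never written. Grepping for the positive evidence the impair emits, `grep "Impair: Skipping the Signature hash notify" /tmp/pluto.log`, or using `grep -c "SIGNATURE_HASH_ALGORITHMS" /tmp/pluto.log` so an explicit `0` lands in the console, pins the expectation. The two comments could also be tightened to `# impair: the SIGNATURE_HASH_ALGORITHMS notify must not be sent` and `# expect IKEv2_AUTH_RSA, not DIGSIG, because the hash notify was impaired`.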
--- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - Libreswan IPsec configuration file + +version 2.0 + +config setup + # put the logs in /tmp for the UMLs, so that we can operate + # without syslogd, which seems to break on UMLs + logfile=/tmp/pluto.log + logtime=no + logappend=no + plutodebug=all + plutorestartoncrash=false + dumpdir=/tmp + protostack=netkey + +conn westnet-eastnet-ikev2 + also=westnet-eastnet-x509 + ikev2=insist + authby=rsasig + leftsendcert=always + #leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org" + rightsendcert=never + #rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org" + + +include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.console.txt b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.console.txt new file mode 100644 index 00000000000..6c302c5a1db --- /dev/null +++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/east.console.txt 
@@ -0,0 +1,68 @@
+/testing/guestbin/swan-prep --x509
+Preparing X.509 files
+east #
+ ipsec start
+Redirecting to: systemctl start ipsec.service
+east #
+ /testing/pluto/bin/wait-until-pluto-started
+east #
+ ipsec auto --add westnet-eastnet-ikev2
+002 added connection description "westnet-eastnet-ikev2"
+east #
+ echo "initdone"
+initdone
+east #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+east NOW
+XFRM state:
+src 192.1.2.45 dst 192.1.2.23
+ proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+ replay-window 32 flag af-unspec
+ auth-trunc hmac(sha512) 0xHASHKEY 256
+ enc cbc(aes) 0xENCKEY
+src 192.1.2.23 dst 192.1.2.45
+ proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+ replay-window 32 flag af-unspec
+ auth-trunc hmac(sha512) 0xHASHKEY 256
+ enc cbc(aes) 0xENCKEY
+XFRM policy:
+src 192.0.1.0/24 dst 192.0.2.0/24
+ dir fwd priority 2344 ptype main
+ tmpl src 192.1.2.45 dst 192.1.2.23
+ proto esp reqid REQID mode tunnel
+src 192.0.1.0/24 dst 192.0.2.0/24
+ dir in priority 2344 ptype main
+ tmpl src 192.1.2.45 dst 192.1.2.23
+ proto esp reqid REQID mode tunnel
+src 192.0.2.0/24 dst 192.0.1.0/24
+ dir out priority 2344 ptype main
+ tmpl src 192.1.2.23 dst 192.1.2.45
+ proto esp reqid REQID mode tunnel
+XFRM done
+IPSEC mangle TABLES
+NEW_IPSEC_CONN mangle TABLES
+ROUTING TABLES
+default via 192.1.2.254 dev eth1
+192.0.1.0/24 dev eth1 scope link src 192.0.2.254
+192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
+192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
+192.9.2.0/24 dev eth2 proto kernel scope link src 192.9.2.23
+NSS_CERTIFICATES
+Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+Libreswan test CA for mainca - Libreswan CT,,
+east u,u,u
+hashsha2 P,,
+nic P,,
+north P,,
+road P,,
+west P,,
+west-ec P,,
+east #
+ if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+east #
+east #
+ ../bin/check-for-core.sh
+east #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/eastinit.sh b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/eastinit.sh
new file mode 100755
index 00000000000..ec9125202f7
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/eastinit.sh
@@ -0,0 +1,5 @@
+/testing/guestbin/swan-prep --x509
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec auto --add westnet-eastnet-ikev2
+echo "initdone"
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/final.sh b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/final.sh
new file mode 100755
index 00000000000..487265e84d9
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/final.sh
@@ -0,0 +1,9 @@
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+: ==== cut ====
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi
+if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+: ==== tuc ====
+../bin/check-for-core.sh
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/testparams.sh b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/testparams.sh
new file mode 100644
index 00000000000..be06e9b7fc0
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/testparams.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+. ../../default-testparams.sh
+WEST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed"
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.conf b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.conf
new file mode 100644
index 00000000000..ac4a0f929b7
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - Strongswan IPsec configuration file
+
+config setup
+ # setup items now go into strongswan.conf for version 5+
+
+conn westnet-eastnet-ikev2
+ authby=rsasig
+ left=192.1.2.45
+ leftsubnet=192.0.1.0/24
+ leftrsasigkey=%cert
+ leftcert=/etc/strongswan/ipsec.d/certs/west.crt
+ leftsendcert=never
+ leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org"
+ right=192.1.2.23
+ rightsubnet=192.0.2.0/24
+ rightrsasigkey=%cert
+ rightcert=/etc/strongswan/ipsec.d/certs/east.crt
+ rightsendcert=never
+ rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org"
+ # strongswan options
+ keyexchange=ikev2
+ auto=add
+ fragmentation=yes
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.console.txt b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.console.txt
new file mode 100644
index 00000000000..c787a89a6b1
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.console.txt
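Review bot: The `leftid=` and `rightid=` values in this conn do not match the certificate subjects the test actually authenticates with: the west console for this test shows `C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org` (an `L=Toronto` component and a different `E=`), and the east identity differs from the configured `rightid` in the same way. The tunnel still establishes, so strongswan presumably falls back to the certificate subject, but the stale ids misrepresent which identities are being asserted and checked. Either drop both `leftid`/`rightid` lines so the certificate subject is used, or set them to the DNs the console shows; the identical west.conf added for interop-ikev2-strongswan-38-digsig-impair has the same mismatch.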
@@ -0,0 +1,99 @@
+/testing/guestbin/swan-prep --userland strongswan --x509
+west #
+ # confirm that the network is alive
+west #
+ ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+destination -I 192.0.1.254 192.0.2.254 is alive
+west #
+ # make sure that clear text does not get through
+west #
+ iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+west #
+ iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+west #
+ # confirm with a ping
+west #
+ ping -n -c 4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 0 received, 100% packet loss, time XXXX
+west #
+ setenforce 0
+west #
+ ../../pluto/bin/strongswan-start.sh
+west #
+ echo "initdone"
+initdone
+west #
+ strongswan up westnet-eastnet-ikev2
+initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
+generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
+sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
+received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
+parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
+peer didn't accept DH group CURVE_25519, it requested MODP_2048
+initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
+generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
+sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
+received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
+parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(HASH_ALG) N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
+received cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org"
+authentication of 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' (myself) with RSA_EMSA_PKCS1_SHA1 successful
+establishing CHILD_SA westnet-eastnet-ikev2
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
+received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
+parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
+ using trusted ca certificate "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org"
+checking certificate status of "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org"
+ requesting ocsp status from 'http://nic.testing.libreswan.org:2560' ...
+libcurl request failed [7]: Failed to connect to nic.testing.libreswan.org port 2560: No route to host
+ocsp request to http://nic.testing.libreswan.org:2560 failed
+ocsp check failed, fallback to crl
+ fetching crl from 'http://nic.testing.libreswan.org/revoked.crl' ...
+libcurl request failed [7]: Failed to connect to nic.testing.libreswan.org port 80: No route to host
+crl fetching failed
+certificate status is not available
+ reached self-signed root ca with a path length of 0
+ using trusted certificate "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org"
+authentication of 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' with RSA_EMSA_PKCS1_SHA1 successful
+IKE_SA westnet-eastnet-ikev2[1] established between 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]...192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]
+scheduling reauthentication in XXXs
+maximum IKE_SA lifetime XXXs
+connection 'westnet-eastnet-ikev2' established successfully
+west #
+ ping -n -c4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time XXXX
+rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
+west #
+ # hash algorithm notication should be received
+west #
+ grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]"
+ received SIGNATURE_HASH_ALGORITHMS notify
+west #
+ echo done
+done
+west #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+west #
+ if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+Security Associations (1 up, 0 connecting):
+westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]...192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]
+westnet-eastnet-ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{1}: 192.0.1.0/24 === 192.0.2.0/24
+west #
+west #
+ ../bin/check-for-core.sh
+west #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.secrets b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.secrets
new file mode 100644
index 00000000000..efceb7ca004
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/west.secrets
@@ -0,0 +1 @@
+: RSA /etc/strongswan/ipsec.d/private/west.key "foobar"
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westinit.sh b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westinit.sh
new file mode 100755
index 00000000000..678c2ba416c
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westinit.sh
@@ -0,0 +1,11 @@
+/testing/guestbin/swan-prep --userland strongswan --x509
+# confirm that the network is alive
+../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+# make sure that clear text does not get through
+iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+# confirm with a ping
+ping -n -c 4 -I 192.0.1.254 192.0.2.254
+setenforce 0
+../../pluto/bin/strongswan-start.sh
+echo "initdone"
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westrun.sh b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westrun.sh
new file mode 100755
index 00000000000..4e91b474b97
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/westrun.sh
@@ -0,0 +1,7 @@
+strongswan up westnet-eastnet-ikev2
+ping -n -c4 -I 192.0.1.254 192.0.2.254
+
+# hash algorithm notication should be received
+grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]"
+
+echo done
diff --git a/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/weststrongswan.conf b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/weststrongswan.conf
new file mode 100644
index 00000000000..8e5122e4ba5
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-37-initiator-digsig/weststrongswan.conf
@@ -0,0 +1,39 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+
+ # number of worker threads in charon
+ threads = 16
+
+ # send strongswan vendor ID?
+ # send_vendor_id = yes
+
+ plugins {
+
+ }
+
+ filelog {
+ /tmp/charon.log {
+ time_format = %b %e %T
+ append = no
+ default = 4
+ }
+ stderr {
+ ike = 4
+ knl = 4
+ ike_name = yes
+ }
+ }
+
+
+}
+
+pluto {
+
+}
+
+libstrongswan {
+
+ # set to no, the DH exponent size is optimized
+ # dh_exponent_ansi_x9_42 = no
+}
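Review bot: The comment above the grep in westrun.sh has a typo (`notication`) and under-describes what this test pins: the west console for this test authenticates with `RSA_EMSA_PKCS1_SHA1`, i.e. SHA-1 is the only hash being advertised and negotiated for RFC 7427 signatures here, as the description.txt also states. Suggest `# hash algorithm notification should be received; only SHA1 is advertised for now, so the console expects RSA_EMSA_PKCS1_SHA1`, so that the expectation is revisited deliberately when SHA-2 support is added rather than silently re-baselined. Note that `grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]"` prints nothing rather than failing when the notify is absent, which is acceptable here only because the console comparison is the real check.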
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/description.txt b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/description.txt
new file mode 100644
index 00000000000..3c55fa52330
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/description.txt
@@ -0,0 +1,13 @@
+RFC 7427 :
+Basic pluto with IKEv2 using X.509 on the responder (east), and Strongswan on
+the initiator (west) with impairment.
+
+The impairment is introduced in such a way that we ignore processing the hash notify
+we receive from strongswan in IKE_SA_INIT Request.
+
+This is to ensure that Libreswan with default Authentication type as
+Digital Signatures (RFC 7427 )can still interop with an older version of strongswan that does not
+support RFC 7427
+
+
+
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.conf b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.conf
new file mode 100644
index 00000000000..f80fc05fc42
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+version 2.0
+
+config setup
+ # put the logs in /tmp for the UMLs, so that we can operate
+ # without syslogd, which seems to break on UMLs
+ logfile=/tmp/pluto.log
+ logtime=no
+ logappend=no
+ plutodebug=all
+ plutorestartoncrash=false
+ dumpdir=/tmp
+ protostack=netkey
+
+conn westnet-eastnet-ikev2
+ also=westnet-eastnet-x509
+ ikev2=insist
+ authby=rsasig
+ leftsendcert=always
+ #leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org"
+ rightsendcert=never
+ #rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org"
+
+
+include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.console.txt b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.console.txt
new file mode 100644
index 00000000000..894b7c33db7
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/east.console.txt
@@ -0,0 +1,70 @@
+/testing/guestbin/swan-prep --x509
+Preparing X.509 files
+east #
+ ipsec start
+Redirecting to: systemctl start ipsec.service
+east #
+ /testing/pluto/bin/wait-until-pluto-started
+east #
+ ipsec auto --add westnet-eastnet-ikev2
+002 added connection description "westnet-eastnet-ikev2"
+east #
+ ipsec whack --debug-all --impair-ignore-hash-notify
+east #
+ echo "initdone"
+initdone
+east #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+east NOW
+XFRM state:
+src 192.1.2.45 dst 192.1.2.23
+ proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+ replay-window 32 flag af-unspec
+ auth-trunc hmac(sha512) 0xHASHKEY 256
+ enc cbc(aes) 0xENCKEY
+src 192.1.2.23 dst 192.1.2.45
+ proto esp spi 0xSPISPIXX reqid REQID mode tunnel
+ replay-window 32 flag af-unspec
+ auth-trunc hmac(sha512) 0xHASHKEY 256
+ enc cbc(aes) 0xENCKEY
+XFRM policy:
+src 192.0.1.0/24 dst 192.0.2.0/24
+ dir fwd priority 2344 ptype main
+ tmpl src 192.1.2.45 dst 192.1.2.23
+ proto esp reqid REQID mode tunnel
+src 192.0.1.0/24 dst 192.0.2.0/24
+ dir in priority 2344 ptype main
+ tmpl src 192.1.2.45 dst 192.1.2.23
+ proto esp reqid REQID mode tunnel
+src 192.0.2.0/24 dst 192.0.1.0/24
+ dir out priority 2344 ptype main
+ tmpl src 192.1.2.23 dst 192.1.2.45
+ proto esp reqid REQID mode tunnel
+XFRM done
+IPSEC mangle TABLES
+NEW_IPSEC_CONN mangle TABLES
+ROUTING TABLES
+default via 192.1.2.254 dev eth1
+192.0.1.0/24 dev eth1 scope link src 192.0.2.254
+192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
+192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
+192.9.2.0/24 dev eth2 proto kernel scope link src 192.9.2.23
+NSS_CERTIFICATES
+Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+Libreswan test CA for mainca - Libreswan CT,,
+east u,u,u
+hashsha2 P,,
+nic P,,
+north P,,
+road P,,
+west P,,
+west-ec P,,
+east #
+ if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+east #
+east #
+ ../bin/check-for-core.sh
+east #
+ if [ -f /sbin/ausearch ]; 
then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/eastinit.sh b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/eastinit.sh
new file mode 100755
index 00000000000..16154bc27b4
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/eastinit.sh
@@ -0,0 +1,6 @@
+/testing/guestbin/swan-prep --x509
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec auto --add westnet-eastnet-ikev2
+ipsec whack --debug-all --impair-ignore-hash-notify
+echo "initdone"
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/final.sh b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/final.sh
new file mode 100755
index 00000000000..487265e84d9
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/final.sh
@@ -0,0 +1,9 @@
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+: ==== cut ====
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi
+if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+: ==== tuc ====
+../bin/check-for-core.sh
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/testparams.sh b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/testparams.sh
new file mode 100644
index 00000000000..be06e9b7fc0
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/testparams.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+. ../../default-testparams.sh
+WEST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed"
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.conf b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.conf
new file mode 100644
index 00000000000..ac4a0f929b7
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.conf
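Review bot: `ipsec whack --debug-all --impair-ignore-hash-notify` in eastinit.sh makes pluto drop the peer's SIGNATURE_HASH_ALGORITHMS notify, but nothing in this test then checks the pluto side: final.sh is byte-identical to the non-impaired test 37 (same blob 487265e84d9) and only west's charon.log is grepped, so the only evidence the impair took effect is the west console showing `RSA signature` where test 37 shows `RSA_EMSA_PKCS1_SHA1`. Add a pluto-side line to final.sh next to the existing `ipsec look` step, e.g. `grep "auth method" /tmp/pluto.log`, so the authentication method pluto actually selected under the impair becomes part of the compared output. A comment on the impair line in eastinit.sh would also help the next reader: `# drop the peer's hash notify so pluto behaves as if the peer had no RFC 7427 support`.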
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - Strongswan IPsec configuration file
+
+config setup
+ # setup items now go into strongswan.conf for version 5+
+
+conn westnet-eastnet-ikev2
+ authby=rsasig
+ left=192.1.2.45
+ leftsubnet=192.0.1.0/24
+ leftrsasigkey=%cert
+ leftcert=/etc/strongswan/ipsec.d/certs/west.crt
+ leftsendcert=never
+ leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org"
+ right=192.1.2.23
+ rightsubnet=192.0.2.0/24
+ rightrsasigkey=%cert
+ rightcert=/etc/strongswan/ipsec.d/certs/east.crt
+ rightsendcert=never
+ rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org"
+ # strongswan options
+ keyexchange=ikev2
+ auto=add
+ fragmentation=yes
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.console.txt b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.console.txt
new file mode 100644
index 00000000000..1d24df4b2a5
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.console.txt
@@ -0,0 +1,99 @@
+/testing/guestbin/swan-prep --userland strongswan --x509
+west #
+ # confirm that the network is alive
+west #
+ ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+destination -I 192.0.1.254 192.0.2.254 is alive
+west #
+ # make sure that clear text does not get through
+west #
+ iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+west #
+ iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+west #
+ # confirm with a ping
+west #
+ ping -n -c 4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3
+[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 0 received, 100% packet loss, time XXXX
+west #
+ setenforce 0
+west #
+ ../../pluto/bin/strongswan-start.sh
+west #
+ echo "initdone"
+initdone
+west #
+ strongswan up westnet-eastnet-ikev2
+initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
+generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
+sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
+received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
+parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
+peer didn't accept DH group CURVE_25519, it requested MODP_2048
+initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
+generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
+sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
+received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
+parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
+received cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org"
+authentication of 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' (myself) with RSA signature successful
+establishing CHILD_SA westnet-eastnet-ikev2
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
+received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
+parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
+ using trusted ca certificate "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org"
+checking certificate status of "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org"
+ requesting ocsp status from 'http://nic.testing.libreswan.org:2560' ...
+libcurl request failed [7]: Failed to connect to nic.testing.libreswan.org port 2560: No route to host
+ocsp request to http://nic.testing.libreswan.org:2560 failed
+ocsp check failed, fallback to crl
+ fetching crl from 'http://nic.testing.libreswan.org/revoked.crl' ...
+libcurl request failed [7]: Failed to connect to nic.testing.libreswan.org port 80: No route to host
+crl fetching failed
+certificate status is not available
+ reached self-signed root ca with a path length of 0
+ using trusted certificate "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org"
+authentication of 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' with RSA signature successful
+IKE_SA westnet-eastnet-ikev2[1] established between 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]...192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]
+scheduling reauthentication in XXXs
+maximum IKE_SA lifetime XXXs
+CHILD_SA westnet-eastnet-ikev2{1} established with SPIs SPISPI_i SPISPI_o and TS 192.0.1.0/24 === 192.0.2.0/24
+connection 'westnet-eastnet-ikev2' established successfully
+west #
+ ping -n -c4 -I 192.0.1.254 192.0.2.254
+PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
+64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
+--- 192.0.2.254 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time XXXX
+rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
+west #
+ # hash algorithm notication should not be received due to the impair
+west #
+ grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]"
+west #
+ echo done
+done
+west #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+west #
+ if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+Security Associations (1 up, 0 connecting):
+westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]...192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]
+westnet-eastnet-ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{1}: 192.0.1.0/24 === 192.0.2.0/24
+west #
+west #
+ ../bin/check-for-core.sh
+west #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.secrets b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.secrets
new file mode 100644
index 00000000000..efceb7ca004
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/west.secrets
@@ -0,0 +1 @@
+: RSA /etc/strongswan/ipsec.d/private/west.key "foobar"
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westinit.sh b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westinit.sh
new file mode 100755
index 00000000000..678c2ba416c
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westinit.sh
@@ -0,0 +1,11 @@
+/testing/guestbin/swan-prep --userland strongswan --x509
+# confirm that the network is alive
+../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+# make sure that clear text does not get through
+iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
+iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+# confirm with a ping
+ping -n -c 4 -I 192.0.1.254 192.0.2.254
+setenforce 0
+../../pluto/bin/strongswan-start.sh
+echo "initdone"
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westrun.sh b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westrun.sh
new file mode 100755
index 00000000000..b3887df6cb0
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/westrun.sh
@@ -0,0 +1,7 @@
+strongswan up westnet-eastnet-ikev2
+ping -n -c4 -I 192.0.1.254 192.0.2.254
+
+# hash algorithm notication should not be received due to the impair
+grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]"
+
+echo done
diff --git a/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/weststrongswan.conf b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/weststrongswan.conf
new file mode 100644
index 00000000000..8e5122e4ba5
--- /dev/null
+++ b/testing/pluto/interop-ikev2-strongswan-38-digsig-impair/weststrongswan.conf
@@ -0,0 +1,39 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+
+ # number of worker threads in charon
+ threads = 16
+
+ # send strongswan vendor ID?
+ # send_vendor_id = yes
+
+ plugins {
+
+ }
+
+ filelog {
+ /tmp/charon.log {
+ time_format = %b %e %T
+ append = no
+ default = 4
+ }
+ stderr {
+ ike = 4
+ knl = 4
+ ike_name = yes
+ }
+ }
+
+
+}
+
+pluto {
+
+}
+
+libstrongswan {
+
+ # set to no, the DH exponent size is optimized
+ # dh_exponent_ansi_x9_42 = no
+}