charon-tkm: Don't use starter/stroke with charon-tkm anymore
authorTobias Brunner <tobias@strongswan.org>
Tue, 24 Nov 2020 16:33:13 +0000 (17:33 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jan 2021 14:28:01 +0000 (15:28 +0100)
For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.

71 files changed:
src/charon-tkm/Makefile.am
testing/hosts/default/etc/init.d/charon [deleted file]
testing/hosts/default/etc/init.d/charon-tkm [new file with mode: 0755]
testing/scripts/recipes/010_tkm.mk
testing/tests/tkm/host2host-initiator/evaltest.dat
testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-initiator/posttest.dat
testing/tests/tkm/host2host-initiator/pretest.dat
testing/tests/tkm/host2host-initiator/test.conf
testing/tests/tkm/host2host-responder/evaltest.dat
testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-responder/posttest.dat
testing/tests/tkm/host2host-responder/pretest.dat
testing/tests/tkm/host2host-responder/test.conf
testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-xfrmproxy/posttest.dat
testing/tests/tkm/host2host-xfrmproxy/pretest.dat
testing/tests/tkm/host2host-xfrmproxy/test.conf
testing/tests/tkm/multiple-clients/evaltest.dat
testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in
testing/tests/tkm/multiple-clients/posttest.dat
testing/tests/tkm/multiple-clients/pretest.dat
testing/tests/tkm/multiple-clients/test.conf
testing/tests/tkm/net2net-initiator/evaltest.dat
testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/net2net-initiator/posttest.dat
testing/tests/tkm/net2net-initiator/pretest.dat
testing/tests/tkm/net2net-initiator/test.conf
testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/net2net-xfrmproxy/posttest.dat
testing/tests/tkm/net2net-xfrmproxy/pretest.dat
testing/tests/tkm/net2net-xfrmproxy/test.conf
testing/tests/tkm/xfrmproxy-expire/evaltest.dat
testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/xfrmproxy-expire/posttest.dat
testing/tests/tkm/xfrmproxy-expire/pretest.dat
testing/tests/tkm/xfrmproxy-expire/test.conf
testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/xfrmproxy-rekey/posttest.dat
testing/tests/tkm/xfrmproxy-rekey/pretest.dat
testing/tests/tkm/xfrmproxy-rekey/test.conf

index ad54eaf..4939c07 100644 (file)
@@ -29,7 +29,7 @@ PLUGINS = \
        pem \
        socket-default \
        openssl \
-       stroke
+       vici
 
 all: build_charon
 
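Review bot: Swapping `stroke` for `vici` changes the daemon's control channel to a socket that grants full control (load credentials, initiate/terminate, reload), so its path and permissions now matter for charon-tkm as much as for charon. As far as I recall the vici plugin's default socket is `/var/run/charon.vici` for any daemon, which is why swanctl in these tests connects without `--uri`; it also means charon and charon-tkm cannot both run on one host with default settings, which may be worth a comment next to this line or in the charon-tkm docs. The enclosing `PLUGINS` list starts above this hunk.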
diff --git a/testing/hosts/default/etc/init.d/charon b/testing/hosts/default/etc/init.d/charon
deleted file mode 100755 (executable)
index 4776051..0000000
+++ /dev/null
@@ -1,156 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-       # Return
-       #   0 if daemon has been started
-       #   1 if daemon was already running
-       #   2 if daemon could not be started
-       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-               || return 1
-       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-               $DAEMON_ARGS \
-               || return 2
-       # Add code here, if necessary, that waits for the process to be ready
-       # to handle requests from services started subsequently which depend
-       # on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-       # Return
-       #   0 if daemon has been stopped
-       #   1 if daemon was already stopped
-       #   2 if daemon could not be stopped
-       #   other if a failure occurred
-       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-       RETVAL="$?"
-       [ "$RETVAL" = 2 ] && return 2
-       # Wait for children to finish too if this is a daemon that forks
-       # and if the daemon is only ever run from this initscript.
-       # If the above conditions are not satisfied then add some other code
-       # that waits for the process to drop all resources that could be
-       # needed by services started subsequently.  A last resort is to
-       # sleep for some time.
-       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-       [ "$?" = 2 ] && return 2
-       # Many daemons don't delete their pidfiles when they exit.
-       rm -f $PIDFILE
-       return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-       #
-       # If the daemon can reload its configuration without
-       # restarting (for example, when it is sent a SIGHUP),
-       # then implement that here.
-       #
-       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-       return 0
-}
-
-case "$1" in
-  start)
-       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-       do_start
-       case "$?" in
-               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-       esac
-       ;;
-  stop)
-       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-       do_stop
-       case "$?" in
-               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-       esac
-       ;;
-  status)
-       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-       ;;
-  #reload|force-reload)
-       #
-       # If do_reload() is not implemented then leave this commented out
-       # and leave 'force-reload' as an alias for 'restart'.
-       #
-       #log_daemon_msg "Reloading $DESC" "$NAME"
-       #do_reload
-       #log_end_msg $?
-       #;;
-  restart|force-reload)
-       #
-       # If the "reload" option is implemented then remove the
-       # 'force-reload' alias
-       #
-       log_daemon_msg "Restarting $DESC" "$NAME"
-       do_stop
-       case "$?" in
-         0|1)
-               do_start
-               case "$?" in
-                       0) log_end_msg 0 ;;
-                       1) log_end_msg 1 ;; # Old process is still running
-                       *) log_end_msg 1 ;; # Failed to start
-               esac
-               ;;
-         *)
-               # Failed to stop
-               log_end_msg 1
-               ;;
-       esac
-       ;;
-  *)
-       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-       exit 3
-       ;;
-esac
-
-:
diff --git a/testing/hosts/default/etc/init.d/charon-tkm b/testing/hosts/default/etc/init.d/charon-tkm
new file mode 100755 (executable)
index 0000000..fa8b841
--- /dev/null
@@ -0,0 +1,156 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon-tkm
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon-tkm IKE daemon
+# Description:       with swanctl the strongSwan charon-tkm daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="strongSwan charon-tkm IKE daemon"
+NAME=charon-tkm
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon-tkm
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
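Review bot: `do_start` uses `--background` without `--make-pidfile`, so the `--test` probe and the `--pidfile`-based stop both depend on charon-tkm writing `/var/run/charon-tkm.pid` itself; I believe it does, mirroring charon, but if it does not, a second `service charon-tkm start` would spawn a duplicate daemon competing for the TKM RPC sockets. Either add `--make-pidfile` to both `start-stop-daemon --start` invocations in `do_start`, or document the dependency above `PIDFILE=` with `# charon-tkm writes this pidfile itself; start-stop-daemon relies on it`. The second `--stop --exec $DAEMON` in `do_stop` also terminates any other process running the same binary, not only the one from the pidfile, which is fine for the test hosts but worth a comment if this script is ever reused outside them.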
index 7918485..3505504 100644 (file)
@@ -2,7 +2,7 @@
 
 PKG = tkm
 SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = 8184cc0976a5b00c9d042bef2032223ae261f948
+REV = b99aeb158b7701ea4a77184bff5ff38f8e26013a
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
index 4158625..2ba6e0b 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
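Review bot: The new `--list-sas --raw` patterns hard-code `192.168.0.1`/`192.168.0.2` while the untouched `ping` line two lines below still uses the `PH_IP_SUN` placeholder, so one file now mixes both conventions. Unless the harness does not substitute placeholders inside these patterns, `local-host=PH_IP_MOON`, `remote-host=PH_IP_SUN` and `local-ts=\[PH_IP_MOON/32]` would keep the test independent of the host addresses and match the existing line. The same applies to the identical patterns added in the xfrmproxy evaltest.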
@@ -11,7 +9,7 @@ moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
 moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
-moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::swanctl --terminate --ike conn1 && sleep 1::no output expected::NO
 moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edf..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
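Review bot: The deleted `ipsec.conf` set `ikelifetime=60m`, `keylife=20m` and `rekeymargin=3m` on sun, but the new `swanctl.conf` sets no `rekey_time`/`over_time`, so sun now falls back to the swanctl defaults (considerably longer, as far as I recall), which is a behavioural change beyond the stroke-to-vici migration. For these short tests it is harmless, but if the lifetimes mattered the equivalent is `rekey_time = 57m` plus `over_time = 3m` under `host-host` and `rekey_time = 17m` under the child. The same file is added byte-identically in the host2host-responder and host2host-xfrmproxy tests.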
index 34037bc..09900dd 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 6be2777..cb5d5b4 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-moon::DAEMON_NAME=charon-tkm ipsec up conn1
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
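Review bot: `rm /etc/swanctl/rsa/*` only purges RSA keys from that one directory, but `swanctl --load-all` (run from moon's `start-scripts`) also loads keys from `private/`, `ecdsa/` and `pkcs8/`; if the base host image ever populates one of those, moon's key would end up inside charon-tkm and silently defeat the key separation this TKM test is meant to exercise. Since the old line removed the whole `ipsec.secrets`, the equivalent here is `rm -f /etc/swanctl/rsa/* /etc/swanctl/ecdsa/* /etc/swanctl/pkcs8/* /etc/swanctl/private/*`. The `2> /dev/null` on the `--initiate` line also hides any error from the initiation itself, so a failure only surfaces later in evaltest; consider dropping it so the log shows the cause.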
index 9647dc6..52d886d 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 2db7757..5f1af74 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
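Review bot: In this responder test sun is the initiator (the pretest runs `swanctl --initiate --child host-host` on sun), yet sun's `--list-sas` pattern omits the `initiator=yes` token that the initiator test asserts on moon, so the role is no longer checked here. Adding `initiator=yes` after `remote-id=moon.strongswan.org` on sun's line (and keeping moon's without it) would make the two tests symmetric and catch an accidental role flip.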
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 6681dad..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
-       type=transport
index f585edf..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 34037bc..09900dd 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9f8c7be..fc85d59 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-sun::ipsec up host-host
+moon::expect-connection conn1
+sun::swanctl --initiate --child host-host 2> /dev/null
index 9647dc6..52d886d 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 74203f8..cffacbb 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edf..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 99efe7b..2b0442b 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d258..4a00923 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6..52d886d 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 23f6151..52484fc 100644 (file)
@@ -1,11 +1,7 @@
-sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
-dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
-carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun::  swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.100/32]::YES
+sun::  swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.2/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.2/32]::YES
 carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
@@ -15,7 +11,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
 sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log | grep "Certificate chain of CC context 1 is valid" | wc -l::2::YES
+sun::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2
 sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
 sun::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index 10ee3e8..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn host-host
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_SUN
-       rightid=sun.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index 2127105..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..5b23486
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_CAROL
+    remote_addrs = PH_IP_SUN
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = carolCert.pem
+      id = carol@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = sun.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 6ba0a97..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn host-host
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       right=PH_IP_SUN
-       rightid=sun.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index 2127105..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..26a2f81
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_DAVE
+    remote_addrs = PH_IP_SUN
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = daveCert.pem
+      id = dave@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = sun.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
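Review bot: The new `start-scripts` entry carries no comment, so a reader of tkm.conf cannot tell why the daemon itself launches swanctl rather than the test harness doing it. Suggest a comment above the block: `# charon-tkm has no starter; push swanctl.conf to it over vici once the daemon is up`. The enclosing `charon-tkm {` section starts outside the hunk, and the same block is added in the other tkm.conf hunks of this commit.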
index 9a4a9bc..bbe0530 100644 (file)
@@ -1,5 +1,5 @@
-sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::service charon-tkm stop
 sun::killall tkm_keymanager
 sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
index 16a8ffd..7efe742 100644 (file)
@@ -1,14 +1,14 @@
-sun::rm /etc/ipsec.secrets
-sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-sun::cat /etc/ipsec.conf
+sun::rm /etc/swanctl/rsa/*
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/swanctl/swanctl.conf
 sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 sun::expect-file /tmp/tkm.rpc.ike
-sun::DAEMON_NAME=charon-tkm ipsec start
-carol::ipsec start
+sun::service charon-tkm start
+carol::systemctl start strongswan
 carol::expect-connection host-host
-dave::ipsec start
+dave::systemctl start strongswan
 dave::expect-connection host-host
-sun::DAEMON_NAME=charon-tkm expect-connection conn1
-sun::DAEMON_NAME=charon-tkm expect-connection conn2
-carol::ipsec up host-host
-dave::ipsec up host-host
+sun::expect-connection conn1
+sun::expect-connection conn2
+carol::swanctl --initiate --child host-host 2> /dev/null
+dave::swanctl --initiate --child host-host 2> /dev/null
index 1dd3630..cec3ba2 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol dave"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="carol dave sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index f3a06c6..95b3267 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
-sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 21b613d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
index a262950..2e6ff37 100644 (file)
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..34124f5
--- /dev/null
@@ -0,0 +1,26 @@
+connections {
+
+  net-net {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 10.2.0.0/16
+        remote_ts = 10.1.0.0/16
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 34037bc..09900dd 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index e30b3b1..6a30f38 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection net-net
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-moon::DAEMON_NAME=charon-tkm ipsec up conn1
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
index afa2acc..87abc76 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index d4befad..45eb4e4 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
-sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf..b6d0cce 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 21b613d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
index a262950..2e6ff37 100644 (file)
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..34124f5
--- /dev/null
@@ -0,0 +1,26 @@
+connections {
+
+  net-net {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 10.2.0.0/16
+        remote_ts = 10.1.0.0/16
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 2454430..2b0442b 100644 (file)
@@ -1,4 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
+moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index d022155..a868e80 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection net-net
-alice::ping -c 3 PH_IP_BOB
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
index afa2acc..87abc76 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 421924c..3953d20 100644 (file)
@@ -1,8 +1,6 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::sleep 2::wait for rekeying::NO
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::sleep 3::wait for rekeying::NO
 moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
 moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
 moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
@@ -20,7 +18,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
 moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]::2
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
 moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
index e9ab536..89731f2 100644 (file)
@@ -13,4 +13,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edf..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 99efe7b..2b0442b 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d258..4a00923 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6..52d886d 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index fbda21e..fca4778 100644 (file)
@@ -1,8 +1,6 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::sleep 2::wait for rekeying::NO
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::sleep 3::wait for rekeying::NO
 sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
@@ -18,7 +16,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
 moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator FALSE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::2
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
 moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
index e9ab536..89731f2 100644 (file)
@@ -13,4 +13,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 9dc6412..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=10s
-       rekeymargin=6s
-       rekeyfuzz=0%
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edf..2e6ff37 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..eda900f
--- /dev/null
@@ -0,0 +1,28 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        life_time=10s
+        rekey_time=4s
+        rand_time=0
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
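Review bot: `life_time=10s`, `rekey_time=4s` and `rand_time=0` are written without spaces around `=`, unlike every other key in this file and in the sibling swanctl.conf files added by this commit; suggest `life_time = 10s`, `rekey_time = 4s`, `rand_time = 0`. The values themselves appear to mirror the removed `keylife=10s`/`rekeymargin=6s`/`rekeyfuzz=0%`, so this is a formatting point only.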
index 99efe7b..2b0442b 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d258..4a00923 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6..52d886d 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1