Added libipsec/rw-suite-b scenario
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 1 Jul 2013 09:04:14 +0000 (11:04 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 1 Jul 2013 09:04:14 +0000 (11:04 +0200)
32 files changed:
testing/tests/libipsec/rw-suite-b/description.txt [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/evaltest.dat [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown [new file with mode: 0755]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown [new file with mode: 0755]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown [new file with mode: 0755]
testing/tests/libipsec/rw-suite-b/posttest.dat [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/pretest.dat [new file with mode: 0644]
testing/tests/libipsec/rw-suite-b/test.conf [new file with mode: 0644]

diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644 (file)
index 0000000..a1b0940
--- /dev/null
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644 (file)
index 0000000..855f201
--- /dev/null
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+dave:ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..8106e28
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       ike=aes128gcm128-prfsha256-ecp256!
+       esp=aes128gcm128-ecp256!
+
+conn home
+       left=PH_IP_CAROL
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftsourceip=%config
+       leftupdown=/etc/updown
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644 (file)
index 0000000..3480a43
--- /dev/null
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..a85635f
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..d29ddb9
--- /dev/null
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..3d67251
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush
new file mode 100644 (file)
index 0000000..b3ab63c
--- /dev/null
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules
new file mode 100644 (file)
index 0000000..3d99c01
--- /dev/null
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..06bcaa1
--- /dev/null
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755 (executable)
index 0000000..15c2394
--- /dev/null
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])       # Older Pluto?!?  Play it safe, script may be using new features.
+       echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+       echo "$0:       called by obsolete Pluto?" >&2
+       exit 2
+       ;;
+1.*)   ;;
+*)     echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+       exit 2
+       ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')                   # no parameters
+       ;;
+iptables:iptables)     # due to (left/right)firewall; for default script only
+       ;;
+custom:*)              # custom parameters (see above CAUTION comment)
+       ;;
+*)     echo "$0: unknown parameters \`$*'" >&2
+       exit 2
+       ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+       doroute add
+       ip route flush cache
+}
+downroute() {
+       doroute delete
+       ip route flush cache
+}
+
+addsource() {
+       st=0
+       if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+       then
+           it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+           oops="`eval $it 2>&1`"
+           st=$?
+           if test " $oops" = " " -a " $st" != " 0"
+           then
+               oops="silent error, exit status $st"
+           fi
+           if test " $oops" != " " -o " $st" != " 0"
+           then
+               echo "$0: addsource \`$it' failed ($oops)" >&2
+           fi
+       fi
+       return $st
+}
+
+doroute() {
+       st=0
+
+       if [ -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           for dir in /etc/sysconfig /etc/conf.d; do
+               if [ -f "$dir/defaultsource" ]
+               then
+                   . "$dir/defaultsource"
+               fi
+           done
+
+           if [ -n "$DEFAULTSOURCE" ]
+           then
+               PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+           fi
+        fi
+
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # leave because no route entry is required
+           return $st
+       fi
+
+       parms1="$PLUTO_PEER_CLIENT"
+
+       if [ -n "$PLUTO_NEXT_HOP" ]
+       then
+           parms2="via $PLUTO_NEXT_HOP"
+       else
+           parms2="via $PLUTO_PEER"
+       fi
+       parms2="$parms2 dev $PLUTO_INTERFACE"
+
+       parms3=
+       if [ -n "$PLUTO_MY_SOURCEIP" ]
+       then
+           if test "$1" = "add"
+           then
+               addsource
+               if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+               then
+                   ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+               fi
+           fi
+           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+       fi
+
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # opportunistic encryption work around
+               # need to provide route that eclipses default, without
+               # replacing it.
+               it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+                       ip route $1 128.0.0.0/1 $parms2 $parms3"
+               ;;
+       *)      it="ip route $1 $parms1 $parms2 $parms3"
+               ;;
+       esac
+       oops="`eval $it 2>&1`"
+       st=$?
+       if test " $oops" = " " -a " $st" != " 0"
+       then
+           oops="silent error, exit status $st"
+       fi
+       if test " $oops" != " " -o " $st" != " 0"
+       then
+           echo "$0: doroute \`$it' failed ($oops)" >&2
+       fi
+       return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+       KLIPS=1
+       IPSEC_POLICY_IN=""
+       IPSEC_POLICY_OUT=""
+else
+       KLIPS=
+       IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+       IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+       IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+       S_MY_PORT="--sport $PLUTO_MY_PORT"
+       D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # exit because no route will be added,
+           # so that existing routes can stay
+           exit 0
+       fi
+
+       # delete possibly-existing route (preliminary to adding a route)
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # need to provide route that eclipses default, without
+               # replacing it.
+               parms1="0.0.0.0/1"
+               parms2="128.0.0.0/1"
+               it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+               oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+               ;;
+       *)
+               parms="$PLUTO_PEER_CLIENT"
+               it="ip route delete $parms 2>&1"
+               oops="`ip route delete $parms 2>&1`"
+               ;;
+       esac
+       status="$?"
+       if test " $oops" = " " -a " $status" != " 0"
+       then
+               oops="silent error, exit status $status"
+       fi
+       case "$oops" in
+       *'RTNETLINK answers: No such process'*)
+               # This is what route (currently -- not documented!) gives
+               # for "could not find such a route".
+               oops=
+               status=0
+               ;;
+       esac
+       if test " $oops" != " " -o " $status" != " 0"
+       then
+               echo "$0: \`$it' failed ($oops)" >&2
+       fi
+       exit $status
+       ;;
+route-host:*|route-client:*)
+       # connection to me or my client subnet being routed
+       uproute
+       ;;
+unroute-host:*|unroute-client:*)
+       # connection to me or my client subnet being unrouted
+       downroute
+       ;;
+up-host:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+down-host:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+up-client:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+           iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+           iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+down-client:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_MY_CLIENT $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+up-host:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+       ;;
+route-host-v6:*|route-client-v6:*)
+       # connection to me or my client subnet being routed
+       #uproute_v6
+       ;;
+unroute-host-v6:*|unroute-client-v6:*)
+       # connection to me or my client subnet being unrouted
+       #downroute_v6
+       ;;
+up-host-v6:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-host-v6:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-client-v6:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-client-v6:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+*)     echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+       exit 1
+       ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..9b6ca68
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       ike=aes128gcm128-prfsha256-ecp256!
+       esp=aes128gcm128-ecp256!
+
+conn home 
+       left=PH_IP_DAVE
+       leftcert=daveCert.pem
+       leftid=dave@strongswan.org
+       leftsourceip=%config
+       leftupdown=/etc/updown
+       right=PH_IP_MOON
+       rightid=moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644 (file)
index 0000000..3480a43
--- /dev/null
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644 (file)
index 0000000..c83be14
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644 (file)
index 0000000..17e9402
--- /dev/null
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..ebd3a28
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644 (file)
index 0000000..b3ab63c
--- /dev/null
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644 (file)
index 0000000..3d99c01
--- /dev/null
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..06bcaa1
--- /dev/null
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755 (executable)
index 0000000..15c2394
--- /dev/null
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])       # Older Pluto?!?  Play it safe, script may be using new features.
+       echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+       echo "$0:       called by obsolete Pluto?" >&2
+       exit 2
+       ;;
+1.*)   ;;
+*)     echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+       exit 2
+       ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')                   # no parameters
+       ;;
+iptables:iptables)     # due to (left/right)firewall; for default script only
+       ;;
+custom:*)              # custom parameters (see above CAUTION comment)
+       ;;
+*)     echo "$0: unknown parameters \`$*'" >&2
+       exit 2
+       ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+       doroute add
+       ip route flush cache
+}
+downroute() {
+       doroute delete
+       ip route flush cache
+}
+
+addsource() {
+       st=0
+       if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+       then
+           it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+           oops="`eval $it 2>&1`"
+           st=$?
+           if test " $oops" = " " -a " $st" != " 0"
+           then
+               oops="silent error, exit status $st"
+           fi
+           if test " $oops" != " " -o " $st" != " 0"
+           then
+               echo "$0: addsource \`$it' failed ($oops)" >&2
+           fi
+       fi
+       return $st
+}
+
+doroute() {
+       st=0
+
+       if [ -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           for dir in /etc/sysconfig /etc/conf.d; do
+               if [ -f "$dir/defaultsource" ]
+               then
+                   . "$dir/defaultsource"
+               fi
+           done
+
+           if [ -n "$DEFAULTSOURCE" ]
+           then
+               PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+           fi
+        fi
+
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # leave because no route entry is required
+           return $st
+       fi
+
+       parms1="$PLUTO_PEER_CLIENT"
+
+       if [ -n "$PLUTO_NEXT_HOP" ]
+       then
+           parms2="via $PLUTO_NEXT_HOP"
+       else
+           parms2="via $PLUTO_PEER"
+       fi
+       parms2="$parms2 dev $PLUTO_INTERFACE"
+
+       parms3=
+       if [ -n "$PLUTO_MY_SOURCEIP" ]
+       then
+           if test "$1" = "add"
+           then
+               addsource
+               if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+               then
+                   ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+               fi
+           fi
+           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+       fi
+
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # opportunistic encryption work around
+               # need to provide route that eclipses default, without
+               # replacing it.
+               it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+                       ip route $1 128.0.0.0/1 $parms2 $parms3"
+               ;;
+       *)      it="ip route $1 $parms1 $parms2 $parms3"
+               ;;
+       esac
+       oops="`eval $it 2>&1`"
+       st=$?
+       if test " $oops" = " " -a " $st" != " 0"
+       then
+           oops="silent error, exit status $st"
+       fi
+       if test " $oops" != " " -o " $st" != " 0"
+       then
+           echo "$0: doroute \`$it' failed ($oops)" >&2
+       fi
+       return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+       KLIPS=1
+       IPSEC_POLICY_IN=""
+       IPSEC_POLICY_OUT=""
+else
+       KLIPS=
+       IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+       IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+       IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+       S_MY_PORT="--sport $PLUTO_MY_PORT"
+       D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # exit because no route will be added,
+           # so that existing routes can stay
+           exit 0
+       fi
+
+       # delete possibly-existing route (preliminary to adding a route)
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # need to provide route that eclipses default, without
+               # replacing it.
+               parms1="0.0.0.0/1"
+               parms2="128.0.0.0/1"
+               it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+               oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+               ;;
+       *)
+               parms="$PLUTO_PEER_CLIENT"
+               it="ip route delete $parms 2>&1"
+               oops="`ip route delete $parms 2>&1`"
+               ;;
+       esac
+       status="$?"
+       if test " $oops" = " " -a " $status" != " 0"
+       then
+               oops="silent error, exit status $status"
+       fi
+       case "$oops" in
+       *'RTNETLINK answers: No such process'*)
+               # This is what route (currently -- not documented!) gives
+               # for "could not find such a route".
+               oops=
+               status=0
+               ;;
+       esac
+       if test " $oops" != " " -o " $status" != " 0"
+       then
+               echo "$0: \`$it' failed ($oops)" >&2
+       fi
+       exit $status
+       ;;
+route-host:*|route-client:*)
+       # connection to me or my client subnet being routed
+       uproute
+       ;;
+unroute-host:*|unroute-client:*)
+       # connection to me or my client subnet being unrouted
+       downroute
+       ;;
+up-host:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+down-host:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+up-client:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+           iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+           iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+down-client:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_MY_CLIENT $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+up-host:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+       ;;
+route-host-v6:*|route-client-v6:*)
+       # connection to me or my client subnet being routed
+       #uproute_v6
+       ;;
+unroute-host-v6:*|unroute-client-v6:*)
+       # connection to me or my client subnet being unrouted
+       #downroute_v6
+       ;;
+up-host-v6:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-host-v6:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-client-v6:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-client-v6:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+*)     echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+       exit 1
+       ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..7335920
--- /dev/null
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekey=no
+       reauth=no
+       keyexchange=ikev2
+       ike=aes128gcm128-prfsha256-ecp256!
+       esp=aes128gcm128-ecp256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       leftupdown=/etc/updown
+       right=%any
+       rightsourceip=10.3.0.0/24
+       auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644 (file)
index 0000000..3480a43
--- /dev/null
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644 (file)
index 0000000..a3b043e
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644 (file)
index 0000000..5bd2778
--- /dev/null
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..1ef3ecc
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush
new file mode 100644 (file)
index 0000000..b3ab63c
--- /dev/null
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules
new file mode 100644 (file)
index 0000000..cc12d16
--- /dev/null
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..efa0575
--- /dev/null
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755 (executable)
index 0000000..15c2394
--- /dev/null
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])       # Older Pluto?!?  Play it safe, script may be using new features.
+       echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+       echo "$0:       called by obsolete Pluto?" >&2
+       exit 2
+       ;;
+1.*)   ;;
+*)     echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+       exit 2
+       ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')                   # no parameters
+       ;;
+iptables:iptables)     # due to (left/right)firewall; for default script only
+       ;;
+custom:*)              # custom parameters (see above CAUTION comment)
+       ;;
+*)     echo "$0: unknown parameters \`$*'" >&2
+       exit 2
+       ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+       doroute add
+       ip route flush cache
+}
+downroute() {
+       doroute delete
+       ip route flush cache
+}
+
+addsource() {
+       st=0
+       if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+       then
+           it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+           oops="`eval $it 2>&1`"
+           st=$?
+           if test " $oops" = " " -a " $st" != " 0"
+           then
+               oops="silent error, exit status $st"
+           fi
+           if test " $oops" != " " -o " $st" != " 0"
+           then
+               echo "$0: addsource \`$it' failed ($oops)" >&2
+           fi
+       fi
+       return $st
+}
+
+doroute() {
+       st=0
+
+       if [ -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           for dir in /etc/sysconfig /etc/conf.d; do
+               if [ -f "$dir/defaultsource" ]
+               then
+                   . "$dir/defaultsource"
+               fi
+           done
+
+           if [ -n "$DEFAULTSOURCE" ]
+           then
+               PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+           fi
+        fi
+
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # leave because no route entry is required
+           return $st
+       fi
+
+       parms1="$PLUTO_PEER_CLIENT"
+
+       if [ -n "$PLUTO_NEXT_HOP" ]
+       then
+           parms2="via $PLUTO_NEXT_HOP"
+       else
+           parms2="via $PLUTO_PEER"
+       fi
+       parms2="$parms2 dev $PLUTO_INTERFACE"
+
+       parms3=
+       if [ -n "$PLUTO_MY_SOURCEIP" ]
+       then
+           if test "$1" = "add"
+           then
+               addsource
+               if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+               then
+                   ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+               fi
+           fi
+           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+       fi
+
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # opportunistic encryption work around
+               # need to provide route that eclipses default, without
+               # replacing it.
+               it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+                       ip route $1 128.0.0.0/1 $parms2 $parms3"
+               ;;
+       *)      it="ip route $1 $parms1 $parms2 $parms3"
+               ;;
+       esac
+       oops="`eval $it 2>&1`"
+       st=$?
+       if test " $oops" = " " -a " $st" != " 0"
+       then
+           oops="silent error, exit status $st"
+       fi
+       if test " $oops" != " " -o " $st" != " 0"
+       then
+           echo "$0: doroute \`$it' failed ($oops)" >&2
+       fi
+       return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+       KLIPS=1
+       IPSEC_POLICY_IN=""
+       IPSEC_POLICY_OUT=""
+else
+       KLIPS=
+       IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+       IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+       IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+       S_MY_PORT="--sport $PLUTO_MY_PORT"
+       D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # exit because no route will be added,
+           # so that existing routes can stay
+           exit 0
+       fi
+
+       # delete possibly-existing route (preliminary to adding a route)
+       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+       "0.0.0.0/0.0.0.0")
+               # need to provide route that eclipses default, without
+               # replacing it.
+               parms1="0.0.0.0/1"
+               parms2="128.0.0.0/1"
+               it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+               oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+               ;;
+       *)
+               parms="$PLUTO_PEER_CLIENT"
+               it="ip route delete $parms 2>&1"
+               oops="`ip route delete $parms 2>&1`"
+               ;;
+       esac
+       status="$?"
+       if test " $oops" = " " -a " $status" != " 0"
+       then
+               oops="silent error, exit status $status"
+       fi
+       case "$oops" in
+       *'RTNETLINK answers: No such process'*)
+               # This is what route (currently -- not documented!) gives
+               # for "could not find such a route".
+               oops=
+               status=0
+               ;;
+       esac
+       if test " $oops" != " " -o " $status" != " 0"
+       then
+               echo "$0: \`$it' failed ($oops)" >&2
+       fi
+       exit $status
+       ;;
+route-host:*|route-client:*)
+       # connection to me or my client subnet being routed
+       uproute
+       ;;
+unroute-host:*|unroute-client:*)
+       # connection to me or my client subnet being unrouted
+       downroute
+       ;;
+up-host:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+down-host:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       ;;
+up-client:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+           iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+           iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+down-client:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       PLUTO_INTERFACE=ipsec0
+       iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_MY_CLIENT $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+           iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+               -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+               -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+           iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+               -s $PLUTO_MY_CLIENT $S_MY_PORT \
+               -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       fi
+       ;;
+up-host:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+         iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+       ;;
+route-host-v6:*|route-client-v6:*)
+       # connection to me or my client subnet being routed
+       #uproute_v6
+       ;;
+unroute-host-v6:*|unroute-client-v6:*)
+       # connection to me or my client subnet being unrouted
+       #downroute_v6
+       ;;
+up-host-v6:)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-host-v6:)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-client-v6:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+down-client-v6:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+       ;;
+up-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+down-host-v6:iptables)
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+       # log IPsec host connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+up-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection setup
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+down-client-v6:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+         ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+         ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+       fi
+       #
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+         ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+         ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+       #
+       # log IPsec client connection teardown
+       if [ $VPN_LOGGING ]
+       then
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
+       ;;
+*)     echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+       exit 1
+       ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644 (file)
index 0000000..1865a1c
--- /dev/null
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644 (file)
index 0000000..8bbea14
--- /dev/null
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644 (file)
index 0000000..f292988
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"