upgraded openssl-ikev2 scenarios to 5.0.0
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 4 May 2012 10:03:05 +0000 (12:03 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 4 May 2012 10:03:05 +0000 (12:03 +0200)
39 files changed:
testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
testing/tests/openssl-ikev2/critical-extension/evaltest.dat
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/rw-cert/evaltest.dat
testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf

index f1b3389..3787bdb 100644 (file)
@@ -1,16 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
 
index 62e1810..9ad166e 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -12,7 +10,7 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        ike=blowfish256-sha512-modp2048!
-       esp=blowfish192-sha256!
+       esp=blowfish192-sha384!
 
 conn home
        left=PH_IP_CAROL
index 26f3f3a..eb75305 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -12,7 +10,7 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        ike=blowfish128-sha256-modp1536!
-       esp=blowfish128-sha1!
+       esp=blowfish128-sha256!
 
 conn home
        left=PH_IP_DAVE
index 31a00f7..db92035 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -12,7 +10,7 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-       esp=blowfish192-sha256,blowfish128-sha1!
+       esp=blowfish192-sha384,blowfish128-sha256!
 
 conn rw
        left=PH_IP_MOON
index d77c480..4be554f 100644 (file)
@@ -1,11 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
index 37f8a7e..45ea520 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=yes
        plutostart=no
 
 conn %default
index f8d7e3f..3b0f41f 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=yes
        plutostart=no
 
 conn %default
index 0099364..2540eb1 100644 (file)
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
-dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index 0550a09..850ce23 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -11,7 +9,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+       ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
 
 conn home
        left=PH_IP_CAROL
index b9da84e..bdbdad2 100644 (file)
@@ -3,7 +3,3 @@
 charon {
   load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
-
-libstrongswan {
-  ecp_x_coordinate_only = no
-}
index 22026fc..92f7501 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -11,7 +9,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+       ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
 
 conn home
        left=PH_IP_DAVE
index 01fd353..882b5a2 100644 (file)
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
index ffe13d2..9967312 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index b9da84e..bdbdad2 100644 (file)
@@ -3,7 +3,3 @@
 charon {
   load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
-
-libstrongswan {
-  ecp_x_coordinate_only = no
-}
index e2073d9..f82159e 100644 (file)
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
-dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index 6a15b3f..0e3ef67 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -11,7 +9,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+       ike=aes192-sha384-ecp192,3des-sha256-ecp224!
 
 conn home
        left=PH_IP_CAROL
index b9da84e..bdbdad2 100644 (file)
@@ -3,7 +3,3 @@
 charon {
   load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
-
-libstrongswan {
-  ecp_x_coordinate_only = no
-}
index b4bdf45..cec930c 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -11,7 +9,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+       ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
 
 conn home
        left=PH_IP_DAVE
index 01fd353..882b5a2 100644 (file)
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
index 64ec0f1..3526151 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
@@ -11,7 +9,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+       ike=3des-sha256-ecp224,aes128-sha256-ecp256!
 
 conn rw
        left=PH_IP_MOON
index b9da84e..bdbdad2 100644 (file)
@@ -3,7 +3,3 @@
 charon {
   load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
-
-libstrongswan {
-  ecp_x_coordinate_only = no
-}
index 1c23dca..cc904c8 100644 (file)
@@ -1,6 +1,6 @@
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
index 2e3c9dd..11d2aef 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 19e1971..15ba692 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 868da57..5918faa 100644 (file)
@@ -1,12 +1,17 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index c75d6b2..f666a1c 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 080ce9b..43cd6c3 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index c932101..218b7b8 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 868da57..5291375 100644 (file)
@@ -1,12 +1,13 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index c75d6b2..f666a1c 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 080ce9b..43cd6c3 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index c932101..218b7b8 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 06a0f8c..f8cfb11 100644 (file)
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index 4a8baa3..d3be7aa 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 42f03aa..b2181ee 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 2e84f2e..a0b30f2 100755 (executable)
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-       strictcrlpolicy=no
        plutostart=no
 
 conn %default
index 41ebec3..e476da0 100644 (file)
@@ -1,10 +1,10 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 02ece47..1c78a66 100755 (executable)
@@ -20,6 +20,7 @@ conn home
        leftfirewall=yes
        right=PH_IP_MOON
        rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+       rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
        auto=add
index 2679d4f..6a72f26 100755 (executable)
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-       strictcrlpolicy=no
        plutostart=no
        charondebug="tls 2"