testing: Add ipv6/rw-compress-ikev2 scenario
authorTobias Brunner <tobias@strongswan.org>
Fri, 8 Nov 2013 11:16:40 +0000 (12:16 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 23 Jan 2014 09:27:13 +0000 (10:27 +0100)
testing/tests/ipv6/rw-compress-ikev2/description.txt [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/evaltest.dat [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/posttest.dat [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/pretest.dat [new file with mode: 0644]
testing/tests/ipv6/rw-compress-ikev2/test.conf [new file with mode: 0644]

diff --git a/testing/tests/ipv6/rw-compress-ikev2/description.txt b/testing/tests/ipv6/rw-compress-ikev2/description.txt
new file mode 100644 (file)
index 0000000..da52957
--- /dev/null
@@ -0,0 +1,10 @@
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two IPv6 ICMP requests from <b>carol</b> to <b>alice</b>
+check the established tunnel with compression. The packet sizes are different
+because the kernel does not compress small packets.<br/>
+<b>Note:</b> The kernel applies IPComp after fragmenting the original packet
+according to the MTU. Also, because <b>alice</b> does not know about the IPsec
+tunnel between <b>moon</b> and <b>carol</b> the response to the first ICMP
+request is fragmented in too large fragments and <b>moon</b> sends back ICMPs
+with type 2 to notify <b>alice</b> about this (Path MTU Discovery).
+The second ping is then answered successfully.
diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
new file mode 100644 (file)
index 0000000..0a0b1a7
--- /dev/null
@@ -0,0 +1,13 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+# send two pings because the first is lost due to Path MTU Discovery between alice and moon
+carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
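Review bot: Nothing in evaltest.dat asserts that the 8184-byte ping was actually compressed. The two `proto comp spi` lines only show that an IPComp state is installed on each host, and the two tcpdump lines only show that ESP is on the wire between carol and moon. Because the compressed payload travels inside ESP, this is probably all that can be checked from outside, so I would say so next to the existing comment, e.g. `# "proto comp" proves the IPComp SA is installed, not that a given packet was compressed`. That stops a reader from taking a green run as evidence of on-the-wire compression.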
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..bd9a9e5
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+       cacert=strongswanCert.pem
+       crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+       auto=add
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       compress=yes
+       leftfirewall=yes
+
+conn home
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP6_MOON
+       rightsubnet=fec1::/16
+       rightid=@moon.strongswan.org
+       auto=add
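Review bot: `compress=yes` is set in `conn %default`, so any connection later added to this file inherits IPComp; moon's ipsec.conf in this commit does the same. Compressing before encryption makes the ciphertext length depend on plaintext redundancy, which matters to anyone reusing the scenario as a template. I would add a one-line caveat above the option, e.g. `# IPComp is the feature under test; compression before ESP exposes plaintext redundancy via packet length`. Moving the option into `conn home` (and `conn rw` on moon) would also scope it to the tunnel under test.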
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..dc93764
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
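Review bot: The `load` line pulls in `des` and `md5`, and neither ipsec.conf in this commit sets `ike=` or `esp=`, so the proposals offered are whatever the defaults build from the loaded plugins. If the two plugins are only there to decode passphrase-protected PEM keys (not visible in this diff), a comment such as `# des/md5 are loaded for PEM key decryption only` would make that explicit. Otherwise I would pin the suites in `conn %default`, for example `ike=aes128-sha256-modp2048!` and `esp=aes128-sha256!`, so that the scenario cannot fall back to a legacy algorithm. The same line appears in moon's strongswan.conf.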
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..c4f9b5b
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+       cacert=strongswanCert.pem
+       crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+       auto=add
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       compress=yes
+       leftfirewall=yes
+
+conn rw
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=fec1::/16
+       right=%any
+       auto=add
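Review bot: `conn rw` combines `right=%any` with no `rightid` or `rightca`, so the gateway admits any peer whose certificate chains to a CA it trusts and gives it `leftsubnet=fec1::/16`. `config setup` is empty, so `strictcrlpolicy` is left at its default, which as far as I know does not reject a peer when the CRL named in `crluri` cannot be fetched. For a single-CA test bed this is probably intentional, but it should be stated in the file, e.g. `# test only: any certificate from the strongSwan CA is accepted, revocation is best-effort`. If the scenario is meant to exercise revocation, add `strictcrlpolicy=yes` under `config setup`.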
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..dc93764
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat
new file mode 100644 (file)
index 0000000..fdaf440
--- /dev/null
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat
new file mode 100644 (file)
index 0000000..3f6427f
--- /dev/null
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+# enable Path MTU Discovery
+moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
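Review bot: The comment `# enable Path MTU Discovery` understates what the next line does. It inserts an ACCEPT at position 1 of moon's OUTPUT chain for ICMPv6 type 2 (Packet Too Big) leaving `eth1`, i.e. it opens an exception in the ruleset just loaded from /etc/ip6tables.rules. I would describe the exception itself, e.g. `# let moon send ICMPv6 Packet Too Big (type 2) out of eth1 so alice learns the tunnel MTU`, assuming `eth1` is the interface facing alice, as description.txt implies. The rule is removed only indirectly, by the `ip6tables-restore < /etc/ip6tables.flush` in posttest.dat, and that dependency could be mentioned in the same comment.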
diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf
new file mode 100644 (file)
index 0000000..4e8d1e9
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+