added bad case dave to ikev2/rw-eap-sim-radius scenario
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 26 Mar 2009 19:45:27 +0000 (19:45 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 26 Mar 2009 19:45:27 +0000 (19:45 -0000)
testing/tests/ikev2/rw-eap-sim-radius/description.txt
testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat [new file with mode: 0644]
testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
testing/tests/ikev2/rw-eap-sim-radius/test.conf

index cbc9ffc..6c3c719 100644 (file)
@@ -4,7 +4,11 @@ an IKEv2 <b>RSA signature</b> accompanied by a certificate.
 <b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
 in association with a <i>GSM Subscriber Identity Module</i>
 (<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b> and
-the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses static triplets.
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the radius server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.  
index 47635fe..cd4b43c 100644 (file)
@@ -2,10 +2,14 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
+moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
index 8390680..fd0eb19 100644 (file)
@@ -1,3 +1,7 @@
 carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
 carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
 carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
+
index 2af93a3..4f0d40b 100755 (executable)
@@ -13,7 +13,6 @@ conn %default
 
 conn home
        left=PH_IP_CAROL
-       leftnexthop=%direct
        leftid=carol@strongswan.org
        leftfirewall=yes
        right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..511eb61
--- /dev/null
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       authby=eap
+
+conn home
+       left=PH_IP_DAVE
+       leftid=dave@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644 (file)
index 0000000..a02a42c
--- /dev/null
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..ddd4956
--- /dev/null
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..e238826
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+}
index 920d6a2..dbe5601 100644 (file)
@@ -1,5 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
 alice::/etc/init.d/radiusd stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
index 0a9f418..b3fd4cb 100644 (file)
@@ -1,5 +1,6 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
 alice::cat /etc/raddb/clients.conf
 alice::cat /etc/raddb/eap.conf
 alice::cat /etc/raddb/proxy.conf
@@ -7,6 +8,8 @@ alice::cat /etc/raddb/triplets.dat
 alice::/etc/init.d/radiusd start
 moon::ipsec start
 carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
-carol::sleep 1
+dave::ipsec up home
+dave::sleep 1
index 2bd2149..7041682 100644 (file)
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+UMLHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # UML instances on which tcpdump is to be started
 #
@@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon"
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"