testing: Converted tnc scenarios to swanctl
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 23 Nov 2015 20:35:16 +0000 (21:35 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Dec 2015 17:26:54 +0000 (18:26 +0100)
392 files changed:
testing/tests/tnc/tnccs-11-fhh/evaltest.dat
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-fhh/posttest.dat
testing/tests/tnc/tnccs-11-fhh/pretest.dat
testing/tests/tnc/tnccs-11-fhh/test.conf
testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-block/posttest.dat
testing/tests/tnc/tnccs-11-radius-block/pretest.dat
testing/tests/tnc/tnccs-11-radius-block/test.conf
testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
testing/tests/tnc/tnccs-11-radius-pts/test.conf
testing/tests/tnc/tnccs-11-radius/evaltest.dat
testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-radius/posttest.dat
testing/tests/tnc/tnccs-11-radius/pretest.dat
testing/tests/tnc/tnccs-11-radius/test.conf
testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules [deleted file]
testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-11-supplicant/test.conf
testing/tests/tnc/tnccs-11/evaltest.dat
testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-11/posttest.dat
testing/tests/tnc/tnccs-11/pretest.dat
testing/tests/tnc/tnccs-11/test.conf
testing/tests/tnc/tnccs-20-block/evaltest.dat
testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-block/posttest.dat
testing/tests/tnc/tnccs-20-block/pretest.dat
testing/tests/tnc/tnccs-20-block/test.conf
testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-client-retry/posttest.dat
testing/tests/tnc/tnccs-20-client-retry/pretest.dat
testing/tests/tnc/tnccs-20-client-retry/test.conf
testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fail-init/posttest.dat
testing/tests/tnc/tnccs-20-fail-init/pretest.dat
testing/tests/tnc/tnccs-20-fail-init/test.conf
testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
testing/tests/tnc/tnccs-20-fail-resp/test.conf
testing/tests/tnc/tnccs-20-fhh/evaltest.dat
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon [new file with mode: 0755]
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-fhh/posttest.dat
testing/tests/tnc/tnccs-20-fhh/pretest.dat
testing/tests/tnc/tnccs-20-fhh/test.conf
testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat
testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
testing/tests/tnc/tnccs-20-hcd-eap/test.conf
testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
testing/tests/tnc/tnccs-20-mutual-eap/test.conf
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/posttest.dat
testing/tests/tnc/tnccs-20-os-pts/pretest.dat
testing/tests/tnc/tnccs-20-os-pts/test.conf
testing/tests/tnc/tnccs-20-os/evaltest.dat
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os/posttest.dat
testing/tests/tnc/tnccs-20-os/pretest.dat
testing/tests/tnc/tnccs-20-os/test.conf
testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
testing/tests/tnc/tnccs-20-pdp-eap/test.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
testing/tests/tnc/tnccs-20-pts/evaltest.dat
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts/posttest.dat
testing/tests/tnc/tnccs-20-pts/pretest.dat
testing/tests/tnc/tnccs-20-pts/test.conf
testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-server-retry/posttest.dat
testing/tests/tnc/tnccs-20-server-retry/pretest.dat
testing/tests/tnc/tnccs-20-server-retry/test.conf
testing/tests/tnc/tnccs-20-tls/evaltest.dat
testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-tls/posttest.dat
testing/tests/tnc/tnccs-20-tls/pretest.dat
testing/tests/tnc/tnccs-20-tls/test.conf
testing/tests/tnc/tnccs-20/evaltest.dat
testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20/posttest.dat
testing/tests/tnc/tnccs-20/pretest.dat
testing/tests/tnc/tnccs-20/test.conf
testing/tests/tnc/tnccs-dynamic/evaltest.dat
testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-dynamic/posttest.dat
testing/tests/tnc/tnccs-dynamic/pretest.dat
testing/tests/tnc/tnccs-dynamic/test.conf

index 3478c07..039d956 100644 (file)
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
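Review bot: The moon-side lines `swanctl --list-sas --ike-id 1` and `--ike-id 2` assume carol's IKE_SA is always numbered 1 and dave's 2, which holds only if pretest.dat (outside this hunk) brings carol up before dave and neither client retries; since each pattern already anchors on `remote-id=carol@strongswan.org` / `remote-id=dave@strongswan.org`, dropping the `--ike-id N` option and keeping the remainder of the pattern would make the check order-independent, provided the raw listing keeps each IKE_SA on its own line. Pinning the negotiated proposal (AES_CBC-128, HMAC_SHA2_256_128, MODP_3072, AES_GCM_16) is a welcome tightening over the removed `ipsec statusall` lines. Two entries in the file list look unintended rather than part of the conversion: `tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf` sits under a misspelled directory and presumably will not be read by swanctl, and `tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp` is an editor swap file.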
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
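Review bot: `do_reload()` is dead code in this script: the only case that would call it (`reload|force-reload`) stays commented out and `force-reload` is aliased to `restart`, so either drop the function or wire it up, because a reader will otherwise assume a SIGHUP reload path exists. `do_start` passes `--background` without `--make-pidfile`, so the `--test` guard and both `do_stop` calls depend on charon writing `/var/run/charon.pid` itself; a one-line comment above `PIDFILE=` such as `# charon writes this pidfile itself; start-stop-daemon is not told to create it` would spare the next reader a trip to the daemon source. The file is byte-identical to the dave and moon copies added in the same commit (all three share blob bf3a689); if the harness allows it, one shared copy installed into each host would keep them from drifting. Minor: the Author line reads `strongswa.org`.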
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index caa5bc1..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index d891a2c..063bb6f 100644 (file)
@@ -1,13 +1,29 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
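Review bot: The new `libtls { suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 }` block pins the EAP-TTLS tunnel to a single cipher suite without saying why; nothing visible in this scenario checks the negotiated suite, so a comment like `# pin the TLS suite so the EAP-TTLS handshake in this scenario is deterministic` would stop a later cleanup from removing it or mistaking it for a hardening measure. The `start-scripts` block lists `--load-creds` before `--load-conns`; if that order is relied on (connections resolving the EAP secret), it deserves a one-line comment too. The `creds =` line carries trailing whitespace.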
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
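Review bot: The `home` connection drops the explicit lifetimes the deleted ipsec.conf carried (`ikelifetime=60m`, `keylife=20m`, `rekeymargin=3m`) and falls back to swanctl defaults; if the scenario only needs the SA to come up once that is fine, but it should be a visible choice, so either restore them (`rekey_time` on the connection, `rekey_time`/`life_time` on the child) or add a comment stating that defaults are intended. `remote { auth = eap-ttls }` together with `send_certreq = no` appears to leave moon authenticated solely by the server certificate inside the EAP-TTLS tunnel, which the evaltest's `authentication of 'moon.strongswan.org' with RSA` line then relies on; a comment on the `remote` block, `# gateway is authenticated by its TLS server cert inside EAP-TTLS, not by IKE pubkey`, would help readers who expect `auth = pubkey` there. The `remote_addrs`, `id = moon.strongswan.org` and `remote_ts` lines carry trailing whitespace.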
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
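Review bot: This file is a byte-identical copy of carol's `etc/init.d/charon` (same blob bf3a689), so the same points apply: `do_reload()` is unreachable while the `reload` case stays commented out, and start/stop assume charon writes `/var/run/charon.pid` itself because `--make-pidfile` is not passed. A single shared copy installed by the harness into each host would keep the three scripts from diverging over time.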
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index ba149c4..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index d891a2c..063bb6f 100644 (file)
@@ -1,13 +1,29 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
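Review bot: This hunk is identical to carol's strongswan.conf change, and the same gaps apply: the `libtls` suite pin has no comment explaining that it is for determinism rather than hardening, and the `start-scripts` ordering of `--load-creds` before `--load-conns` is implicit. A shared comment such as `# single TLS suite keeps the EAP-TTLS handshake in this scenario deterministic` in both files would do; the `creds =` line also has trailing whitespace.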
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..989ab88
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
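Review bot: As in carol's swanctl.conf, the explicit `ikelifetime`/`keylife`/`rekeymargin` values from the deleted ipsec.conf were not carried over and the connection now runs on swanctl defaults; if that is intentional, a comment saying so on the `home` block would prevent someone re-adding them "for parity" later. The `remote_addrs`, `id = moon.strongswan.org` and `remote_ts` lines carry trailing whitespace.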
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
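Review bot: This is the third byte-identical copy of the charon init script in this commit (blob bf3a689 again), with the same unreachable `do_reload()` and the same unstated dependency on charon writing its own pidfile. Unless the harness requires a per-host file, one shared script would be easier to keep correct; if per-host copies are required, a comment at the top naming the canonical copy would at least tell a maintainer which one to edit first.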
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 0fdad86..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 03f5519..a3d85b0 100644 (file)
@@ -1,10 +1,22 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
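Review bot: The `start-scripts` block runs `swanctl --load-creds` and then `--load-conns` as charon starts; on the gateway this is also what loads moon's certificate and key, which the new swanctl.conf never names explicitly, so a comment here such as `# --load-creds also picks up moon's cert/key from /etc/swanctl/{x509,rsa}` would document a dependency that is otherwise invisible. The `creds =` line carries trailing whitespace.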
@@ -17,3 +29,7 @@ charon {
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
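Review bot: On the gateway side the `libtls { suites = ... }` pin decides which suite the EAP-TTLS server offers to every client in this scenario, and nothing in the visible evaltest asserts on it; please add a comment stating the purpose, e.g. `# one TLS suite only, so the EAP-TTLS handshake is deterministic across runs`, so it is not mistaken for a security policy or silently dropped when the client pins change.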
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
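Review bot: Neither `rw-allow` nor `rw-isolate` names the gateway's certificate or key, although the deleted ipsec.conf had `leftcert=moonCert.pem` and `: RSA moonKey.pem`; this presumably works because `swanctl --load-creds` picks them up from the default `/etc/swanctl/x509` and `/etc/swanctl/rsa` directories (the pretest wipes those only on carol and dave), but that dependency is invisible here, so a comment under `local { auth = eap-ttls ... }` like `# server cert/key are loaded from /etc/swanctl/{x509,rsa} by --load-creds` would make it explicit. The two connections differ only in `groups = allow` versus `groups = isolate` on an otherwise identical peer template (`id = *@strongswan.org`), so a peer whose TNC recommendation yields neither group should match no connection and be rejected; that is the security property this file depends on and deserves a comment above `connections {`. The `secrets` section holds both users' EAP passwords in clear text, which is fine for the harness but worth a `# test credentials only` marker so the file is not copied as a template.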
index 1865a1c..770cf6e 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
index d181aab..f0f6446 100644 (file)
@@ -6,11 +6,15 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 moon::expect-connection rw-allow
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
index a8a05af..61f2312 100644 (file)
@@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
-
+# charon controlled by swanctl
+#
+SWANCTL=1
index 3f3aa9f..a4939f4 100644 (file)
@@ -1,14 +1,15 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
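Review bot: The two negative checks `dave:: swanctl --list-sas --raw 2> /dev/null::home::NO` and `moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO` also pass when swanctl cannot reach charon at all, because stderr is discarded and an empty output never matches; they are only meaningful because the daemon-log `::YES` lines on dave and moon above them prove the daemons ran. Keep that pairing in mind when these lines are reused elsewhere, or add a positive `swanctl --list-conns` check on dave so the absence of `home` in `--list-sas` cannot be a false pass.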
index 2d49612..c5bde6a 100644 (file)
@@ -15,6 +15,19 @@ session {
 }
 
 post-auth {
+       if (control:TNC-Status == "Access") {
+               update reply {
+                       Tunnel-Type := ESP
+                       Filter-Id := "allow"
+               }
+       }
+       elsif (control:TNC-Status == "Isolate") {
+               update reply {
+                       Tunnel-Type := ESP
+                       Filter-Id := "isolate"
+               }
+       }
+
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
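Review bot: The `if`/`elsif` on `control:TNC-Status` covers only `Access` and `Isolate`; any other status leaves the reply without a `Filter-Id`, which is what ultimately denies the peer on the gateway (its connections each require a group), but that third, implicit outcome is undocumented. A comment before the block, `# any other TNC-Status gets no Filter-Id, so the gateway has no matching connection and rejects the peer`, would make the deny path explicit. Also, `Filter-Id` only becomes a group on the gateway if charon's eap-radius plugin is configured to consume it (its `filter_id` option, if I recall the plugin correctly); that setting is not visible in this chunk, so please confirm it is enabled on moon for this scenario.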
index 06c34ed..7622801 100644 (file)
@@ -1,12 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
-  debug_level = 3
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
+  debug_level = 3 
   assessment_result = no
   plugins {
-    imv-scanner {
-      closed_port_policy = no
-      tcp_ports = 80 443
-     }
+    imv-test {
+      rounds = 1 
+    }
   }
 }
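Review bot: Replacing `imv-scanner { closed_port_policy = no; tcp_ports = 80 443 }` with `imv-test { rounds = 1 }` changes what the radius-block scenario exercises (a port policy before, the synthetic test IMV now), which goes beyond the "converted to swanctl" description; if the scanner IMV is no longer viable here, a comment on the `plugins` block such as `# imv-test replaces imv-scanner: this scenario only needs a recommendation, not a port policy` would record the reason. The new `load = random nonce sha1 sha2 md5 gmp pubkey x509` line for libimcv also has no rationale; `debug_level = 3 ` and `rounds = 1 ` carry trailing whitespace.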
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e9152e0..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 927c459..80c96b6 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..ff58c7c
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
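Review bot: The EAP password `Ar3etTnp` now sits in the same world-readable file as the connection definition (`new file mode 100644`), whereas the deleted ipsec.secrets was a dedicated secrets file; that is tolerable in a test fixture, but fixtures like this are what gets copied into real deployments. Consider keeping the `secrets` section in a separate `conf.d/secrets.conf` with mode 0600 (pulled in by the `include conf.d/*.conf` line of the stock swanctl.conf template, if that template is in use), or at least commit this file as 0600. The trailing spaces on `remote_addrs = 192.168.0.1 `, `auth = pubkey ` and `remote_ts = 10.1.0.0/16 ` should be trimmed as well.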
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 25589bc..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 566457d..691cdbc 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -14,6 +27,9 @@ charon {
 
 libimcv {
   plugins {
+    imc-test {
+      command = none
+    }
     imc-scanner {
       push_info = no
     }
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..5af2098
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
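Review bot: `aaa_id = aaa.strongswan.org` replaces the full DN `C=CH, O=Linux strongSwan, CN=aaa.strongswan.org` from the deleted ipsec.conf; this identity is what binds the EAP-TTLS tunnel to the intended AAA server, and as an FQDN it is compared against the AAA certificate's subjectAltName rather than its subject DN, so it only holds if that certificate carries `DNS:aaa.strongswan.org`. Presumably it does, since the scenario is expected to pass, but a comment `# must match a subjectAltName of the AAA server certificate` beside the line would make the dependency explicit. The same concern as for carol applies to the plaintext `secret = "W7R0g3do"` in a 0644 file.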
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 98e2525..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=pubkey
-       leftfirewall=yes
-       rightauth=eap-radius
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index e86d6aa..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
index fbf1617..71fc7dd 100644 (file)
@@ -1,12 +1,19 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
+      filter_id = yes
     }
   }
 }
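Review bot: `filter_id = yes` makes charon import the RADIUS Filter-Id attribute as a group membership, but the single `rw` connection in this host's new swanctl.conf sets no `groups` constraint, so as far as this configuration shows the attribute is only logged and never enforced during connection selection. If the point of the scenario is that the RADIUS server itself rejects the non-compliant client (as the directory name suggests), the option is inert here and can be dropped; otherwise add `groups = allow` to the `rw` remote section so the verdict actually gates access. `server = 10.1.0.10 ` also carries a trailing space that should be trimmed.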
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..28b32b7
--- /dev/null
@@ -0,0 +1,27 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+      }
+      children {
+         rw {
+            local_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
index 5e5a851..2989f34 100644 (file)
@@ -1,9 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
index d2bb945..baf8c97 100644 (file)
@@ -1,14 +1,20 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
 alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
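Review bot: `carol::rm /etc/swanctl/rsa/*` and its three companions delete the clients' key and certificate material before charon starts, presumably so that carol and dave can only authenticate via EAP and `swanctl --load-creds` cannot pick up a leftover key; with a bare glob and no `-f`, an already-empty directory makes `rm` print an error on the console, so `rm -f /etc/swanctl/rsa/*` is the safer form. The CA store under x509ca is deliberately left intact, which the clients still need to verify moon's certificate — worth stating somewhere, since nothing in this script explains why only rsa and x509 are purged.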
index 29bfaa7..8d7f514 100644 (file)
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
index 955584b..00fbb20 100644 (file)
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
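Review bot: The moon checks select SAs with `--ike-id 1` and `--ike-id 2` and expect them to be carol's `rw-allow` and dave's `rw-isolate` respectively; that holds only because pretest.dat initiates carol before dave, so any reordering or a retried initiation would turn a passing scenario into a false failure. Filtering by connection name instead, `moon:: swanctl --list-sas --ike rw-allow --raw 2> /dev/null::...` and likewise `--ike rw-isolate`, pins each check to what it actually asserts. The corrected negative ping patterns are an improvement, since the old `PH_IP_ALICE` pattern in the VENUS check could never have matched and so never tested anything.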
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e9152e0..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 3520fd5..978cc66 100644 (file)
@@ -1,21 +1,26 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
     }
   }
-}
-
-libimcv {
   plugins {
-    imc-test {
-      command = allow
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
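Review bot: Beyond the stroke-to-vici conversion, this hunk also drops the whole `libimcv { plugins { imc-test { command = allow } } }` section, which is unrelated to swanctl. If imc-test is no longer listed in carol's /etc/tnc_config for this scenario (pretest prints that file, but it is not part of this diff) the removal is harmless; otherwise the IMC now falls back to its built-in default. Either way the behavioural change deserves a mention in the commit message or its own commit rather than being hidden inside a mechanical conversion.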
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1516ad7
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 25589bc..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index e870608..0bc6e35 100644 (file)
@@ -1,26 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
-
   retransmit_tries = 5
 
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
     }
   }
-}
-
-libimcv {
   plugins {
-    imc-test {
-      command = allow
-    }
-    imc-scanner {
-      push_info = no
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
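Review bot: This hunk removes `imc-scanner { push_info = no }` together with the `imc-test` block while keeping `retransmit_tries = 5`, none of which has anything to do with swanctl. If the scanner IMC is still loaded on dave via /etc/tnc_config, dropping `push_info = no` presumably changes whether it volunteers its port information unasked, which alters the TNCCS message flow seen in the logs; confirm it is no longer loaded here, and call the removal out in the commit message so it is not mistaken for conversion fallout.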
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..07b35dc
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 294964f..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=pubkey
-       leftfirewall=yes
-       rightauth=eap-radius
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index e86d6aa..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
index 6e49677..387236e 100644 (file)
@@ -1,12 +1,18 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
       filter_id = yes
     }
   }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..096eb7b
--- /dev/null
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
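Review bot: `rw-isolate` declares `auth = pubkey` with `id = moon.strongswan.org` but, unlike `rw-allow`, no `certs = moonCert.pem`; charon will then pick whichever loaded certificate matches the local identity, which presumably works only because moonCert is the sole one loaded, and it makes two otherwise identical connections silently diverge. Add `certs = moonCert.pem` to the `rw-isolate` local section. The `groups = allow` / `groups = isolate` constraints are what turn the RADIUS Filter-Id into the 10.1.0.0/28 versus 10.1.0.16/28 split; a one-line comment above each connection saying `# selected by RADIUS Filter-Id via eap-radius.filter_id` would make that visible.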
index 18e0374..db806c3 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
index 31ee7d1..c96e063 100644 (file)
@@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
 alice::ipsec attest --sessions
 alice::ipsec attest --devices
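Review bot: The initiation order is swapped relative to the old script (carol now goes before dave), and that order is load-bearing because the new evaltest.dat for this scenario identifies moon's SAs by `--ike-id 1` and `--ike-id 2`; nothing in this file records that. If the order must stay fixed, keep carol first and have evaltest select by connection name instead, so the coupling disappears. As in the other scenarios, the `rm /etc/swanctl/rsa/*` and `x509/*` lines should use `rm -f` so an empty directory does not print an error before charon starts.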
index 318dfdf..05d40f9 100644 (file)
@@ -27,3 +27,7 @@ RADIUSHOSTS="alice"
 # Guest instances on which databases are used
 #
 DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 955584b..fac1a3c 100644 (file)
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
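Review bot: The moon assertions again tie `--ike-id 1` to carol's `rw-allow` and `--ike-id 2` to dave's `rw-isolate`, which depends on the initiation order in a pretest.dat that is not in view here; selecting by name, `swanctl --list-sas --ike rw-allow --raw` and `--ike rw-isolate`, removes that dependency. The negative ping checks now match the correct host, which the previous patterns could not.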
index 45050f7..7622801 100644 (file)
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3 
   assessment_result = no
   plugins {
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e9152e0..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 927c459..80c96b6 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..ff58c7c
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 25589bc..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 1422c3c..9c6f28f 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..5af2098
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 294964f..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=pubkey
-       leftfirewall=yes
-       rightauth=eap-radius
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index e86d6aa..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
index 6e49677..71fc7dd 100644 (file)
@@ -1,12 +1,18 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
       filter_id = yes
     }
   }
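Review bot: `server = 10.1.0.10 ` replaces the `PH_IP_ALICE` placeholder with a literal address, while the evaltest lines in this commit still use `PH_IP_ALICE` for the same host (L2795); if the placeholder substitution still applies to strongswan.conf, keeping `server = PH_IP_ALICE` avoids a hard-coded address that silently diverges if the testbed addressing changes. The new swanctl.conf files in this commit use literal addresses throughout, so the change may be deliberate; in that case only the trailing space after `10.1.0.10` needs removing. The `charon {` block closes outside this hunk.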
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..3caad0c
--- /dev/null
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
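Review bot: The `rw-isolate` connection omits the `certs = moonCert.pem` line that `rw-allow` sets in its `local` section (L2505 vs. L2529–L2531). With `--load-creds` the daemon can presumably still select the certificate matching `moon.strongswan.org`, but pinning it in both connections keeps the two responder configs symmetric and makes the credential explicit; add `certs = moonCert.pem` after L2530.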
index a64a914..2989f34 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 moon::iptables-restore < /etc/iptables.flush
index fcfb145..baf8c97 100644 (file)
@@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
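Review bot: The new `carol::rm /etc/swanctl/rsa/*` and `x509/*` lines (L2569–L2572) use a bare glob, so if a directory is already empty rm reports an unmatched-pattern error; whether the harness treats that as fatal is not visible here, and `carol::rm -f /etc/swanctl/rsa/*` (likewise for the other three lines) sidesteps the question. The same block is added in the tnccs-11 pretest at L3203–L3206. The initiate lines here (L2578, L2581) do not redirect stderr while their tnccs-11 counterparts do (L3212, L3215); if the difference is intentional because dave's initiation is expected to fail only in tnccs-11, that is fine, otherwise align them.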
index f23a193..8d7f514 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
index 45050f7..7622801 100644 (file)
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3 
   assessment_result = no
   plugins {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index f244559..0000000
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index ddd4956..0000000
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
index 71fbae6..965752b 100644 (file)
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..00ef0f5
--- /dev/null
@@ -0,0 +1 @@
+# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index f244559..0000000
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index ddd4956..0000000
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
index 4ce2769..ca1f7d9 100644 (file)
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..00ef0f5
--- /dev/null
@@ -0,0 +1 @@
+# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 294964f..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=pubkey
-       leftfirewall=yes
-       rightauth=eap-radius
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index e86d6aa..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules
deleted file mode 100644 (file)
index 1eb7553..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
deleted file mode 100644 (file)
index 6e49677..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs 
-      server = PH_IP_ALICE
-      filter_id = yes
-    }
-  }
-}
index f23a193..2069e4a 100644 (file)
@@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="carol dave"
 
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
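Review bot: `SWANCTL=1` is set for this scenario although the swanctl.conf files it adds for carol and dave contain only a comment (L2625, L2652) and moon is removed from `IPSECHOSTS`; the framework's swanctl credential/connection load will presumably find nothing to load on these hosts, so confirm that an empty configuration is not treated as a failure. Emptying `TCPDUMPHOSTS=` together with removing moon's iptables.rules and strongswan.conf is consistent with moon no longer acting as an IPsec gateway in this scenario.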
index 3478c07..039d956 100644 (file)
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
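Review bot: The moon checks on L2793–L2794 select the IKE_SAs with `--ike-id 1` and `--ike-id 2`, which ties the assertion to the order in which carol and dave initiate in pretest.dat (L3212 before L3215). Filtering by connection name, `moon:: swanctl --list-sas --ike rw-allow --raw 2> /dev/null::rw-allow.*…` and `--ike rw-isolate` for the second line, asserts the same SA attributes without depending on SA numbering; the tnccs-20-block evaltest uses the same `--ike-id` pattern at L3239–L3240. The corrected negative ping checks (L2797, L2801) now match the address that actually replies, whereas the removed lines matched a different host's reply string and so passed trivially.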
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e2bf349..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 927c459..af30c20 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
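Review bot: The new `libtls { suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 }` block pins a single cipher suite without saying why; the same block is added on dave (L2981–L2983) and moon (L3108–L3110) and in tnccs-20-block (L3310–L3312, L3422–L3424), so both EAP-TTLS peers must keep it in sync or the handshake fails. A one-line comment such as `# single suite so the EAP-TTLS handshake and its logged parameters stay deterministic` would record the intent, assuming that is the reason. The `libimcv {` block continues past the end of this hunk.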
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 77446cb..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 1422c3c..5245362 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..989ab88
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index e21ef0d..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 2ce6fd3..bba631b 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -18,6 +31,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
index 1865a1c..770cf6e 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
index 8562203..c8ab143 100644 (file)
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
index a8a05af..3a66699 100644 (file)
@@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
+
index e0f3d93..29702ba 100644 (file)
@@ -1,12 +1,14 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e2bf349..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 201f6c7..fac3dc0 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..760fca4
--- /dev/null
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
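Review bot: This conversion drops the `send_certreq = no` setting that the deleted ipsec.conf expressed as `rightsendcert=never` (L3269) and that the tnccs-11 carol conversion retained (L2903); the dave file at L3433–L3467 drops it as well (old L3381). Since moon authenticates with EAP-TTLS here the CERTREQ is not needed, so add `send_certreq = no` after `version = 2` in both files for parity with tnccs-11 and with the previous behaviour.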
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 77446cb..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index a255b90..168e4ec 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru, fr, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-scanner {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..5345003
--- /dev/null
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
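Review bot: The new `home` connection for dave lacks `send_certreq = no`, although the ipsec.conf it replaces had `rightsendcert=never`, which the other files in this commit translate to `send_certreq = no` (carol's swanctl.conf for tnccs-20-client-retry, dave's own for tnccs-20-client-retry and tnccs-20-fail-init, and moon's in this scenario all set it under `version = 2`). As written, dave will still send a certificate request toward moon, which is a behavioural difference from the stroke configuration rather than a straight conversion. Adding `send_certreq = no` next to `version = 2` aligns it with the other clients; if the omission is deliberate, a short comment on the connection would help.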
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 9aeb02a..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index ee510f1..bb15d3f 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -17,12 +30,6 @@ charon {
   }
 }
 
-libimcv {
-  plugins {
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
-  }
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
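Review bot: This hunk drops the whole `libimcv { plugins { imv-scanner { closed_port_policy = yes ... } } }` block from moon and puts only the libtls block in its place, which goes beyond a stroke-to-swanctl conversion: as far as the removed lines show, the scanner IMV's port policy was the configuration that produced the scenario's block verdict. The pretest and posttest hunks of the same scenario also remove `dave::/etc/init.d/apache2 start 2> /dev/null` and its stop counterpart, so the open-port condition that policy would have detected is no longer set up either. If tnccs-20-block now reaches its blocking decision by a different IMV, the commit description should say so; otherwise the libimcv block and the apache2 lines should stay.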
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..e396cd0
--- /dev/null
@@ -0,0 +1,39 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+      }
+      children {
+         rw {
+            local_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
index 2258e03..770cf6e 100644 (file)
@@ -1,7 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
index c66a2e1..c8ab143 100644 (file)
@@ -1,14 +1,17 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
index a8a05af..f6db739 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
index c69940c..b5578eb 100644 (file)
@@ -1,19 +1,17 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
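Review bot: The check `carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES` is removed for carol while the equivalent line for dave is kept, so the two clients are no longer verified symmetrically, and the replacement `swanctl --list-sas --raw` assertions confirm the SA's identities and algorithms but not that moon's EAP-TTLS server authentication completed on carol. Unless carol's log genuinely no longer contains that line in this scenario, restoring it next to the surviving MSK check keeps coverage equal for both clients. The new moon assertions select SAs with `--ike-id 1` and `--ike-id 2`, which presumably holds only because pretest.dat initiates carol before dave; that ordering dependency is worth a mention in the commit description. The corrected `PH_IP_VENUS`/`PH_IP_ALICE` expectations on the two `NO` lines are a welcome fix.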
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index a483d6d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index ea8e626..aceddc3 100644 (file)
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 1137813..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 3a93fc3..7ac1a5d 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru , de, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..989ab88
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index b1093d4..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 009e2ef..a0b8077 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
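Review bot: Both `local` blocks in moon's new rw-allow and rw-isolate connections omit `certs = moonCert.pem`, although the ipsec.conf they replace pinned `leftcert=moonCert.pem` and moon's swanctl.conf for tnccs-20-block, created in this same commit, keeps `certs = moonCert.pem` under `local`. With `--load-creds` having loaded the x509 directory, charon presumably still finds a certificate matching `id = moon.strongswan.org`, so the scenario likely works, but the selection then depends on what happens to be in that directory rather than being explicit. Adding `certs = moonCert.pem` to both `local` blocks restores the pinning; the identical moon file for tnccs-20-fail-init has the same omission.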
index 1865a1c..770cf6e 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
index 8562203..c8ab143 100644 (file)
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
index a8a05af..f6db739 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e2bf349..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index fcd2246..0733557 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnccs-20 {
       tests {
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 5044084..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 76f4137..6c1b991 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru, pl  , de
@@ -17,6 +30,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..989ab88
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index e21ef0d..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 9c13fcb..165c5cc 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
index b757d8b..770cf6e 100644 (file)
@@ -1,6 +1,6 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
index 8562203..c8ab143 100644 (file)
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
index 3c8e399..5131149 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index e2bf349..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index ed6d6f7..56fa7a9 100644 (file)
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
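Review bot: `creds = /usr/local/sbin/swanctl --load-creds ` in the new start-scripts section ends in a trailing space, which should be dropped for consistency with the `conns` line below it. The new `libtls { suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 }` pins the EAP-TTLS tunnel to a single CBC/HMAC suite; that is fine for a deterministic test, but a one-line comment such as `# single suite pinned so the TNC exchange is reproducible; not a production recommendation` would stop this file being copied as a hardening example.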
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
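Review bot: `send_certreq = no` together with the pretest deleting carol's /etc/swanctl/x509 directory means moon's IKE identity is never checked against a certificate at the IKE level; the only thing binding `remote.id = moon.strongswan.org` to the peer is the TLS server certificate validated inside EAP-TTLS, which presumably relies on a CA certificate loaded from a directory this file does not mention. A comment above `remote { ... }` such as `# moon is authenticated only via its EAP-TTLS server certificate; the issuing CA must be loadable by swanctl --load-creds` would make that trust path explicit for the next reader. `remote_addrs = 192.168.0.1 ` and `id = moon.strongswan.org ` also carry trailing spaces; the settings parser presumably trims them, but they should go.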
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index e21ef0d..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 626731f..cb6abf3 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -19,6 +32,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
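Review bot: The deleted moon ipsec.conf named `leftcert=moonCert.pem` explicitly, but neither `rw-allow` nor `rw-isolate` has a `certs =` entry in its `local` section, so the EAP-TTLS server certificate is presumably whatever `swanctl --load-creds` found in /etc/swanctl/x509 that matches `moon.strongswan.org`; adding `certs = moonCert.pem` under `local { ... }` in both connections keeps the selection explicit and fails loudly if the file is absent. The two connections differ only in `groups` and `local_ts`, and nothing records that the group is presumably assigned from the IMV recommendation rather than from anything the peer presents; a comment above `rw-allow` like `# group membership comes from the IMV result (allow/isolate); a peer with neither group matches no connection` would help.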
index 80ce1a1..9af5f39 100644 (file)
@@ -1,4 +1,4 @@
-carol::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
index e5c2029..3dba1d7 100644 (file)
@@ -2,7 +2,9 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
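Review bot: As in the other pretest files of this commit, `rm /etc/swanctl/rsa/*` and `rm /etc/swanctl/x509/*` on carol lack `-f`, so an already-empty directory makes `rm` error out and may fail the step; `rm -f /etc/swanctl/rsa/* /etc/swanctl/x509/*` avoids that. The reason for stripping carol's keys and certificates (presumably so the EAP-only client loads no private key) is not recorded anywhere visible and should be.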
index e843074..9141c69 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
index c69940c..5b53625 100644 (file)
@@ -1,19 +1,18 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
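Review bot: The two moon checks select the IKE_SAs by `--ike-id 1` and `--ike-id 2`, which ties the assertions to the order in which carol and dave happen to complete their initiations and to neither SA being re-established before evaltest runs; unique IKE_SA IDs reflect allocation order, not configuration. `moon:: swanctl --list-sas --ike rw-allow --raw` and `moon:: swanctl --list-sas --ike rw-isolate --raw` select by connection name and make the assertion independent of ordering, with the rest of each pattern unchanged.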
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
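Review bot: `[ -x "$DAEMON" ] || exit 0` makes `service charon start` report success on a host where /usr/local/libexec/ipsec/charon is missing, so a broken build would surface only as a later `expect-connection` timeout; for a test host, `[ -x "$DAEMON" ] || { echo "$DAEMON not installed" >&2; exit 5; }` (LSB status 5, program not installed) is more diagnostic. The author line has a typo, `strongswa.org` should be `strongswan.org`, and `# Provides:          charon ` and the Short-Description line carry trailing spaces. `export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties` is unexplained in an otherwise generic skeleton; presumably it configures logging for the FHH IMC/IMV used by this scenario, and a one-line comment saying so would help.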
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index a483d6d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftid=carol@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 74942af..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
index 43af0fc..c3338d4 100644 (file)
@@ -1,7 +1,25 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
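Review bot: `imc = 2 ` and `creds = /usr/local/sbin/swanctl --load-creds ` both end in a trailing space; as far as I can tell the parser tolerates it, but they should be trimmed so the file diffs cleanly against the other clients' configs. The `imc = 2` level matches the old `charondebug="tnc 3, imc 2"` line removed from ipsec.conf, so the difference from the level 3 used in the tnccs-20-fail-resp carol config is intentional and not something to align.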
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..0f266dd
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
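Review bot: This file is the same blob (0f266dd) as the tnccs-20-fail-resp carol swanctl.conf, so the same remark applies: `send_certreq = no` plus the pretest removing /etc/swanctl/x509 means moon is authenticated only through the TLS server certificate inside EAP-TTLS, and a comment above `remote { ... }` stating that, and where the CA certificate is expected to be loaded from, would make the trust path explicit. Trailing spaces on `remote_addrs = 192.168.0.1 ` and `id = moon.strongswan.org ` should also go.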
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
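Review bot: This script is a byte-identical copy of the carol one earlier in this commit (same blob bf3a689), so the remarks there apply unchanged: `[ -x "$DAEMON" ] || exit 0` hides a missing daemon binary behind a successful `service charon start`, and the author line reads `strongswa.org` instead of `strongswan.org`. If the harness allows it, a single shared copy under testing/ would keep the three host copies from drifting apart.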
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 1137813..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftid=dave@strongswan.org
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightauth=any
-       rightsendcert=never
-       rightsubnet=10.1.0.0/16
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 5496df7..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
index 43af0fc..89d9e50 100644 (file)
@@ -1,7 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
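Review bot: `imc = 2 ` ends in a trailing space, and unlike carol's file in the same scenario there is no blank line between `multiple_authentication = no` and `start-scripts {`; trivial, but the two client configs are otherwise identical and easier to compare when laid out the same way. `creds = /usr/local/sbin/swanctl --load-creds ` carries the same trailing space seen in the other strongswan.conf files of this commit.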
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..989ab88
--- /dev/null
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
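Review bot: Same trust-path remark as for carol's swanctl.conf: with `send_certreq = no`, and the pretest files of this commit deleting the clients' /etc/swanctl/x509 directories, `remote.id = moon.strongswan.org` is bound to the peer only by the EAP-TTLS server certificate, so a comment above `remote { ... }` naming that and where the CA certificate is expected would help. `remote_addrs = 192.168.0.1 ` and `id = moon.strongswan.org ` have trailing spaces.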
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
new file mode 100755 (executable)
index 0000000..bf3a689
--- /dev/null
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+               || return 1
+       start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS \
+               || return 2
+       # Add code here, if necessary, that waits for the process to be ready
+       # to handle requests from services started subsequently which depend
+       # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+       RETVAL="$?"
+       [ "$RETVAL" = 2 ] && return 2
+       # Wait for children to finish too if this is a daemon that forks
+       # and if the daemon is only ever run from this initscript.
+       # If the above conditions are not satisfied then add some other code
+       # that waits for the process to drop all resources that could be
+       # needed by services started subsequently.  A last resort is to
+       # sleep for some time.
+       start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+       [ "$?" = 2 ] && return 2
+       # Many daemons don't delete their pidfiles when they exit.
+       rm -f $PIDFILE
+       return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       #
+       # If the daemon can reload its configuration without
+       # restarting (for example, when it is sent a SIGHUP),
+       # then implement that here.
+       #
+       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       do_start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       #log_daemon_msg "Reloading $DESC" "$NAME"
+       #do_reload
+       #log_end_msg $?
+       #;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop
+       case "$?" in
+         0|1)
+               do_start
+               case "$?" in
+                       0) log_end_msg 0 ;;
+                       1) log_end_msg 1 ;; # Old process is still running
+                       *) log_end_msg 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1
+               ;;
+       esac
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
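Review bot: This is the third byte-identical copy of the init script (blob bf3a689 again), so the same two points stand: `[ -x "$DAEMON" ] || exit 0` turns a missing charon binary into a silent successful start, and the author e-mail `strongswa.org` is a typo. Consider keeping one copy and having the harness install it on each host.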
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index b1093d4..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 2"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=eap-ttls
-       leftfirewall=yes
-       rightauth=eap-ttls
-       rightid=*@strongswan.org
-       rightsendcert=never
-       right=%any
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index 2e277cc..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
index 9f3874b..0cd3486 100644 (file)
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
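Review bot: The new `creds` entry in the start-scripts block carries a trailing space after `--load-creds`, unlike the `conns` line directly below it; presumably harmless to the parser, but it is invisible noise that tends to get copied into the other hosts' strongswan.conf files. Suggest `creds = /usr/local/sbin/swanctl --load-creds`. The rewritten `load` line swaps `stroke` for `vici`, which the two start-scripts depend on; the `plugins` block that follows continues outside the hunk.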
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..1238c1a
--- /dev/null
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
index 1865a1c..770cf6e 100644 (file)
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
index 39b0e03..f0f6446 100644 (file)
@@ -6,12 +6,15 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::cat /etc/tnc/dummyimv.policy
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 moon::expect-connection rw-allow
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
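Review bot: Both `swanctl --initiate --child home` lines send stderr to /dev/null, so a failed initiation on carol or dave leaves nothing in the pretest output and the scenario only fails later, at evaltest time, with no hint where; if the redirect is only meant to quiet swanctl's normal output, keeping stderr (`carol::swanctl --initiate --child home`) keeps the failure point visible. The removed `moon::cat /etc/tnc/dummyimv.policy` dump has no replacement; unless that file is gone from the moon host, it seems worth keeping for the test log. The new `rm /etc/swanctl/rsa/*` and `rm /etc/swanctl/x509/*` lines on carol and dave presumably strip the preloaded key material so both peers authenticate with EAP only; the intent is not stated anywhere in the hunk.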
index a8a05af..f6db739 100644 (file)
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
index 1293e98..90d1922 100644 (file)
@@ -16,4 +16,3 @@ alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*i
 alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
-
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf
deleted file mode 100644 (file)
index f2e6119..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 2, imv 3"
-
-conn aaa
-       leftcert=aaaCert.pem
-       leftid=aaa.strongswan.org
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
deleted file mode 100644 (file)
index 42083c2..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX
-z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii
-95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS
-rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6
-fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR
-dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig
-kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
-Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs
-nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/
-TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2
-FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ
-GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH
-sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73
-xyr/Qw==
------END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
deleted file mode 100644 (file)
index adc47dd..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl
-h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l
-0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a
-VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S
-W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD
-e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k
-nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj
-AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/
-/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs
-P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF
-sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek
-uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj
-PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5
-hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg
-Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+
-Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL
-SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU
-zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH
-xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I
-XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF
-hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9
-AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO
-Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH
-yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5
-9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets
deleted file mode 100644 (file)
index 606e184..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem