tests with subdirectory structure
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 3 Jul 2006 07:11:30 +0000 (07:11 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 3 Jul 2006 07:11:30 +0000 (07:11 -0000)
607 files changed:
testing/tests/ike/ikev2-ikev1-mixed/description.txt [new file with mode: 0644]
testing/tests/ike/ikev2-ikev1-mixed/evaltest.dat [new file with mode: 0644]
testing/tests/ike/ikev2-ikev1-mixed/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ike/ikev2-ikev1-mixed/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ike/ikev2-ikev1-mixed/posttest.dat [new file with mode: 0644]
testing/tests/ike/ikev2-ikev1-mixed/pretest.dat [new file with mode: 0644]
testing/tests/ike/ikev2-ikev1-mixed/test.conf [new file with mode: 0644]
testing/tests/ikev1/alg-blowfish/description.txt [new file with mode: 0644]
testing/tests/ikev1/alg-blowfish/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-blowfish/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-blowfish/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-blowfish/test.conf [new file with mode: 0644]
testing/tests/ikev1/alg-serpent/description.txt [new file with mode: 0644]
testing/tests/ikev1/alg-serpent/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-serpent/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-serpent/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-serpent/test.conf [new file with mode: 0644]
testing/tests/ikev1/alg-sha2_256/description.txt [new file with mode: 0644]
testing/tests/ikev1/alg-sha2_256/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-sha2_256/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-sha2_256/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-sha2_256/test.conf [new file with mode: 0644]
testing/tests/ikev1/alg-twofish/description.txt [new file with mode: 0644]
testing/tests/ikev1/alg-twofish/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/alg-twofish/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-twofish/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/alg-twofish/test.conf [new file with mode: 0644]
testing/tests/ikev1/attr-cert/description.txt [new file with mode: 0644]
testing/tests/ikev1/attr-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem [new file with mode: 0644]
testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem [new file with mode: 0644]
testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem [new file with mode: 0644]
testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf [new file with mode: 0644]
testing/tests/ikev1/attr-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/attr-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/attr-cert/test.conf [new file with mode: 0644]
testing/tests/ikev1/compress/description.txt [new file with mode: 0644]
testing/tests/ikev1/compress/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/compress/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/compress/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/compress/test.conf [new file with mode: 0644]
testing/tests/ikev1/crl-from-cache/description.txt [new file with mode: 0644]
testing/tests/ikev1/crl-from-cache/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-from-cache/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-from-cache/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-from-cache/test.conf [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/description.txt [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-ldap/test.conf [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/description.txt [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-revoked/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-revoked/test.conf [new file with mode: 0644]
testing/tests/ikev1/crl-strict/description.txt [new file with mode: 0644]
testing/tests/ikev1/crl-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-strict/test.conf [new file with mode: 0644]
testing/tests/ikev1/crl-to-cache/description.txt [new file with mode: 0644]
testing/tests/ikev1/crl-to-cache/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/crl-to-cache/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-to-cache/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/crl-to-cache/test.conf [new file with mode: 0644]
testing/tests/ikev1/default-keys/description.txt [new file with mode: 0644]
testing/tests/ikev1/default-keys/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/default-keys/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/default-keys/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/default-keys/test.conf [new file with mode: 0644]
testing/tests/ikev1/double-nat-net/description.txt [new file with mode: 0644]
testing/tests/ikev1/double-nat-net/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/double-nat-net/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat-net/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat-net/test.conf [new file with mode: 0644]
testing/tests/ikev1/double-nat/description.txt [new file with mode: 0644]
testing/tests/ikev1/double-nat/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/double-nat/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/double-nat/test.conf [new file with mode: 0644]
testing/tests/ikev1/dpd-clear/description.txt [new file with mode: 0644]
testing/tests/ikev1/dpd-clear/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/dpd-clear/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/dpd-clear/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/dpd-clear/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-ah-transport/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-ah-transport/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-ah-transport/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-transport/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-transport/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-ah-tunnel/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-ah-tunnel/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-ah-tunnel/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-tunnel/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-ah-tunnel/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-alg-des/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-alg-des/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-des/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-des/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-des/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-alg-null/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-alg-null/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-null/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-null/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-null/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict-fail/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-strict-fail/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict-fail/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict-fail/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-strict/test.conf [new file with mode: 0644]
testing/tests/ikev1/esp-alg-weak/description.txt [new file with mode: 0644]
testing/tests/ikev1/esp-alg-weak/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/esp-alg-weak/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-weak/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/esp-alg-weak/test.conf [new file with mode: 0644]
testing/tests/ikev1/host2host-cert/description.txt [new file with mode: 0644]
testing/tests/ikev1/host2host-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-cert/test.conf [new file with mode: 0644]
testing/tests/ikev1/host2host-swapped/description.txt [new file with mode: 0644]
testing/tests/ikev1/host2host-swapped/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/host2host-swapped/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-swapped/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-swapped/test.conf [new file with mode: 0644]
testing/tests/ikev1/host2host-transport/description.txt [new file with mode: 0644]
testing/tests/ikev1/host2host-transport/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/host2host-transport/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-transport/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/host2host-transport/test.conf [new file with mode: 0644]
testing/tests/ikev1/ike-alg-sha2_512/description.txt [new file with mode: 0644]
testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-sha2_512/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-sha2_512/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-sha2_512/test.conf [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict-fail/description.txt [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-strict-fail/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict-fail/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict-fail/test.conf [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict/description.txt [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ike-alg-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/ike-alg-strict/test.conf [new file with mode: 0644]
testing/tests/ikev1/mode-config-swapped/description.txt [new file with mode: 0644]
testing/tests/ikev1/mode-config-swapped/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config-swapped/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config-swapped/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config-swapped/test.conf [new file with mode: 0644]
testing/tests/ikev1/mode-config/description.txt [new file with mode: 0644]
testing/tests/ikev1/mode-config/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/mode-config/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/mode-config/test.conf [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/description.txt [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-ldap/test.conf [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/description.txt [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-loop/test.conf [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/description.txt [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-revoked/test.conf [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/description.txt [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca-strict/test.conf [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/description.txt [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/multi-level-ca/test.conf [new file with mode: 0644]
testing/tests/ikev1/nat-one-rw/description.txt [new file with mode: 0644]
testing/tests/ikev1/nat-one-rw/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-one-rw/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-one-rw/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-one-rw/test.conf [new file with mode: 0644]
testing/tests/ikev1/nat-two-rw/description.txt [new file with mode: 0644]
testing/tests/ikev1/nat-two-rw/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-two-rw/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-two-rw/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/nat-two-rw/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-cert/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-cert/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-pgp/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk-fail/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-psk/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-route/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-route/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-route/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-route/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-route/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-rsa/test.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-start/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-start/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/net2net-start/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-start/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-start/test.conf [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/description.txt [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/no-priv-key/test.conf [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/description.txt [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ocsp-revoked/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-revoked/test.conf [new file with mode: 0644]
testing/tests/ikev1/ocsp-strict/description.txt [new file with mode: 0644]
testing/tests/ikev1/ocsp-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/ocsp-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/ocsp-strict/test.conf [new file with mode: 0644]
testing/tests/ikev1/protoport-dual/description.txt [new file with mode: 0644]
testing/tests/ikev1/protoport-dual/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-dual/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-dual/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-dual/test.conf [new file with mode: 0644]
testing/tests/ikev1/protoport-pass/description.txt [new file with mode: 0644]
testing/tests/ikev1/protoport-pass/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-pass/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-pass/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-pass/test.conf [new file with mode: 0644]
testing/tests/ikev1/protoport-route/description.txt [new file with mode: 0644]
testing/tests/ikev1/protoport-route/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/protoport-route/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-route/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/protoport-route/test.conf [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/description.txt [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/req-pkcs10/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-cert/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-cert/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn-named/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-fqdn/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-ipv4/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-no-policy/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-no-policy/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-psk-rsa-mixed/test.conf [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-rsa-no-policy/test.conf [new file with mode: 0644]
testing/tests/ikev1/self-signed/description.txt [new file with mode: 0644]
testing/tests/ikev1/self-signed/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf [new file with mode: 0644]
testing/tests/ikev1/self-signed/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/self-signed/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/self-signed/test.conf [new file with mode: 0644]
testing/tests/ikev1/starter-also-loop/description.txt [new file with mode: 0644]
testing/tests/ikev1/starter-also-loop/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/starter-also-loop/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also-loop/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also-loop/test.conf [new file with mode: 0644]
testing/tests/ikev1/starter-also/description.txt [new file with mode: 0644]
testing/tests/ikev1/starter-also/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/starter-also/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-also/test.conf [new file with mode: 0644]
testing/tests/ikev1/starter-includes/description.txt [new file with mode: 0644]
testing/tests/ikev1/starter-includes/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections [new file with mode: 0644]
testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host [new file with mode: 0755]
testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol [new file with mode: 0644]
testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave [new file with mode: 0644]
testing/tests/ikev1/starter-includes/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-includes/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/starter-includes/test.conf [new file with mode: 0644]
testing/tests/ikev1/virtual-ip-swapped/description.txt [new file with mode: 0644]
testing/tests/ikev1/virtual-ip-swapped/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/virtual-ip-swapped/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip-swapped/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip-swapped/test.conf [new file with mode: 0644]
testing/tests/ikev1/virtual-ip/description.txt [new file with mode: 0644]
testing/tests/ikev1/virtual-ip/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/virtual-ip/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/virtual-ip/test.conf [new file with mode: 0644]
testing/tests/ikev1/wildcards/description.txt [new file with mode: 0644]
testing/tests/ikev1/wildcards/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wildcards/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/wildcards/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/wildcards/test.conf [new file with mode: 0644]
testing/tests/ikev1/wlan/description.txt [new file with mode: 0644]
testing/tests/ikev1/wlan/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev1/wlan/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/wlan/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/wlan/test.conf [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/description.txt [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/crl-revoked/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/test.conf [new file with mode: 0644]
testing/tests/ikev2/crl-strict/description.txt [new file with mode: 0644]
testing/tests/ikev2/crl-strict/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/crl-strict/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-strict/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/crl-strict/test.conf [new file with mode: 0644]
testing/tests/ikev2/default-keys/description.txt [new file with mode: 0644]
testing/tests/ikev2/default-keys/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables [new file with mode: 0755]
testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/default-keys/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/default-keys/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/default-keys/test.conf [new file with mode: 0644]
testing/tests/ikev2/host2host-cert/description.txt [new file with mode: 0644]
testing/tests/ikev2/host2host-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/host2host-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-cert/test.conf [new file with mode: 0644]
testing/tests/ikev2/host2host-swapped/description.txt [new file with mode: 0644]
testing/tests/ikev2/host2host-swapped/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/host2host-swapped/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-swapped/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/host2host-swapped/test.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-cert/description.txt [new file with mode: 0644]
testing/tests/ikev2/net2net-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/net2net-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-cert/test.conf [new file with mode: 0644]
testing/tests/ikev2/rw-cert/description.txt [new file with mode: 0644]
testing/tests/ikev2/rw-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-cert/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-cert/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-cert/test.conf [new file with mode: 0644]
testing/tests/ipv6/host2host-cert/description.txt [new file with mode: 0644]
testing/tests/ipv6/host2host-cert/evaltest.dat [new file with mode: 0644]
testing/tests/ipv6/host2host-cert/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ipv6/host2host-cert/hosts/sun/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ipv6/host2host-cert/posttest.dat [new file with mode: 0644]
testing/tests/ipv6/host2host-cert/pretest.dat [new file with mode: 0644]
testing/tests/ipv6/host2host-cert/test.conf [new file with mode: 0644]

diff --git a/testing/tests/ike/ikev2-ikev1-mixed/description.txt b/testing/tests/ike/ikev2-ikev1-mixed/description.txt
new file mode 100644 (file)
index 0000000..292e09d
--- /dev/null
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using the IKEv2 key exchange protocol whereas the roadwarrior <b>carol</b>
+negotiates the connection via the IKEv1 protocol.
+In order to test the established tunnels, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and roadwarrior <b>carol</b>
+pings the client <b>alice</b> behind <b>moon</b>.
+.
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/evaltest.dat b/testing/tests/ike/ikev2-ikev1-mixed/evaltest.dat
new file mode 100644 (file)
index 0000000..9227e6e
--- /dev/null
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*IKE_SA_ESTABLISHED::YES
+sun::ipsec statusall::net-net.*IKE_SA_ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ike/ikev2-ikev1-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..b72a3e9
--- /dev/null
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+
+conn net-net
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       rightsubnet=10.2.0.0/16
+       keyexchange=ikev2
+       auto=add
+
+conn rw
+       right=%any
+       rightid=carol@strongswan.org
+       keyexchange=ikev1
+       auto=add
+
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ike/ikev2-ikev1-mixed/hosts/sun/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..e5a9fe3
--- /dev/null
@@ -0,0 +1,15 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutostart=no
+
+conn net-net 
+       left=PH_IP_SUN
+       leftcert=sunCert.pem
+       leftid=@sun.strongswan.org
+       leftsubnet=10.2.0.0/16
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       keyexchange=ikev2
+       auto=add
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/posttest.dat b/testing/tests/ike/ikev2-ikev1-mixed/posttest.dat
new file mode 100644 (file)
index 0000000..0980371
--- /dev/null
@@ -0,0 +1,3 @@
+carol::ipsec stop
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/pretest.dat b/testing/tests/ike/ikev2-ikev1-mixed/pretest.dat
new file mode 100644 (file)
index 0000000..03b8dc2
--- /dev/null
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+carol::ipsec up home
+moon::sleep 1
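Review bot: The fixed `moon::sleep 1` before `moon::ipsec up net-net` leaves little margin for the daemons on sun to be ready, since three hosts are started just before it. The alg-* pretests in this commit wait `carol::sleep 2` after starting only two hosts. Unless the harness has its own readiness check (not visible here), `moon::sleep 2` would at least match the other tests and make a spurious failure less likely. The closing `moon::sleep 1` has to cover both the IKEv2 and the IKEv1 negotiation before evaltest.dat runs its status checks, so the same applies there.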
diff --git a/testing/tests/ike/ikev2-ikev1-mixed/test.conf b/testing/tests/ike/ikev2-ikev1-mixed/test.conf
new file mode 100644 (file)
index 0000000..983881e
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol moon sun"
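Review bot: `UMLHOSTS` omits carol, although `IPSECHOSTS` lists it and pretest.dat, evaltest.dat and posttest.dat of this test all run commands on carol. If the harness only boots the instances named in `UMLHOSTS`, as its comment suggests, the roadwarrior half of the test cannot run. The line should probably read `UMLHOSTS="alice moon carol winnetou sun bob"`, with `DIAGRAM` pointing to a picture that includes carol. A blank line before the `# UML instances on which tcpdump is to be started` comment would also match the other test.conf files in this commit.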
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
new file mode 100644 (file)
index 0000000..cff0a19
--- /dev/null
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
new file mode 100644 (file)
index 0000000..a9c9b80
--- /dev/null
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..04d5b97
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=blowfish256-sha2_512-modp4096!
+       esp=blowfish256-sha2_256!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
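Review bot: The `ike=blowfish256-sha2_512-modp4096!` and `esp=blowfish256-sha2_256!` lines have no comment saying that the proposal exists only to exercise Blowfish support, and description.txt calls the suite strong. Blowfish has a 64-bit block, so in CBC mode it reaches birthday-bound collisions after far less data than a 128-bit block cipher. That is harmless for a ping test with `keylife=20m`, but the value should not be copied into a production config. I would add `# test-only proposal: exercises Blowfish (64-bit block); not a recommended suite` above the two lines. The same applies to the moon ipsec.conf of this test.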
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..80163ff
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=blowfish256-sha2_512-modp4096!
+       esp=blowfish256-sha2_256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
new file mode 100644 (file)
index 0000000..6d2eeb5
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt
new file mode 100644 (file)
index 0000000..f49c0a1
--- /dev/null
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat
new file mode 100644 (file)
index 0000000..6b79253
--- /dev/null
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..09cd583
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=serpent256-sha2_512-modp4096!
+       esp=serpent256-sha2_256!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..ca1eb7b
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+       
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=serpent256-sha2_512-modp4096!
+       esp=serpent256-sha2_256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/ikev1/alg-serpent/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/ikev1/alg-serpent/pretest.dat
new file mode 100644 (file)
index 0000000..6d2eeb5
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/ikev1/alg-serpent/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt
new file mode 100644 (file)
index 0000000..900fcf0
--- /dev/null
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the rather strong cipher suite
+<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and 
+<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
new file mode 100644 (file)
index 0000000..9b4caa2
--- /dev/null
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..b10fb08
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=aes128-sha2_256-modp1536!
+       esp=aes128-sha2_256!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
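Review bot: `ike=aes128-sha2_256-modp1536!` pins the 1536-bit MODP group with the strict `!` flag, so neither side can negotiate a larger group, while the other alg-* tests in this commit use modp4096. If the aim is to test SHA2_256, the group could be raised, e.g. `ike=aes128-sha2_256-modp2048!`. The `MODP1536` patterns in evaltest.dat and the moon ipsec.conf of this test would need the same change. If the group is intentional, a comment such as `# modp1536 kept for test coverage only` would keep the value from being read as a recommendation.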
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..de83272
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha2_256-modp1536!
+       esp=aes128-sha2_256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-sha2_256/posttest.dat b/testing/tests/ikev1/alg-sha2_256/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha2_256/pretest.dat b/testing/tests/ikev1/alg-sha2_256/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha2_256/test.conf b/testing/tests/ikev1/alg-sha2_256/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt
new file mode 100644 (file)
index 0000000..0015561
--- /dev/null
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat
new file mode 100644 (file)
index 0000000..0568eec
--- /dev/null
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..95ddeb2
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=twofish256-sha2_512-modp4096!
+       esp=twofish256-sha2_256!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..2d79045
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=twofish256-sha2_512-modp4096!
+       esp=twofish256-sha2_256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev1/alg-twofish/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt
new file mode 100644 (file)
index 0000000..b7f809c
--- /dev/null
@@ -0,0 +1,7 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
+is granted to members of the group 'Research' whereas <b>venus</b> can only
+be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
+<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
\ No newline at end of file
diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat
new file mode 100644 (file)
index 0000000..59f6eb7
--- /dev/null
@@ -0,0 +1,12 @@
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..eae6696
--- /dev/null
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+
+conn alice
+       rightsubnet=PH_IP_ALICE/32
+       auto=add
+       
+conn venus
+       rightsubnet=PH_IP_VENUS/32
+       auto=add
+
+
+
+
+
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..9897841
--- /dev/null
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_DAVE
+       leftnexthop=%direct
+       leftcert=daveCert.pem
+       leftid=dave@strongswan.org
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+
+conn alice
+       rightsubnet=PH_IP_ALICE/32
+       auto=add
+       
+conn venus
+       rightsubnet=PH_IP_VENUS/32
+       auto=add
+
+
+
+
+
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..6c16db5
--- /dev/null
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+
+conn alice
+       leftsubnet=PH_IP_ALICE/32
+       right=%any
+       rightgroups=Research
+       auto=add
+       
+conn venus
+       leftsubnet=PH_IP_VENUS/32
+       right=%any
+       rightgroups="Accounting, Sales"
+       auto=add
+       
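Review bot: Nothing in this file says where the group membership checked by `rightgroups` comes from, and both conns use `right=%any` with no `rightid`, so the attribute certificates are the only thing separating access to alice from access to venus. A comment above `conn alice` such as `# group membership comes from the attribute certificates issued in pretest.dat (/etc/ipsec.d/acerts)` would make that dependency explicit. Neither AC issued in pretest.dat carries 'Sales', so `rightgroups="Accounting, Sales"` is only exercised for its first entry. A case matching the second entry would cover the list handling.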
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
new file mode 100644 (file)
index 0000000..3c5c5d9
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
new file mode 100644 (file)
index 0000000..209b48f
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
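Review bot: The attribute-authority signing key is added with mode 100644, so it is world-readable in the tree and, if the harness preserves modes when copying host files, on moon as well. Since default.conf passes it to openac via `--key /etc/openac/aaKey.pem`, anyone who can read it could issue attribute certificates for any group in this testbed. Tightening it in pretest.dat with `moon::chmod 600 /etc/openac/aaKey.pem` before the first `ipsec openac` call would mirror how a real AA key should be handled. The key should also be treated as a public test fixture and never reused outside the test environment.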
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
new file mode 100644 (file)
index 0000000..8492fbd
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
new file mode 100644 (file)
index 0000000..abd1554
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
new file mode 100644 (file)
index 0000000..134218e
--- /dev/null
@@ -0,0 +1,4 @@
+--cert /etc/ipsec.d/aacerts/aaCert.pem
+--key /etc/openac/aaKey.pem
+--quiet
+--hours 8
diff --git a/testing/tests/ikev1/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat
new file mode 100644 (file)
index 0000000..a59c3ff
--- /dev/null
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/openac/*
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
+moon::rm /etc/ipsec.d/acerts/*
diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat
new file mode 100644 (file)
index 0000000..b3fecaf
--- /dev/null
@@ -0,0 +1,12 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::cat /etc/openac/default.conf
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/ikev1/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf
new file mode 100644 (file)
index 0000000..08e5cc1
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/compress/description.txt b/testing/tests/ikev1/compress/description.txt
new file mode 100644 (file)
index 0000000..4782983
--- /dev/null
@@ -0,0 +1,3 @@
+This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
+the established tunnel with compression.
diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat
new file mode 100644 (file)
index 0000000..ff72e17
--- /dev/null
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::policy.*COMPRESS::YES
+carol::ipsec statusall::policy.*COMPRESS::YES
+moon::ipsec statusall::comp.::YES
+carol::ipsec statusall::comp.::YES
+carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
+
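Review bot: The pattern `comp.` in the two `ipsec statusall` checks has an unescaped dot, so it matches "comp" followed by any character and could pass on unrelated output even when no IPCOMP SA exists. If the intent is to match the IPCOMP SA entry in the status output, escape the dot: `moon::ipsec statusall::comp\.::YES` and likewise for carol. The other patterns in this file use `.*` as a regex, which suggests the evaluator treats the field as a regular expression, though the evaluator itself is not visible here.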
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..abf3049
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       compress=yes
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..855718f
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       compress=yes
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/compress/posttest.dat b/testing/tests/ikev1/compress/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
new file mode 100644 (file)
index 0000000..fd33cfb
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt
new file mode 100644 (file)
index 0000000..17866f5
--- /dev/null
@@ -0,0 +1,5 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
+an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
+their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
+the certificate received from their peer.
diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat
new file mode 100644 (file)
index 0000000..dd200c8
--- /dev/null
@@ -0,0 +1,10 @@
+moon::cat /var/log/auth.log::loaded crl file::YES
+carol::cat /var/log/auth.log::loaded crl file::YES
+moon::cat /var/log/auth.log::X.509 certificate rejected::NO
+carol::cat /var/log/auth.log::X.509 certificate rejected::NO
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file::NO
+carol::cat /var/log/auth.log::written crl file::NO
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..59cbe67
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       cachecrls=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+
+conn home
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..9a2efb7
--- /dev/null
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       cachecrls=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+
+conn net-net
+       leftsubnet=10.1.0.0/16
+       right=PH_IP_SUN
+       rightsubnet=10.2.0.0/16
+       rightid=@sun.strongswan.org
+       auto=add
+        
+conn host-host
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       auto=add
+
+conn rw
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat
new file mode 100644 (file)
index 0000000..be17847
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat
new file mode 100644 (file)
index 0000000..acdb265
--- /dev/null
@@ -0,0 +1,8 @@
+moon::wget -q http://crl.strongswan.org/strongswan.crl
+moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+carol::wget -q http://crl.strongswan.org/strongswan.crl
+carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt
new file mode 100644 (file)
index 0000000..02dc0cb
--- /dev/null
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
+available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
+because the web server is currently not reachable. Thus the second Main Mode negotiation
+fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
+is triggered. When the third Main Mode trial comes around, the fetched CRL has become
+available and the IKE negotiation completes. The new CRL is again cached locally as a
+file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
new file mode 100644 (file)
index 0000000..2b98e08
--- /dev/null
@@ -0,0 +1,16 @@
+moon::cat /var/log/auth.log::loaded crl file::YES
+carol::cat /var/log/auth.log::loaded crl file::YES
+moon::cat /var/log/auth.log::crl update is overdue::YES
+carol::cat /var/log/auth.log::crl update is overdue::YES
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::cat /var/log/auth.log::Trying LDAP URL::YES
+carol::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file::YES
+carol::cat /var/log/auth.log::written crl file::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..571459b
--- /dev/null
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+       # allow esp
+       iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow ldap crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
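Review bot: The LDAP exception in start() is stateless: the INPUT rule accepts any TCP segment from PH_IP_WINNETOU with source port 389, regardless of destination port or whether carol opened the connection. Restricting it to replies keeps the default-DROP policy meaningful, e.g. `iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -m state --state ESTABLISHED -j ACCEPT`. The identical rule in moon's etc/init.d/iptables has the same gap.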
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..40e32f1
--- /dev/null
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       cachecrls=yes
+       charonstart=no
+
+ca strongswan
+       cacert=strongswanCert.pem
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       auto=add
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=2
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
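Review bot: `keyingtries=2` in `conn %default` looks inconsistent with description.txt, which says the negotiation only completes on the third Main Mode trial, after the expired cache and the failed HTTP fetch. If keyingtries bounds the number of negotiation attempts, the test passes only when the LDAP fetch finishes before the second attempt, which would make it timing-dependent. Either raise it to `keyingtries=3` or correct the description, whichever matches the observed behaviour. moon's ipsec.conf for this test uses the same value.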
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644 (file)
index 0000000..75e8b09
Binary files /dev/null and b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..8de514a
--- /dev/null
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # enable IP forwarding
+       echo 1 > /proc/sys/net/ipv4/ip_forward
+       
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+       # allow esp
+       iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow ldap crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
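Review bot: start() enables `ip_forward` and sets the FORWARD policy to DROP, but it adds no FORWARD rule, so the script alone would forward nothing. Tunnelled traffic presumably relies on `leftfirewall=yes` in moon's ipsec.conf to insert the rules when the SA comes up, but nothing here says so. A comment next to the policy lines such as `# FORWARD rules for tunnelled traffic are added by the updown script (leftfirewall=yes)` would stop a reader from "fixing" this with a blanket FORWARD ACCEPT.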
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..eaaaa3f
--- /dev/null
@@ -0,0 +1,41 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       cachecrls=yes
+       charonstart=no
+
+ca strongswan
+       cacert=strongswanCert.pem
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       auto=add
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=2
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftfirewall=yes
+
+conn net-net
+       leftsubnet=10.1.0.0/16
+       right=PH_IP_SUN
+       rightsubnet=10.2.0.0/16
+       rightid=@sun.strongswan.org
+       auto=add
+        
+conn host-host
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       auto=add
+
+conn rw
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644 (file)
index 0000000..75e8b09
Binary files /dev/null and b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ
diff --git a/testing/tests/ikev1/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat
new file mode 100644 (file)
index 0000000..04f7623
--- /dev/null
@@ -0,0 +1,9 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat
new file mode 100644 (file)
index 0000000..64fae2a
--- /dev/null
@@ -0,0 +1,7 @@
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt
new file mode 100644 (file)
index 0000000..780068c
--- /dev/null
@@ -0,0 +1,7 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current CRL is available, the Main Mode negotiation fails
+and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
+When the second Main Mode trial comes around the fetched CRL will be available
+but because the certificate presented by carol has been revoked,
+the IKE negotatiation will fail.
diff --git a/testing/tests/ikev1/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat
new file mode 100644 (file)
index 0000000..0fd1cae
--- /dev/null
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::certificate was revoked::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..6b4650f
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolRevokedCert.pem
+       leftid=carol@strongswan.org
+
+conn home
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644 (file)
index 0000000..5b742fc
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644 (file)
index 0000000..8aefcc5
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..8e31be4
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolRevokedKey.pem
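Review bot: Nothing in this file marks `carolRevokedKey.pem` as a throwaway fixture. The entry `: RSA carolRevokedKey.pem` carries no passphrase, so the private key added alongside it appears to be stored unencrypted in the repository. A header comment such as `# test fixture only - key of a deliberately revoked certificate, never reuse outside the test suite` would keep the key pair from being copied into a real setup. posttest.dat already removes it from carol's /etc/ipsec.d/private after the run, which is worth keeping.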
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..143bace
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+
+conn net-net
+       leftsubnet=10.1.0.0/16
+       right=PH_IP_SUN
+       rightsubnet=10.2.0.0/16
+       rightid=@sun.strongswan.org
+       auto=add
+        
+conn host-host
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       auto=add
+
+conn rw
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat
new file mode 100644 (file)
index 0000000..d742e84
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat
new file mode 100644 (file)
index 0000000..d92333d
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt
new file mode 100644 (file)
index 0000000..9701148
--- /dev/null
@@ -0,0 +1,6 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current CRL is available, the Main Mode negotiation fails
+but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
+When the second Main Mode trial comes around, the fetched CRL will be available
+and the IKE negotiation completes.
diff --git a/testing/tests/ikev1/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat
new file mode 100644 (file)
index 0000000..1d7adb0
--- /dev/null
@@ -0,0 +1,8 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..93bd807
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+
+conn home
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..143bace
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+
+conn net-net
+       leftsubnet=10.1.0.0/16
+       right=PH_IP_SUN
+       rightsubnet=10.2.0.0/16
+       rightid=@sun.strongswan.org
+       auto=add
+        
+conn host-host
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       auto=add
+
+conn rw
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/crl-strict/posttest.dat b/testing/tests/ikev1/crl-strict/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/crl-strict/pretest.dat b/testing/tests/ikev1/crl-strict/pretest.dat
new file mode 100644 (file)
index 0000000..d92333d
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt
new file mode 100644 (file)
index 0000000..9f542e7
--- /dev/null
@@ -0,0 +1,6 @@
+By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
+via http from the web server <b>winnetou</b> is saved locally in the
+directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
+and the gateway <b>moon</b> when the IPsec connection is set up. The
+<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
+is used as a unique filename for the cached CRL. 
diff --git a/testing/tests/ikev1/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat
new file mode 100644 (file)
index 0000000..be77371
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..e64a8fb
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       cachecrls=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+
+conn home
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..666fc06
--- /dev/null
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       cachecrls=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+
+conn rw
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat
new file mode 100644 (file)
index 0000000..be17847
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat
new file mode 100644 (file)
index 0000000..d92333d
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt
new file mode 100644 (file)
index 0000000..639e909
--- /dev/null
@@ -0,0 +1,8 @@
+Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
+and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
+and a self-signed X.509 certificate. Because the UML testing environment does
+not offer enough entropy, the non-blocking /dev/urandom device is used in place
+of /dev/random for generating the random primes.
+<p>
+The self-signed certificates are then distributed to the peers via scp
+and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/default-keys/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat
new file mode 100644 (file)
index 0000000..a18e399
--- /dev/null
@@ -0,0 +1,9 @@
+carol::cat /var/log/auth.log::scepclient::YES
+moon::cat /var/log/auth.log::scepclient::YES
+carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
+moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..0ec9d47
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=0
+       strictcrlpolicy=no
+       nocrsend=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=selfCert.der
+       leftsendcert=never
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightcert=peerCert.der
+       auto=add
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..13ad306
--- /dev/null
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # enable IP forwarding
+       echo 1 > /proc/sys/net/ipv4/ip_forward
+       
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+       # allow esp
+       iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
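Review bot: The ssh rule `iptables -A INPUT -p tcp --sport 22 -j ACCEPT` in start() matches on the source port alone, with no interface, address or connection-state condition, so under the DROP policy inbound TCP with source port 22 is accepted whatever its destination port. The rule is presumably meant to admit replies to ssh/scp sessions opened from this host, and a state match expresses that directly: `iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT`. The winnetou rule for `--sport 80` has the same stateless shape but is at least pinned to one source address and interface. Separately, start() and stop() pass only the exit status of their last command to `eend $?`, so an earlier iptables failure goes unreported.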
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..ed1b405
--- /dev/null
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=0
+       strictcrlpolicy=no
+       nocrsend=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn carol
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=selfCert.der
+       leftsendcert=never
+       leftfirewall=yes
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightcert=peerCert.der
+       auto=add
+
diff --git a/testing/tests/ikev1/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat
new file mode 100644 (file)
index 0000000..52b48b9
--- /dev/null
@@ -0,0 +1,10 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat
new file mode 100644 (file)
index 0000000..54f70cb
--- /dev/null
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.secrets
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+moon::sleep 4 
+moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
+moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
+moon::ipsec reload 
+carol::ipsec reload 
+carol::ipsec up home
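Review bot: The fixed `moon::sleep 4` is the only thing separating `ipsec start` from the scp of `selfCert.der`, although the test description says the keys are generated at start-up in an environment short of entropy. If generation takes longer on either host, the scp has nothing to copy and the later `ipsec reload` runs without the pinned `peerCert.der`, which makes the failure hard to read. Waiting for the file would be more robust, for example `moon::until [ -s /etc/ipsec.d/certs/selfCert.der ]; do sleep 1; done` with an upper bound, and the equivalent on carol before the second scp. This assumes the harness hands each command to a shell, as the redirections in the other lines suggest.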
diff --git a/testing/tests/ikev1/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf
new file mode 100644 (file)
index 0000000..0baa48d
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/double-nat-net/description.txt b/testing/tests/ikev1/double-nat-net/description.txt
new file mode 100644 (file)
index 0000000..ff09155
--- /dev/null
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
+tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
+directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
+using destination NAT.  UDP encapsulation is used to traverse the NAT routers.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
new file mode 100644 (file)
index 0000000..d00613c
--- /dev/null
@@ -0,0 +1,5 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..5c07637
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       nat_traversal=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+               
+conn nat-t
+       left=%defaultroute
+       leftcert=aliceCert.pem
+       leftid=alice@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_SUN
+       rightid=bob@strongswan.org
+       rightsubnet=10.2.0.0/16
+       auto=add
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..e79b2ca
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       nat_traversal=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn nat-t
+       left=%defaultroute
+       leftsubnet=10.2.0.0/16
+       leftcert=bobCert.pem
+       leftid=bob@strongswan.org
+       leftfirewall=yes
+       right=%any
+       rightsubnetwithin=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
new file mode 100644 (file)
index 0000000..0eb2c0d
--- /dev/null
@@ -0,0 +1,9 @@
+alice::iptables -v -n -L
+bob::iptables -v -n -L
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
+sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
new file mode 100644 (file)
index 0000000..84bc150
--- /dev/null
@@ -0,0 +1,15 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+bob::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+sun::ip route add 10.1.0.0/16 via PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+
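Review bot: The DNAT rule on sun, `-s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB`, forwards every UDP datagram arriving from moon to bob, not only the IKE and NAT-T traffic the description talks about. Restricting it to those ports keeps the NAT router from exposing bob's other UDP services: `sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -m multiport --dports 500,4500 -j DNAT --to-destination PH_IP_BOB`. double-nat/pretest.dat contains the identical rule. In addition, `ip_forward` is switched on for bob here and posttest.dat never resets it, so the setting may leak into later tests unless the harness restores it.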
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
new file mode 100644 (file)
index 0000000..1ca2ffe
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/double-nat/description.txt b/testing/tests/ikev1/double-nat/description.txt
new file mode 100644 (file)
index 0000000..ce7de0e
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
+the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to
+traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based
+firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings <b>bob</b>.
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
new file mode 100644 (file)
index 0000000..05e7514
--- /dev/null
@@ -0,0 +1,5 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..3533c3f
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       nat_traversal=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+               
+conn nat-t
+       left=%defaultroute
+       leftcert=aliceCert.pem
+       leftid=alice@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_SUN
+       rightid=bob@strongswan.org
+       rightsubnet=PH_IP_BOB/32
+       auto=add
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
new file mode 100644 (file)
index 0000000..07f22d0
--- /dev/null
@@ -0,0 +1,8 @@
+alice::iptables -v -n -L
+bob::iptables -v -n -L
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
new file mode 100644 (file)
index 0000000..cf495b7
--- /dev/null
@@ -0,0 +1,13 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
new file mode 100644 (file)
index 0000000..1ca2ffe
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
new file mode 100644 (file)
index 0000000..f76b2d7
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
+which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
+When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
+<b>moon</b> clears the connection after the configured timeout of 30 s.
+
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
new file mode 100644 (file)
index 0000000..98d5b14
--- /dev/null
@@ -0,0 +1,7 @@
+carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::sleep 50::no output expected::NO
+moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
+moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
+moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
+moon::cat /var/log/auth.log::DPD: Clearing connection::YES
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..2812935
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       dpdaction=clear
+       dpddelay=10
+       dpdtimeout=30
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
+
+
+
diff --git a/testing/tests/ikev1/dpd-clear/posttest.dat b/testing/tests/ikev1/dpd-clear/posttest.dat
new file mode 100644 (file)
index 0000000..931db42
--- /dev/null
@@ -0,0 +1,3 @@
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat
new file mode 100644 (file)
index 0000000..14ed953
--- /dev/null
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
new file mode 100644 (file)
index 0000000..c7918fa
--- /dev/null
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
+marks all incoming AH packets with the ESP mark. The transport mode connection is
+tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
new file mode 100644 (file)
index 0000000..7c498ad
--- /dev/null
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
+carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
+moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
+moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..8c88175
--- /dev/null
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+        # allow AH
+       iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+                       
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
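Review bot: The CRL-fetch rule in start(), `iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT`, is stateless. It accepts any TCP segment from winnetou with source port 80 to every local port, not only replies to the host's own HTTP request. A connection-state match keeps the intent: `iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m state --state ESTABLISHED,RELATED -j ACCEPT`, assuming the state match is available in the UML kernel. The same rule appears in the moon copy of this script and in both esp-ah-tunnel copies.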
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..21f5670
--- /dev/null
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       auth=ah
+       ike=aes128-sha
+       esp=aes128-sha1
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       type=transport
+       auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..3e89225
--- /dev/null
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # enable IP forwarding
+       echo 1 > /proc/sys/net/ipv4/ip_forward
+       
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+       # allow AH
+       iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..274a1aa
--- /dev/null
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       auth=ah
+       ike=aes128-sha
+       esp=aes128-sha1
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftfirewall=yes
+       right=%any
+       rightid=carol@strongswan.org
+       type=transport
+       auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat
new file mode 100644 (file)
index 0000000..2684821
--- /dev/null
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat
new file mode 100644 (file)
index 0000000..bd68efb
--- /dev/null
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+sleep 2
+carol::ipsec up home
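Review bot: The line `sleep 2` has no `host::` prefix, unlike every other entry in this file and the `carol::sleep 2` used by the neighbouring tests. How the harness treats an entry without a host is not visible here, but the wait may be skipped or misparsed, and then `carol::ipsec up home` can race the daemon start-up. Writing it as `carol::sleep 2` matches the other pretest files. esp-ah-tunnel/pretest.dat carries the same line.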
diff --git a/testing/tests/ikev1/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf
new file mode 100644 (file)
index 0000000..fd33cfb
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
new file mode 100644 (file)
index 0000000..809f28c
--- /dev/null
@@ -0,0 +1,6 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
+marks all incoming AH packets with the ESP mark. The tunnel mode connection is
+tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind 
+gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
new file mode 100644 (file)
index 0000000..8f4a996
--- /dev/null
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
+moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
+moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..8c88175
--- /dev/null
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+        # allow AH
+       iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+                       
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..8c72a7b
--- /dev/null
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       auth=ah
+       ike=aes128-sha
+       esp=aes128-sha1
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
new file mode 100755 (executable)
index 0000000..3e89225
--- /dev/null
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+       before net
+       need logger
+}
+
+start() {
+       ebegin "Starting firewall"
+
+       # enable IP forwarding
+       echo 1 > /proc/sys/net/ipv4/ip_forward
+       
+       # default policy is DROP
+       /sbin/iptables -P INPUT DROP
+       /sbin/iptables -P OUTPUT DROP
+       /sbin/iptables -P FORWARD DROP
+
+       # allow AH
+       iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+
+       # allow IKE
+       iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+       # allow crl fetch from winnetou
+       iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+       iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+       # allow ssh
+       iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+       eend $?
+}
+
+stop() {
+       ebegin "Stopping firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+       
+                       if [ $a == nat ]; then
+                               /sbin/iptables -t nat -P PREROUTING ACCEPT
+                               /sbin/iptables -t nat -P POSTROUTING ACCEPT
+                               /sbin/iptables -t nat -P OUTPUT ACCEPT
+                       elif [ $a == mangle ]; then
+                               /sbin/iptables -t mangle -P PREROUTING ACCEPT
+                               /sbin/iptables -t mangle -P INPUT ACCEPT
+                               /sbin/iptables -t mangle -P FORWARD ACCEPT
+                               /sbin/iptables -t mangle -P OUTPUT ACCEPT
+                               /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+                       elif [ $a == filter ]; then
+                               /sbin/iptables -t filter -P INPUT ACCEPT
+                               /sbin/iptables -t filter -P FORWARD ACCEPT
+                               /sbin/iptables -t filter -P OUTPUT ACCEPT
+                       fi
+               done
+       eend $?
+}
+
+reload() {
+       ebegin "Flushing firewall"
+               for a in `cat /proc/net/ip_tables_names`; do
+                       /sbin/iptables -F -t $a
+                       /sbin/iptables -X -t $a
+               done;
+        eend $?
+       start
+}
+
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..ccf8e91
--- /dev/null
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       auth=ah
+       ike=aes128-sha
+       esp=aes128-sha1
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       leftfirewall=yes
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
new file mode 100644 (file)
index 0000000..2684821
--- /dev/null
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
new file mode 100644 (file)
index 0000000..bd68efb
--- /dev/null
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
new file mode 100644 (file)
index 0000000..fd33cfb
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt
new file mode 100644 (file)
index 0000000..9546569
--- /dev/null
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must
+explicitly accept the choice of this insecure algorithm by setting the strict
+flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> 
+sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
new file mode 100644 (file)
index 0000000..8e06392
--- /dev/null
@@ -0,0 +1,6 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..b8ef03c
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-md5-modp1024!
+       esp=des-md5!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
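Review bot: Nothing in this ipsec.conf says that `ike=3des-md5-modp1024!` and `esp=des-md5!` are deliberately weak; only description.txt calls the algorithm insecure. A comment above the two lines, such as `# single DES and MD5 are insecure; enabled here only to exercise the strict flag`, would keep the file from being copied as a working example. The moon configuration of this test and the `esp=null-sha1!` lines in the esp-alg-null configurations would take the same comment, naming NULL encryption instead.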
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..3ac0bf4
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=3des-md5-modp1024!
+       esp=des-md5!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt
new file mode 100644 (file)
index 0000000..7880a79
--- /dev/null
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must
+explicitly accept the choice of this insecure algorithm by setting the strict
+flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> 
+sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
new file mode 100644 (file)
index 0000000..de2f2a5
--- /dev/null
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
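Review bot: The two `ipsec statusall` checks separate `ESP algorithm newest` from `NULL_0-HMAC_SHA1` with `::`, which is the field delimiter of this file, so each line has five fields instead of four. Assuming the harness reads the third field as the pattern and the fourth as YES/NO, the check only matches `ESP algorithm newest` and never verifies that NULL encryption was negotiated. The esp-alg-des test uses a colon and a space at this position; the lines should read `moon::ipsec statusall::ESP algorithm newest: NULL_0-HMAC_SHA1::YES` and likewise for carol.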
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..7a8ae37
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=aes-128-sha
+       esp=null-sha1!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..187a3fb
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha!
+       esp=null-sha1!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
new file mode 100644 (file)
index 0000000..f5aa989
--- /dev/null
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
new file mode 100644 (file)
index 0000000..03c6554
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
new file mode 100644 (file)
index 0000000..6f2024f
--- /dev/null
@@ -0,0 +1,9 @@
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
+carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
+moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
+moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
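Review bot: The negative check on moon, `rw.*STATE_QUICK_R2.*ISAKMP SA established::NO`, pairs the Quick Mode state with the Main Mode message. The other tests on this page expect `STATE_QUICK_R2.*IPsec SA established`, so this pattern probably never matches, and the `NO` would hold even if the IPsec SA had been established despite the strict flag. To mirror the carol check two lines above, it should read `moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO`.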
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..4ed2fb6
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-sha
+       esp=3des-sha1
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..f8c27ad
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha
+       esp=aes128-sha1!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat
new file mode 100644 (file)
index 0000000..f5aa989
--- /dev/null
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
new file mode 100644 (file)
index 0000000..b4fc082
--- /dev/null
@@ -0,0 +1,7 @@
+Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with
+SHA-1 authentication) in the first place and <b>AES-128</b> encryption in
+second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed
+by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by applying the strict flag '!'.
+
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
new file mode 100644 (file)
index 0000000..d5dd12d
--- /dev/null
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
+carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..da86d14
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-sha,aes-128-sha
+       esp=3des-sha1,aes-128-sha1
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..f8c27ad
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha
+       esp=aes128-sha1!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat
new file mode 100644 (file)
index 0000000..f5aa989
--- /dev/null
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
new file mode 100644 (file)
index 0000000..ffb6882
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication
+as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
+not use an explicit <b>esp</b> statement any strong encryption algorithm will be
+accepted but any weak key length will be rejected by default and thus the ISAKMP SA
+is bound to fail.
diff --git a/testing/tests/ikev1/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat
new file mode 100644 (file)
index 0000000..72b14e8
--- /dev/null
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES
+moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..b8ef03c
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-md5-modp1024!
+       esp=des-md5!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..691b6b7
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
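Review bot: The first line enables IP forwarding on moon, but this test expects the IPsec SA to be refused and evaltest.dat sends no traffic through the gateway, so the setting looks unneeded here. Neither this test's posttest.dat nor that of ike-alg-sha2_512 (whose pretest.dat has the same line) resets it. If the UML instance keeps its state between tests, a later test could pass only because forwarding was left on. Dropping the line here, or adding `moon::echo 0 > /proc/sys/net/ipv4/ip_forward` to posttest.dat, would keep the tests independent.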
diff --git a/testing/tests/ikev1/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/host2host-cert/description.txt b/testing/tests/ikev1/host2host-cert/description.txt
new file mode 100644 (file)
index 0000000..6be21bf
--- /dev/null
@@ -0,0 +1,4 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
new file mode 100644 (file)
index 0000000..d19f970
--- /dev/null
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
new file mode 100644 (file)
index 0000000..5297950
--- /dev/null
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
new file mode 100644 (file)
index 0000000..3536fd8
--- /dev/null
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
new file mode 100644 (file)
index 0000000..cf2e704
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt
new file mode 100644 (file)
index 0000000..34cfe43
--- /dev/null
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
+swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat
new file mode 100644 (file)
index 0000000..d19f970
--- /dev/null
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..10597bc
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn host-host
+       right=PH_IP_MOON
+       rightnexthop=%direct
+       rightcert=moonCert.pem
+       rightid=@moon.strongswan.org
+       rightfirewall=yes
+       left=PH_IP_SUN
+       leftid=@sun.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..45121d9
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       nat_traversal=yes
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn host-host
+       right=PH_IP_SUN
+       rightnexthop=%direct
+       rightcert=sunCert.pem
+       rightfirewall=yes
+       rightid=@sun.strongswan.org
+       left=PH_IP_MOON
+       leftid=@moon.strongswan.org
+       auto=add
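Review bot: `nat_traversal=yes` in `config setup` is set only on sun; moon's ipsec.conf for the same test omits it, and neither description.txt nor evaltest.dat involves NAT. If it is a leftover from another scenario, removing it keeps the two peers' configurations symmetric, so that the left/right swap is the only thing this test varies. If it is intended, a short comment above the line saying why sun needs NAT traversal would stop it from being copied into other test configs unexamined.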
diff --git a/testing/tests/ikev1/host2host-swapped/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat
new file mode 100644 (file)
index 0000000..5297950
--- /dev/null
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat
new file mode 100644 (file)
index 0000000..e2d98f2
--- /dev/null
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf
new file mode 100644 (file)
index 0000000..cf2e704
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-transport/description.txt b/testing/tests/ikev1/host2host-transport/description.txt
new file mode 100644 (file)
index 0000000..fe3482c
--- /dev/null
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
new file mode 100644 (file)
index 0000000..d19f970
--- /dev/null
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..44ac885
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+
+conn host-host
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftfirewall=yes
+       right=PH_IP_SUN
+       rightid=@sun.strongswan.org
+       type=transport
+       auto=add
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..a89e799
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+
+conn host-host
+       left=PH_IP_SUN
+       leftcert=sunCert.pem
+       leftid=@sun.strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       type=transport
+       auto=add
+
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
new file mode 100644 (file)
index 0000000..5297950
--- /dev/null
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
new file mode 100644 (file)
index 0000000..e2d98f2
--- /dev/null
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
new file mode 100644 (file)
index 0000000..cf2e704
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
new file mode 100644 (file)
index 0000000..1bec4b8
--- /dev/null
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite
+<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and
+<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
new file mode 100644 (file)
index 0000000..dbd3542
--- /dev/null
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
+moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..8b1052f
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=aes256-sha2_512-modp8192!
+       esp=aes256-sha2_256!
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..62b93c4
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug="control crypt"
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes256-sha2_512-modp8192!
+       esp=aes256-sha2_256!
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
new file mode 100644 (file)
index 0000000..7d077c1
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/test.conf b/testing/tests/ikev1/ike-alg-sha2_512/test.conf
new file mode 100644 (file)
index 0000000..a6c8f02
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
new file mode 100644 (file)
index 0000000..03c6554
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
new file mode 100644 (file)
index 0000000..931b885
--- /dev/null
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
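Review bot: These checks expect Phase 1 itself to fail (`ISAKMP SA established::NO`, `Oakley Transform.*refused due to strict flag`), but the description.txt added for this test has the same blob id (03c6554) as the esp-alg-strict-fail one. It still says Phase 1 succeeds and that the strict flag is on `esp=aes-128-sha1!`. The description should state that moon enforces `ike=aes-128-sha!` with the strict flag, so carol's 3DES/SHA-1 proposal is refused and no ISAKMP SA is established. As written, a reader of the description would conclude that the strict ESP setting is being exercised when it is the strict IKE setting.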
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..4ed2fb6
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-sha
+       esp=3des-sha1
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..1a8b0b9
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha!
+       esp=aes128-sha1
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
new file mode 100644 (file)
index 0000000..f5aa989
--- /dev/null
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf
new file mode 100644 (file)
index 0000000..7e78488
--- /dev/null
@@ -0,0 +1,21 @@
+##!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
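Review bot: The first line of this file reads `##!/bin/bash`, which is a plain comment rather than a shebang; the other test.conf files in this commit start with `#!/bin/bash`. The file is added with mode 100644 and is presumably sourced by the test harness, so nothing breaks. The line should still be `#!/bin/bash` so the file stays identical to its siblings.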
diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
new file mode 100644 (file)
index 0000000..35d266e
--- /dev/null
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place
+and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA.
+The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', 
+but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
+defines itself <b>esp=aes-128-sha1</b> only.
diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
new file mode 100644 (file)
index 0000000..46140be
--- /dev/null
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
+moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
+carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..da86d14
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       ike=3des-sha,aes-128-sha
+       esp=3des-sha1,aes-128-sha1
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..1a8b0b9
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       leftnexthop=%direct
+       ike=aes128-sha!
+       esp=aes128-sha1
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat
new file mode 100644 (file)
index 0000000..f5aa989
--- /dev/null
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
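Review bot: The only thing ensuring moon's daemon is ready before `carol::ipsec up home` is the fixed `carol::sleep 2`, and carol's ipsec.conf sets `keyingtries=1`, so on a slow host a single lost initiation presumably fails the test rather than being retried. Starting the responder first gives it the most time at no cost: `moon::ipsec start`, then `carol::ipsec start`, then `carol::sleep 2`. The same ordering appears in mode-config-swapped/pretest.dat, where dave's `ipsec up home` depends on the same two-second sleep.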
diff --git a/testing/tests/ikev1/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt
new file mode 100644 (file)
index 0000000..e29e6f6
--- /dev/null
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with
+swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat
new file mode 100644 (file)
index 0000000..be8ca6e
--- /dev/null
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES
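Review bot: The first carol and dave checks hard-code `10.3.0.1` and `10.3.0.2`, while moon's ipsec.conf and posttest.dat for this test name the same virtual addresses through `PH_IP_CAROL1` and `PH_IP_DAVE1`. Placeholders are evidently expanded in this file (`PH_IP_ALICE` is used two lines below), so `carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES` and the matching dave line would keep the expectation tied to the configured address. If the third field is treated as a regular expression, as the `.*` in the status checks suggests, the unescaped dots in the literal address also match more than intended. mode-config/evaltest.dat has the same blob id and the same lines.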
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..3bcc0ff
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn home
+       right=PH_IP_CAROL
+       rightsourceip=%modeconfig
+       rightnexthop=%direct
+       rightcert=carolCert.pem
+       rightid=carol@strongswan.org
+       rightfirewall=yes
+       left=PH_IP_MOON
+       leftsubnet=10.1.0.0/16
+       leftid=@moon.strongswan.org
+       auto=add
+
+
+
+
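Review bot: Nothing in the file tells a reader that `right` is the local end here, which reverses the convention used by the other configurations in this commit and is easy to misread when checking which side `rightfirewall=yes` and `rightsourceip=%modeconfig` apply to. A leading comment such as `# swapped ends: right = local (carol), left = remote gateway (moon)` would make that explicit; dave's and moon's files for this test would benefit from the same line. The hunk also ends in four empty added lines after `auto=add`, as do dave's file and the carol and dave files of the mode-config test; I would drop them.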
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..7933ef1
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn home
+       right=PH_IP_DAVE
+       rightsourceip=%modeconfig
+       rightnexthop=%direct
+       rightcert=daveCert.pem
+       rightid=dave@strongswan.org
+       rightfirewall=yes
+       left=PH_IP_MOON
+       leftsubnet=10.1.0.0/16
+       leftid=@moon.strongswan.org
+       auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..53b81a5
--- /dev/null
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightsourceip=PH_IP_MOON1
+       rightnexthop=%direct
+       rightcert=moonCert.pem
+       rightid=@moon.strongswan.org
+       rightfirewall=yes
+
+conn rw-carol
+       left=%any
+       leftid=carol@strongswan.org
+       leftsourceip=PH_IP_CAROL1
+       auto=add
+
+conn rw-dave
+       left=%any
+       leftid=dave@strongswan.org
+       leftsourceip=PH_IP_DAVE1
+       auto=add
diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat
new file mode 100644 (file)
index 0000000..f5fa1f3
--- /dev/null
@@ -0,0 +1,11 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat
new file mode 100644 (file)
index 0000000..1e45f00
--- /dev/null
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf
new file mode 100644 (file)
index 0000000..1a8f2a4
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config/description.txt b/testing/tests/ikev1/mode-config/description.txt
new file mode 100644 (file)
index 0000000..3e67f83
--- /dev/null
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
+by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
new file mode 100644 (file)
index 0000000..be8ca6e
--- /dev/null
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..2fd7345
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn home
+       left=PH_IP_CAROL
+       leftsourceip=%modeconfig
+       leftnexthop=%direct
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..128c4aa
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn home
+       left=PH_IP_DAVE
+       leftsourceip=%modeconfig
+       leftnexthop=%direct
+       leftcert=daveCert.pem
+       leftid=dave@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..3367544
--- /dev/null
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutodebug=control
+       crlcheckinterval=180
+       strictcrlpolicy=no
+       charonstart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_MOON
+       leftsubnet=10.1.0.0/16
+       leftsourceip=PH_IP_MOON1