enabled firewall support
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 18 Sep 2006 07:41:54 +0000 (07:41 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 18 Sep 2006 07:41:54 +0000 (07:41 -0000)
36 files changed:
testing/tests/ikev2/crl-revoked/description.txt
testing/tests/ikev2/crl-strict/description.txt
testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/default-keys/posttest.dat
testing/tests/ikev2/default-keys/pretest.dat
testing/tests/ikev2/host2host-cert/description.txt
testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/host2host-cert/posttest.dat
testing/tests/ikev2/host2host-cert/pretest.dat
testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/host2host-swapped/posttest.dat
testing/tests/ikev2/host2host-swapped/pretest.dat
testing/tests/ikev2/net2net-cert/description.txt
testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-cert/posttest.dat
testing/tests/ikev2/net2net-cert/pretest.dat
testing/tests/ikev2/net2net-route/description.txt
testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-route/posttest.dat
testing/tests/ikev2/net2net-route/pretest.dat
testing/tests/ikev2/net2net-start/description.txt
testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-start/posttest.dat
testing/tests/ikev2/net2net-start/pretest.dat
testing/tests/ikev2/rw-cert/description.txt
testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/rw-cert/posttest.dat
testing/tests/ikev2/rw-cert/pretest.dat

index dcb6e5a..b39c59c 100644 (file)
@@ -1,4 +1,4 @@
 By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. <b>carol</b> initiates
-the connection and presents a certificate that has been revoked by the
-current CRL.Therefore the IKE negotiation fails
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
+initiates the connection and presents a certificate that has been revoked by the
+current CRL causing the IKE negotiation to fail. 
index 8024eb3..b2b7090 100644 (file)
@@ -1,2 +1,2 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
 both roadwarrior <b>carol</b> and gateway <b>moon</b>.
index 7d720a8..8959766 100755 (executable)
@@ -9,14 +9,15 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn home
        left=PH_IP_CAROL
        leftnexthop=%direct
        leftcert=selfCert.der
        leftsendcert=never
+       leftfirewall=yes
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightcert=peerCert.der
-       keyexchange=ikev2
        auto=add
index 34da3d6..7e53917 100755 (executable)
@@ -9,6 +9,7 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn carol
        left=PH_IP_MOON
@@ -16,8 +17,7 @@ conn carol
        leftcert=selfCert.der
        leftsendcert=never
        leftsubnet=10.1.0.0/16
+       leftfirewall=yes
        right=%any
        rightcert=peerCert.der
-       keyexchange=ikev2
        auto=add
-
index 1e74411..52b48b9 100644 (file)
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
 moon::ipsec stop
 carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
index 416ffcb..3e31e0e 100644 (file)
@@ -1,4 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
 carol::rm /etc/ipsec.secrets
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
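Review bot: Dropping `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` leaves nothing visible in this commit that turns on forwarding on the gateway, yet carol's `rightsubnet=10.1.0.0/16` still needs moon to forward; forwarding now presumably comes from `/etc/init.d/iptables` or the guest image, and that script is not among the 36 changed files, so this should be confirmed. The same substitution is made in the net2net-cert, net2net-route, net2net-start and rw-cert pretest hunks. Sending the init script's stderr to `/dev/null` also hides a failed firewall start, in which case the scenario runs against an empty, default-ACCEPT ruleset and a successful ping no longer shows that the `leftfirewall=yes` rules are what admit the traffic; the `iptables -v -n -L` listing added to posttest.dat records the policies but is only informational. If forwarding is not set by the script, keeping the line explicitly, `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` after the `iptables start`, would preserve the previous behaviour.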
index 547fba7..6be21bf 100644 (file)
@@ -1,3 +1,4 @@
 A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
index e15faa1..5ace1ba 100755 (executable)
@@ -9,13 +9,14 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn host-host
        left=PH_IP_MOON
        leftnexthop=%direct
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
+       leftfirewall=yes
        right=PH_IP_SUN
        rightid=@sun.strongswan.org
-       keyexchange=ikev2
        auto=add
index 311aa00..d127fda 100755 (executable)
@@ -9,13 +9,14 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn host-host
        left=PH_IP_SUN
        leftnexthop=%direct
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       keyexchange=ikev2
        auto=add
index dff1817..5297950 100644 (file)
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
index 3cf9fe3..52a5196 100644 (file)
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
index b544d3a..7a5c3a2 100755 (executable)
@@ -9,13 +9,14 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn host-host
        right=PH_IP_MOON
        rightnexthop=%direct
        rightcert=moonCert.pem
        rightid=@moon.strongswan.org
+       rightfirewall=yes
        left=PH_IP_SUN
        leftid=@sun.strongswan.org
-       keyexchange=ikev2
        auto=add
index db1e72a..9add2f1 100755 (executable)
@@ -9,13 +9,14 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
+       keyexchange=ikev2
 
 conn host-host
        right=PH_IP_SUN
        rightnexthop=%direct
        rightcert=sunCert.pem
        rightid=@sun.strongswan.org
+       rightfirewall=yes
        left=PH_IP_MOON
        leftid=@moon.strongswan.org
-       keyexchange=ikev2
        auto=add
index dff1817..5297950 100644 (file)
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
index 3cf9fe3..52a5196 100644 (file)
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
index 15c9e64..7eea919 100644 (file)
@@ -1,4 +1,6 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
index 8fdb45e..a3213b9 100755 (executable)
@@ -9,14 +9,15 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
-       
+       keyexchange=ikev2
+
 conn net-net 
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.0/16
+       leftfirewall=yes
        right=PH_IP_SUN
        rightid=@sun.strongswan.org
        rightsubnet=10.2.0.0/16
-       keyexchange=ikev2
        auto=add
index 32697a8..06bf64b 100755 (executable)
@@ -9,14 +9,15 @@ conn %default
        keylife=20m
        rekeymargin=3m
         keyingtries=1
+       keyexchange=ikev2
 
 conn net-net 
        left=PH_IP_SUN
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org
        leftsubnet=10.2.0.0/16
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
        auto=add
index 684275c..b434a96 100644 (file)
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
-sun::rm /etc/ipsec.d/crls/*
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
 moon::rm /etc/ipsec.d/crls/*
+sun::rm /etc/ipsec.d/crls/*
 
index 75324a1..0cd81d1 100644 (file)
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 sun::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 moon::ipsec start
index 7bd102e..323f095 100644 (file)
@@ -4,3 +4,6 @@ on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
 A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
 <b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
 leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
index f456049..b805c06 100755 (executable)
@@ -17,6 +17,7 @@ conn net-net
        leftsubnet=10.1.0.0/16
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
+       leftfirewall=yes
        right=PH_IP_SUN
        rightsubnet=10.2.0.0/16
        rightid=@sun.strongswan.org
index 32697a8..06bf64b 100755 (executable)
@@ -9,14 +9,15 @@ conn %default
        keylife=20m
        rekeymargin=3m
         keyingtries=1
+       keyexchange=ikev2
 
 conn net-net 
        left=PH_IP_SUN
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org
        leftsubnet=10.2.0.0/16
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
        auto=add
index dff1817..5297950 100644 (file)
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
index 2665f4d..2eef7de 100644 (file)
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
index b2b897c..f532068 100644 (file)
@@ -3,3 +3,6 @@ respectively, is automatically established by means of the setting
 <b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
 behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
 gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
index 66c77fd..a96cde3 100755 (executable)
@@ -9,12 +9,12 @@ conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
-       leftnexthop=%direct
        keyexchange=ikev2
 
 conn net-net
        left=PH_IP_MOON
        leftsubnet=10.1.0.0/16
+       leftnexthop=%direct
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftfirewall=yes
index 32697a8..ec127a4 100755 (executable)
@@ -9,14 +9,16 @@ conn %default
        keylife=20m
        rekeymargin=3m
         keyingtries=1
+       keyexchange=ikev2
 
 conn net-net 
        left=PH_IP_SUN
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org
        leftsubnet=10.2.0.0/16
+       leftnexthop=%direct
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
-       keyexchange=ikev2
        auto=add
index dff1817..5297950 100644 (file)
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
index 334465b..6e41d52 100644 (file)
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 sun::ipsec start
 sun::sleep 2
 moon::ipsec start
index 89fcecf..15b3822 100644 (file)
@@ -1,4 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
index 4733930..a8eee1f 100755 (executable)
@@ -15,6 +15,7 @@ conn home
        leftnexthop=%direct
        leftcert=carolCert.pem
        leftid=carol@strongswan.org
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
index 5d78605..1fb8203 100755 (executable)
@@ -15,6 +15,7 @@ conn home
        leftnexthop=%direct
        leftcert=daveCert.pem
        leftid=dave@strongswan.org
+       leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
index 9a4f1af..655c7c4 100755 (executable)
@@ -16,6 +16,7 @@ conn rw
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.0/16
+       leftfirewall=yes
        right=%any
        keyexchange=ikev2
        auto=add
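Review bot: `keyexchange=ikev2` stays inside `conn rw` here while the other ipsec.conf files in this commit move it into `conn %default` (e.g. default-keys, host2host-cert, net2net-cert); if `conn %default` in this file is meant to follow the same layout, the per-conn line at `keyexchange=ikev2` becomes redundant and could be moved for consistency. The `conn %default` section of this file is outside the hunk, so whether it already carries the setting cannot be seen here.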
index 2a130b7..5f72643 100644 (file)
@@ -1,6 +1,12 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
 moon::rm /etc/ipsec.d/crls/*
 carol::rm /etc/ipsec.d/crls/*
 dave::rm /etc/ipsec.d/crls/*
index b4340a7..d917ec4 100644 (file)
@@ -1,4 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
 moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl