testing: Add ikev2/trap-any scenario

diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2/trap-any/description.txt
new file mode 100644 (file)
index 0000000..81e1482
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/description.txt
@@ -0,0 +1,7 @@
+The hosts <b>moon</b>, <b>sun</b> and <b>dave</b> install <b>transport-mode</b> trap
+policies with <b>right=%any</b>.  The remote host is dynamically determined based on
+the acquires received from the kernel.  Host <b>dave</b> additionally limits the remote
+hosts to <b>moon</b> and <b>sun</b> with <b>rightsubnet</b>.  This is tested by
+pinging <b>sun</b> and <b>carol</b> from <b>moon</b>, <b>carol</b> from <b>sun</b>, and
+<b>sun</b> and <b>moon</b> from <b>dave</b>. The latter also pings <b>carol</b>, which
+is not going to be encrypted as <b>carol</b> is not part of the configured <b>rightsubnet</b>.

diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
new file mode 100644 (file)
index 0000000..bcba9ef
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -0,0 +1,33 @@
+moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
+moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES

diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..a2d6229
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,16 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="knl 2"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn trap-any
+       right=%any
+       type=transport
+       authby=psk
+       auto=add

diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..34647bc
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file

diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..8e685c8
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..3c7adfb
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="knl 2"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn trap-any
+       right=%any
+       rightsubnet=192.168.0.0/30
+       type=transport
+       authby=psk
+       auto=route
+

diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..34647bc
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file

diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..8e685c8
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..409bee2
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="knl 2"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+       authby=never
+       leftsubnet=0.0.0.0/0[tcp/22]
+       rightsubnet=0.0.0.0/0[tcp]
+       type=pass
+       auto=route
+
+conn trap-any
+       right=%any
+       type=transport
+       authby=psk
+       auto=route

diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..34647bc
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file

diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..8e685c8
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..71edc4c
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="knl 2"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+       authby=never
+       leftsubnet=0.0.0.0/0[tcp/22]
+       rightsubnet=0.0.0.0/0[tcp]
+       type=pass
+       auto=route
+
+conn trap-any
+       right=%any
+       type=transport
+       authby=psk
+       auto=route
+

diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..34647bc
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file

diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..8e685c8
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}

diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2/trap-any/posttest.dat
new file mode 100644 (file)
index 0000000..1bf206e
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+carol::ipsec stop
+dave::ipsec stop

diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2/trap-any/pretest.dat
new file mode 100644 (file)
index 0000000..0924078
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/pretest.dat
@@ -0,0 +1,5 @@
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::sleep 1

diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2/trap-any/test.conf
new file mode 100644 (file)
index 0000000..742bf02
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun carol dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun carol dave"