testing: Add some PPK scenarios
authorTobias Brunner <tobias@strongswan.org>
Thu, 30 Aug 2018 16:14:06 +0000 (18:14 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 10 Sep 2018 16:04:23 +0000 (18:04 +0200)
34 files changed:
testing/tests/swanctl/rw-cert-ppk/description.txt [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/evaltest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem [new file with mode: 0644]
testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/posttest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/pretest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-cert-ppk/test.conf [new file with mode: 0755]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf [new file with mode: 0644]
testing/tests/swanctl/rw-psk-ppk/description.txt [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/evaltest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/posttest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/pretest.dat [new file with mode: 0755]
testing/tests/swanctl/rw-psk-ppk/test.conf [new file with mode: 0755]

diff --git a/testing/tests/swanctl/rw-cert-ppk/description.txt b/testing/tests/swanctl/rw-cert-ppk/description.txt
new file mode 100755 (executable)
index 0000000..53e1033
--- /dev/null
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>
+and includes a <b>Postquantum Preshared Key (PPK)</b> that's also mixed into the
+derived key material. The PPK_ID used by <b>dave</b> is unknown to <b>moon</b>
+but since both peers don't enforce the use of a PPK they fall back to regular
+authentication by use of the authentication data provided in the NO_PPK_AUTH
+notify.
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-cert-ppk/evaltest.dat b/testing/tests/swanctl/rw-cert-ppk/evaltest.dat
new file mode 100755 (executable)
index 0000000..4138124
--- /dev/null
@@ -0,0 +1,15 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+dave:: cat /var/log/daemon.log::peer didn't use PPK for PPK_ID 'ppk-dave@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::no PPK for 'ppk-dave@strongswan.org' found, ignored because PPK is not required::YES
+moon:: cat /var/log/daemon.log::no PPK available, using NO_PPK_AUTH notify::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..b415e07
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644 (file)
index 0000000..1454ec5
--- /dev/null
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
+
+1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
+/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
+/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
+Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
+f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
+LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
+06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
+e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
+3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
+sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
+c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
+UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
+XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
+iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
+Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
+v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
+t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
+8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
+jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
+p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
+7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
+GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
+4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
+yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..4d0057c
--- /dev/null
@@ -0,0 +1,42 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-carol@strongswan.org
+      ppk_required = yes
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..b415e07
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..6328247
--- /dev/null
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-dave@strongswan.org
+      ppk_required = no
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ppk-dave {
+      id = ppk-dave@strongswan.org
+      secret = 0x06918e49398db61094438a5be8b743894f155f4e8521e6bcd1d47690557e4b13
+   }
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..b415e07
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-ppk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..f6c0569
--- /dev/null
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
diff --git a/testing/tests/swanctl/rw-cert-ppk/posttest.dat b/testing/tests/swanctl/rw-cert-ppk/posttest.dat
new file mode 100755 (executable)
index 0000000..b909ac7
--- /dev/null
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-cert-ppk/pretest.dat b/testing/tests/swanctl/rw-cert-ppk/pretest.dat
new file mode 100755 (executable)
index 0000000..dd1a17c
--- /dev/null
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-cert-ppk/test.conf b/testing/tests/swanctl/rw-cert-ppk/test.conf
new file mode 100755 (executable)
index 0000000..1227b9d
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/description.txt
new file mode 100644 (file)
index 0000000..fb84490
--- /dev/null
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+The roadwarrios then use the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b> and includes
+a <b>Postquantum Preshared Key (PPK)</b> that's also mixed into the
+derived key material. The PPK_ID used by <b>dave</b> is unknown to <b>moon</b>
+but since both peers don't enforce the use of a PPK they fall back to regular
+authentication by use of the authentication data provided in the NO_PPK_AUTH
+notify.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/evaltest.dat
new file mode 100644 (file)
index 0000000..b02c212
--- /dev/null
@@ -0,0 +1,27 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::peer didn't use PPK for PPK_ID 'ppk-dave@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*dave
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
+moon:: cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::no PPK for 'ppk-dave@strongswan.org' found, ignored because PPK is not required::YES
+moon:: cat /var/log/daemon.log::no PPK available, using NO_PPK_AUTH notify::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d2cc789
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..b01ce72
--- /dev/null
@@ -0,0 +1,41 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-carol@strongswan.org
+      ppk_required = yes
+
+      local {
+         auth = eap
+         eap_id = carol
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = Ar3etTnp
+   }
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d2cc789
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..f288788
--- /dev/null
@@ -0,0 +1,39 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-dave@strongswan.org
+
+      local {
+         auth = eap
+         eap_id = dave
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-dave {
+      id = dave
+      secret = W7R0g3do
+   }
+   ppk-dave {
+      id = ppk-dave@strongswan.org
+      secret = 0x06918e49398db61094438a5be8b743894f155f4e8521e6bcd1d47690557e4b13
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d2cc789
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..f4485ce
--- /dev/null
@@ -0,0 +1,44 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-md5
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave
+      secret = W7R0g3do
+   }
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/posttest.dat
new file mode 100644 (file)
index 0000000..46536ef
--- /dev/null
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::swanctl --terminate --ike home
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/pretest.dat
new file mode 100644 (file)
index 0000000..9ae476e
--- /dev/null
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa-ppk/test.conf
new file mode 100644 (file)
index 0000000..842f4b3
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-ppk/description.txt b/testing/tests/swanctl/rw-psk-ppk/description.txt
new file mode 100755 (executable)
index 0000000..b9535b9
--- /dev/null
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b> and includes a <b>Postquantum Preshared Key (PPK)</b>
+that's also mixed into the derived key material. The PPK_ID used by <b>dave</b> is
+unknown to <b>moon</b> but since both peers don't enforce the use of a PPK they fall back
+to regular authentication by use of the authentication data provided in the NO_PPK_AUTH
+notify.
+Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-psk-ppk/evaltest.dat b/testing/tests/swanctl/rw-psk-ppk/evaltest.dat
new file mode 100755 (executable)
index 0000000..b8b3fcb
--- /dev/null
@@ -0,0 +1,15 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ppk=yes.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+dave:: cat /var/log/daemon.log::peer didn't use PPK for PPK_ID 'ppk-dave@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::using PPK for PPK_ID 'ppk-carol@strongswan.org'::YES
+moon:: cat /var/log/daemon.log::no PPK for 'ppk-dave@strongswan.org' found, ignored because PPK is not required::YES
+moon:: cat /var/log/daemon.log::no PPK available, using NO_PPK_AUTH notify::YES
+alice::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..b56cc0c
--- /dev/null
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+  syslog {
+       daemon {
+               ike = 4
+       }
+  }
+}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..935a39e
--- /dev/null
@@ -0,0 +1,43 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-carol@strongswan.org
+      ppk_required = yes
+
+      local {
+         auth = psk
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+      secret = 0x16964066a10de938bdb2ab7864fe4459cab1
+   }
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
+
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..dcef959
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..84134fe
--- /dev/null
@@ -0,0 +1,40 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      ppk_id = ppk-dave@strongswan.org
+
+      local {
+         auth = psk
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = moon.strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+   ppk-dave {
+      id = ppk-dave@strongswan.org
+      secret = 0x06918e49398db61094438a5be8b743894f155f4e8521e6bcd1d47690557e4b13
+   }
+}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/strongswan.conf
new file mode 100755 (executable)
index 0000000..dcef959
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = random openssl
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ppk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..8552945
--- /dev/null
@@ -0,0 +1,42 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      ppk_id = *@strongswan.org
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   ike-carol {
+      id = carol@strongswan.org
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+   ike-dave {
+      id = dave@strongswan.org
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+   ppk-carol {
+      id = ppk-carol@strongswan.org
+      secret = 0x98c61dd0f8c7daf07759617546f7b3ae156f19a7bc935c61523c7ca998e5eedb
+   }
+}
diff --git a/testing/tests/swanctl/rw-psk-ppk/posttest.dat b/testing/tests/swanctl/rw-psk-ppk/posttest.dat
new file mode 100755 (executable)
index 0000000..b909ac7
--- /dev/null
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ppk/pretest.dat b/testing/tests/swanctl/rw-psk-ppk/pretest.dat
new file mode 100755 (executable)
index 0000000..48849c8
--- /dev/null
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ppk/test.conf b/testing/tests/swanctl/rw-psk-ppk/test.conf
new file mode 100755 (executable)
index 0000000..1227b9d
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1