--- /dev/null
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
+availabl, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
+successfully started and the IKE authentication completes. The new CRL is again
+cached locally as a file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
--- /dev/null
+moon::cat /var/log/daemon.log::loading crl file::YES
+carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::crl is stale::YES
+carol::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::sending ldap request::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::written crl file::YES
+carol::cat /var/log/daemon.log::written crl file::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
--- /dev/null
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow ldap crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=2
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
--- /dev/null
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow ldap crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap1.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=2
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
--- /dev/null
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
+carol::sleep 3
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"