From 7ea31a17ead0bb480251a31109f971b79e9ce589 Mon Sep 17 00:00:00 2001 
From: Andreas Steffen
Date: Mon, 30 Apr 2012 00:32:58 +0200
Subject: [PATCH] added ikev2/net2net-rsa scenario
---
 testing/tests/ikev2/net2net-rsa/description.txt | 7 ++++++
 testing/tests/ikev2/net2net-rsa/evaltest.dat | 7 ++++++
 .../ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf | 25 +++++++++++++++++++++
 .../hosts/moon/etc/ipsec.d/private/moonKey.der | Bin 0 -> 1187 bytes
 .../ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets | 3 +++
 .../net2net-rsa/hosts/moon/etc/strongswan.conf | 5 +++++
 .../ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf | 23 +++++++++++++++++++
 .../hosts/sun/etc/ipsec.d/private/sunKey.der | Bin 0 -> 1189 bytes
 .../ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets | 3 +++
 .../net2net-rsa/hosts/sun/etc/strongswan.conf | 5 +++++
 testing/tests/ikev2/net2net-rsa/posttest.dat | 6 +++++
 testing/tests/ikev2/net2net-rsa/pretest.dat | 8 +++++++
 testing/tests/ikev2/net2net-rsa/test.conf | 21 +++++++++++++++++
 13 files changed, 113 insertions(+)
 create mode 100644 testing/tests/ikev2/net2net-rsa/description.txt
 create mode 100644 testing/tests/ikev2/net2net-rsa/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-rsa/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-rsa/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-rsa/test.conf
diff --git a/testing/tests/ikev2/net2net-rsa/description.txt b/testing/tests/ikev2/net2net-rsa/description.txt
new file mode 100644
index 0000000..a9310d4
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on raw RSA keys in Base64-encoded RFC 3110 DNSKEY format.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
new file mode 100644
index 0000000..0ccfb7e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status::INSTALLED, TUNNEL::YES
+sun::ipsec status::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 0000000..61b9b71
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
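Review bot: evaltest.dat only asserts that the IKE_SA is ESTABLISHED, that a TUNNEL is INSTALLED and that ESP flows, so it would pass equally if the gateways had authenticated by some means other than the raw RFC 3110 keys this scenario exists to exercise. pretest.dat removes the CA certificates, which narrows the options, but nothing checks the authentication method that charon actually used. Adding a log assertion such as `moon::cat /var/log/daemon.log::authentication of 'sun.strongswan.org' with RSA signature successful::YES` (and the mirror line on sun for moon.strongswan.org) would pin the property under test and catch a regression in DNSKEY-format key loading that silently degrades to a different auth path.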
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+ leftauth=pubkey
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+ rightauth=pubkey
+ auto=add
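Review bot: The two public-key blobs in `conn net-net` (`leftrsasigkey=0s…`, `rightrsasigkey=0s…`) are pasted inline and the same blobs recur, swapped, in sun's ipsec.conf, so nothing in either file records which key blob corresponds to which private key under ipsec.d/private. A key rotation then has to be done in lockstep across both hosts' ipsec.conf files and both .der files with no way to check the pairing from the config alone. A one-line comment above each key, e.g. `# RFC 3110 DNSKEY form of the public key of ipsec.d/private/moonKey.der`, would make the pairing verifiable by a reader and cheap to keep right when the test keys are regenerated.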
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der new file mode 100644 index 0000000000000000000000000000000000000000..49e0111f2815f2200aa2a23c6fe6a09904e06a38 GIT binary patch literal 1187 zcmV;U1YG+tf&`xe00M#m0DhWBga}?io3-Z-NhE$~C(HENoz&zvRr3{QayhmW6_YsQI<-{lm@Qm7!FX!e@UeiY0ErT?*v>iyebZ>hSc<5Zc_7CSh00; zhDfyyX?iE9GCzlx!jh!!X42aeinl%f519Zk&1F_;Hc-|D*QrX1l-{=2!RFfb?==xW z2odfS$(jp2b&bg{X#3o#64}iZ@%6vVi|T{x6#J9ZX<&J+Xkdx=mz~wNI!T!trUBNw z&p+JGo5U=`(4&Cffm^~^2asHv8DT-&=iKbRfqja!!oS_~i%@jzM4xbQEjraIj{fKj zL#)WOBj)7~Y2EeAV*&vK0)hbm6&bdc0c8sBNc-2e+iGU9OsLN9qkCSCQ!Yc5r@g$I z%=!%s{oT%uwCaVBqV0A#L$@KAtH;p<0%FVRj7BZy_cXaD)(>5uTvx|IBYqF(xP9Z~ z9g~wm3?3}z>9Iz$3YM8m7;w^NczM{D9*R{0nScl)JC0`FV$N1hoHrL3lc4CSM@d-^ z?>S4I?V;y6H?hWK(&TnZa0z-hpSo$UT2tMz{>b`a@j)h`3z1XdS7x>UWW8yt8 zHaMAC_yp)H6QxJq%zbV50)c@5!5fDK20Ugi;Gt-_1iRVA6arIV$6iC{#tb|cgl^t3 zyQ3)IuZq7>F?I72q$V~++Ybkq%6~S{Pnl+bcOqn_JRf$VqW&ccpvsPx5+pdi)w3t* zC3GN1^0(0bKc?yjp$yri4~dkiTJ;4HVKG=tU&2SH)}8Q+`oXoLJA4&?0)c@5r`6oW zH0F9>xfl?eduGqAH{L_H)et4W+E2YO?mBZeEQg;SB^*cXn506pJKVAnE?T0oU_x$P zYAhSFE)Y&_w_gQy*?HrEM%bOWl!XBL(`yKIR|`K1#dSnL(M?N7`c=1k9V?JCnH)-m zf>vWES<);O11IK#Vyrin+CJCs*vlTbl`JpCIliD>QPz1D(o(qp0)c>U zvJ4`9cRoQwTYg3KUn!YrkAUPkZC2jSgTRuM_TygvML8IPA!0oh}_zyqPN7%j{E#jn1wInn(m#cN98@=<%_nry8^b8p|K*3z(^Zt9Z`l|1355y BKKlRw literal 0 HcmV?d00001 diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 0000000..b9ec17d --- /dev/null +++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000..3bc16cc --- /dev/null 
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
new file mode 100755
index 0000000..24e20dc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftid=@sun.strongswan.org
+ leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+ auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der new file mode 100644 index 0000000000000000000000000000000000000000..7c284f93917a34b466a47bac2d68aa61fce9d685 GIT binary patch literal 1189 zcmV;W1X}wrf&`%g00M#m0RW;(D{>uZP)<)^#-QfK43!ajI*W2MDVdG3 zRj@rSmp%YNipHqh-?fJ7#c18|LJSjth6#+r+ca;W(@EvpAqi-yZA|chzQyfdPvLY1 z#kIE9gf~T#7m@xa=D7W;*n@%ch!3oeiic_m!c_A$EPd-Z>I!^P;!^?v0|J5p00ip)DwigBo-q{SNk+Am)6?7~45B3fVVkaA-Ea{Q z#+R@X9GwAaZhRpGG?2j9JI%=ry<86o!cHo#x_F@$C}4R!w5i|Hbfy%hIHGWY=J&0R z4wmTdx9&ubq?Le_8?s(Z&rN|$VH0!oo1kH73*2nx+sRKgeCC)DzYjp?fVM-+=iqh& zA0tkLD?z*v`zu&c`TEjsI|aZ6`1EK z6_;R|cbW)}Ho@!RUb|kJcXZj=&5)5WFu0B(U!G?E4XXPYiaWW~<|lh%RABAm*i7g1 zGfVbCf}DbFycJ1eQ+LG|+X8`s0RH1Jiysz;Uh7P!x@wz`l6ma!@MSTo;=54N%)fst z2?6rO;6{aPRKqy*x0yrut!*Hwf8eBthRtP~|36jZsKmgWtx{=q7!4dL1-b%@SltDu z9Xcj~Q~KsEwdwwmgt8Bxy<%$=1x!lKel6yiG}#=#Bb<6;$jHs+0HXjr z*qFkXGBbCr?$@-k6x?{|zYUx$3-46zQ)p#Jml#LaKn@*%RTQ4~LS9lq@{2>r)hkHS zfv!)-&{&@Mt(xgt1>z};_IVRrz}<6rVIDR!fQ2IyzuYC9+a*KQ(b2S$_5)tWDj+3N zoL&EEm91p4x8B2}by`s%bEONYIRb%!0IBTD2Wk%l>GCrgd`A*rw)^u+phI?X?0n#i zh<~aau&ehjm4sOG<1EmlB@oy99!S7&|LYi9S>8juswz1`aDyuo9yaj!y0d5-SthJp z<>;<&Xwh!~;-^F(Bk@#W10i3()0XlLSlx#+sdMiT&E^v-7rmzKF*f$S;_p9iM*@L> zY^u{c5P`ZOccmVmI(T-tlKVx}v%PY%pN;d3@I!?UWraE_v=gf1V-%z;KH-5(T-Vz; z$A#gm$%=(FkZJoKXGS~&>>IOA`(i!S==Y_T6eJ>5t`}l|=ou3{!-9^B;Uf&B0zWTt zYQv0ZKB`7z$nDF|>DR(eJT?`gZU@DC0)c@5zlK~s*+!Gc@oohDbCR8VN;)ZRVH4|{ z0qA{P^S*JfqWCzas4ADWUV{k&QWP;R-u*jw$%zF^@{Y(G^O&7!hH=Ye>dEjH%oA^F zw~XY~(}QuC?xpOG&{w*S4sRq1U?3rJ_FL(a*SytE;P?aOy=#MoB0E(?4hdT*@Eg4f DYy?a> literal 0 HcmV?d00001 diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets new file mode 100644 index 0000000..6aa9ed5 --- /dev/null +++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.der 
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..3bc16cc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
new file mode 100644
index 0000000..a199946
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/moonKey.der
+sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
new file mode 100644
index 0000000..9e40684
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
new file mode 100644
index 0000000..f74d0f7
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
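Review bot: pretest.dat deletes `/etc/ipsec.d/cacerts/*` on both gateways to force raw-key authentication, but posttest.dat only removes the two private keys and never puts the CA certificates back, so the cleanup is asymmetric with the setup. Whether that matters depends on whether the UML guests are re-provisioned between scenarios, which this patch does not show; if they are not, any certificate-based scenario that runs on moon or sun after this one starts without its CA and fails for an unrelated reason. I would either add restore steps to posttest.dat that mirror the two `rm` lines, or check how the sibling net2net scenarios that also strip cacerts handle teardown and follow the same pattern.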
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--
2.7.4