authorAlexander Bluhm <bluhm@cvs.openbsd.org>2009-01-30 14:24:53 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2009-01-30 14:24:53 +0000
commit020271e3c498d7b5168fce348ad9f484f76869d2 (patch)
tree2ded469210cc252817f655f49ce552e4f47b3692 /regress
parent7b8bc2b70f1751dfd8b0ce67658c24eeb8d1e546 (diff)
If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@
Diffstat (limited to 'regress')
-rw-r--r--regress/sbin/ipsecctl/Makefile4
-rw-r--r--regress/sbin/ipsecctl/ikefail14.in11
-rw-r--r--regress/sbin/ipsecctl/ikefail14.ok109
3 files changed, 122 insertions, 2 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index b860c2ee0d2..963e4d19649 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.55 2009/01/29 10:08:13 bluhm Exp $
+# $OpenBSD: Makefile,v 1.56 2009/01/30 14:24:52 bluhm Exp $
# you can update the *.ok files with: make -i | patch
# TARGETS
@@ -15,7 +15,7 @@ TCPMD5TESTS=1 2 3
SATESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
SAFAIL=1 2
IPSECFAIL=1 2 3
-IKEFAIL=1 3 4 5 6 8 9 11 12 13
+IKEFAIL=1 3 4 5 6 8 9 11 12 13 14
IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKETESTS+=16 17 18 19 20 21 22 23
IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
diff --git a/regress/sbin/ipsecctl/ikefail14.in b/regress/sbin/ipsecctl/ikefail14.in
new file mode 100644
index 00000000000..6f1987d7233
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail14.in
@@ -0,0 +1,11 @@
+ike from any to any \
+ local 1.1.1.1 peer any \
+ main \
+ srcid src.id dstid dst.id \
+ psk secret
+ike from ::/0 to any \
+ local 2.2.2.2 peer any \
+ aggressive \
+ srcid src.wrong dstid dst.wrong \
+ psk insecure
+ike from ::/0 to any
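Review bot: The fixture covers every mismatch field the new warnings report (local, psk, phase 1 mode and auth, srcid, dstid) but contains no later rule that repeats the original default peer unchanged, so a regression that warned on an identical configuration would pass this test unnoticed. Appending a fourth rule such as `ike from any to any local 1.1.1.1 peer any main srcid src.id dstid dst.id psk secret` would exercise the no-warning path, assuming the comparison is made against the first default peer as the commit description states. The expected output in ikefail14.ok would then need to be regenerated (`make -i | patch`, per the Makefile comment) and checked to contain no `stdin: 12:` warning line for the added rule.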
diff --git a/regress/sbin/ipsecctl/ikefail14.ok b/regress/sbin/ipsecctl/ikefail14.ok
new file mode 100644
index 00000000000..a5a88d31b2b
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail14.ok
@@ -0,0 +1,109 @@
+stdin: 10: default peer local mismatch
+stdin: 10: default peer psk mismatch
+stdin: 10: default peer phase 1 mode mismatch
+stdin: 10: default peer srcid mismatch
+stdin: 10: default peer dstid mismatch
+stdin: 11: default peer local mismatch
+stdin: 11: default peer phase 1 auth mismatch
+stdin: 11: default peer srcid mismatch
+stdin: 11: default peer dstid mismatch
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Local-address=1.1.1.1 force
+C set [peer-default]:Authentication=secret force
+C set [peer-default]:Configuration=phase1-peer-default force
+C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-default]:Transforms=AES-SHA force
+C set [peer-default]:ID=id-src.id force
+C set [id-src.id]:ID-type=FQDN force
+C set [id-src.id]:Name=src.id force
+C set [peer-default]:Remote-ID=id-dst.id force
+C set [id-dst.id]:ID-type=FQDN force
+C set [id-dst.id]:Name=dst.id force
+C set [from-0.0.0.0/0-to-0.0.0.0/0]:Phase=2 force
+C set [from-0.0.0.0/0-to-0.0.0.0/0]:ISAKMP-peer=peer-default force
+C set [from-0.0.0.0/0-to-0.0.0.0/0]:Configuration=phase2-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [from-0.0.0.0/0-to-0.0.0.0/0]:Local-ID=from-0.0.0.0/0 force
+C set [from-0.0.0.0/0-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
+C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-0.0.0.0/0]:Network=0.0.0.0 force
+C set [from-0.0.0.0/0]:Netmask=0.0.0.0 force
+C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-0.0.0.0/0]:Network=0.0.0.0 force
+C set [to-0.0.0.0/0]:Netmask=0.0.0.0 force
+C add [Phase 2]:Connections=from-0.0.0.0/0-to-0.0.0.0/0
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Local-address=1.1.1.1 force
+C set [peer-default]:Authentication=secret force
+C set [peer-default]:Configuration=phase1-peer-default force
+C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-default]:Transforms=AES-SHA force
+C set [peer-default]:ID=id-src.id force
+C set [id-src.id]:ID-type=FQDN force
+C set [id-src.id]:Name=src.id force
+C set [peer-default]:Remote-ID=id-dst.id force
+C set [id-dst.id]:ID-type=FQDN force
+C set [id-dst.id]:Name=dst.id force
+C set [from-::/0-to-::/0]:Phase=2 force
+C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
+C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
+C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
+C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
+C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [from-::/0]:Network=:: force
+C set [from-::/0]:Netmask=:: force
+C set [to-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [to-::/0]:Network=:: force
+C set [to-::/0]:Netmask=:: force
+C add [Phase 2]:Connections=from-::/0-to-::/0
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Local-address=2.2.2.2 force
+C set [peer-default]:Authentication=insecure force
+C set [peer-default]:Configuration=phase1-peer-default force
+C set [phase1-peer-default]:EXCHANGE_TYPE=AGGRESSIVE force
+C add [phase1-peer-default]:Transforms=AES-SHA force
+C set [peer-default]:ID=id-src.wrong force
+C set [id-src.wrong]:ID-type=FQDN force
+C set [id-src.wrong]:Name=src.wrong force
+C set [peer-default]:Remote-ID=id-dst.wrong force
+C set [id-dst.wrong]:ID-type=FQDN force
+C set [id-dst.wrong]:Name=dst.wrong force
+C set [from-::/0-to-::/0]:Phase=2 force
+C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
+C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
+C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
+C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
+C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [from-::/0]:Network=:: force
+C set [from-::/0]:Netmask=:: force
+C set [to-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [to-::/0]:Network=:: force
+C set [to-::/0]:Netmask=:: force
+C add [Phase 2]:Connections=from-::/0-to-::/0
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Configuration=phase1-peer-default force
+C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C set [from-::/0-to-::/0]:Phase=2 force
+C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
+C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
+C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
+C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
+C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [from-::/0]:Network=:: force
+C set [from-::/0]:Netmask=:: force
+C set [to-::/0]:ID-type=IPV6_ADDR_SUBNET force
+C set [to-::/0]:Network=:: force
+C set [to-::/0]:Netmask=:: force
+C add [Phase 2]:Connections=from-::/0-to-::/0