#!/bin/sh # A collection of whack sequences to test Pluto. # Generally, we command the west Pluto to negotiate with east. # Sometimes north and south come into play. . CONFIG WESTHOST="--host $WESTIP --ikeport $IKEPORT" WESTNET="$WESTHOST --client $WESTSUBNET" EASTHOST="--host $EASTIP --ikeport $IKEPORT" EASTNET="$EASTHOST --client $EASTSUBNET" ANYHOST="--host %any --ikeport $IKEPORT" OPPO="--host %opportunistic --ikeport $IKEPORT" WESTWHACK="../whack --ctlbase ./pluto.west" EASTWHACK="../whack --ctlbase ./pluto.east" TIMES="--rekeymargin 350 --ikelifetime 900 --ipseclifetime 800" TIMES0="$TIMES --keyingtries 0" TIMES1="$TIMES --keyingtries 1" TIMES2="$TIMES --keyingtries 2" LIST="1 2 3 4 5" function perform() { echo "$@" "$@" || echo RC: $? } function me() { perform $WESTWHACK "$@" } function him() { perform $EASTWHACK "$@" } function both() { perform $WESTWHACK "$@" perform $EASTWHACK "$@" } for i do case "$i" in listen) both --listen ;; kall) both --keyid 127.95.7.2 --pubkeyrsa 0sAQOeSJscIy2XZHfs+PODDqdgJR2FmdfRNqzURVL5q2fesMHmibMLPM5cTPx2HvYKBX3YyB+BdHoojmFNixV+RTrKyyN0Og4PYwhdw0FUApDvOg7KYe1CeLUeTAUzT5Pq7MdclRW5bYY84hXSfKgaPwPTwuiLKEnVdbhGgwxqwfQ6ow== both --keyid @east.example.com --pubkeyrsa 0sAQNWmttqbM8nIypsHEULynOagFyV1MQ+/1yF5sa32abxBb2fimah7NsHM9l/KpNo7RGtiP0L6triedsZ0xz1Maa4DPnZlrtexu5uIH+FH34SUr7Xe2RcHnLVOznHMzacgcjrOUvV/nA9OEGvm7vRsMAWm/VjNuNugogFreiYEpFMQQ== both --keyid 127.95.7.3 --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw== both --keyid @north.example.com --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw== both --keyid 127.95.7.4 --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ== both --keyid @south.example.com --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ== both --keyid 127.95.7.1 --pubkeyrsa 0sAQOOyFBeFFr9CWXgn1aOEvTr98HG4inSckTXlyYi5x85G+Q1+PZ/roqB3OtnRS2XbXFb3n92QjZMJ403wQUwMAt6uzXzXDle5VvFn7cVXq3ch0jqQUxIFcdIIFR2wtkxvAr20xSOHNF/ozmKVZLkrHLu4RvVCCbSNa5toqLXblkcOQ== both --keyid @west.example.com --pubkeyrsa 0sAQOFtqrs57eghHmYREoCu1iGn4kXd+a6yT7wCFUk54d9i08mR4h5uFKPhc9fq78XNqz1AhrBH3SRcWAfJ8DaeGvZ0ZvCrTQZn+RJzX1FQ4fjuGBO0eup2XUMsYDw01PFzQ9O4qlwly6niOcMTxvbWgGcl+3DYfRvHgxet8kNtfqzHQ== ;; shutdown) both --shutdown ;; status) both --status ;; # "isakmp": ISAKMP SA only; PSK or RSA disakmp-psk) both --name isakmp-psk --psk $EASTHOST --to $WESTHOST $TIMES2 ;; xisakmp-psk) me --name isakmp-psk --initiate ;; disakmp-rsa) both --name isakmp-rsa --rsa $EASTHOST --to $WESTHOST $TIMES2 ;; xisakmp-rsa) me --name isakmp-rsa --initiate ;; # "ipsec": IPsec SA dipsec-psk) both --name ipsec-psk --delete --psk \ --updown silly $EASTNET --to --updown sally $WESTNET \ --authenticate --encrypt --pfs $TIMES2 ;; xipsec-psk) me --name ipsec-psk --initiate ;; dipsec-rsa) both --name ipsec-rsa --delete --rsa \ --updown silly $EASTNET --to --updown sally $WESTNET \ --authenticate --encrypt --pfs $TIMES2 ;; xipsec-rsa) me --name ipsec-rsa --initiate ;; # like dipsec-rsa, except compression is specified dipsec-rsa-c) both --name ipsec-rsa-c --delete --rsa \ --updown silly $EASTNET --to --updown sally $WESTNET \ --authenticate --encrypt --compress $TIMES2 ;; xipsec-rsa-c) me --name ipsec-rsa-c --initiate ;; # Road Warrior: dipsec-psk-rw) me --name ipsec-psk-rw --delete --psk \ --updown sally $WESTNET \ --to --updown silly $EASTNET \ --encrypt $TIMES2 him --name ipsec-psk-rw --delete --psk \ --updown silly $ANYHOST \ --client $WESTSUBNET \ --to --updown sally $EASTNET --nexthop %direct \ --encrypt $TIMES2 ;; xipsec-psk-rw) me --name ipsec-psk-rw --initiate ;; dipsec-rsa-rw) me --name ipsec-rsa-rw --delete --rsa \ --updown sally $WESTNET \ --to --updown silly $EASTNET \ --encrypt $TIMES2 him --name ipsec-rsa-rw --delete --rsa \ --updown silly $ANYHOST \ --client $WESTSUBNET \ --to --updown sally $EASTNET --nexthop %direct \ --encrypt $TIMES2 ;; xipsec-rsa-rw) me --name ipsec-rsa-rw --initiate ;; # Opportunism # --pfs and --rsa required dipsec-oppo) # self me --name ipsec-oppo-me --delete --rsa --pfs \ --updown sally $WESTHOST --nexthop %direct \ --to --updown silly $OPPO \ --encrypt $TIMES2 # clients me --name ipsec-oppo-mine --delete --rsa --pfs \ --updown sally $WESTNET --nexthop %direct \ --to --updown silly $OPPO \ --encrypt $TIMES2 # self him --name ipsec-oppo-me --delete --rsa --pfs \ --updown silly $OPPO \ --to --updown sally $EASTHOST --nexthop %direct \ --encrypt $TIMES2 # clients him --name ipsec-oppo-mine --delete --rsa --pfs \ --updown silly $OPPO \ --to --updown sally $EASTNET --nexthop %direct \ --encrypt $TIMES2 ;; xipsec-oppo) # host to host me --oppohere $WESTIP --oppothere $EASTIP # host to client me --oppohere $WESTIP --oppothere $TRURO # client to host me --oppohere $VANCOUVER --oppothere $EASTIP # client to client me --oppohere $VICTORIA --oppothere $ANTIGONISH # whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0" # me --oppohere 0.0.0.0 --oppothere $ANTIGONISH # whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0" # me --oppohere $VICTORIA --oppothere 0.0.0.0 # 033 no suitable connection for opportunism between 127.95.7.22 and 127.95.7.10 with 127.95.7.1 as peer me --oppohere $ANTIGONISH --oppothere $VICTORIA # 033 Can't Opportunistically initiate for 127.95.7.10 to 127.95.7.23: no host 23.7.95.127.in-addr.arpa. for TXT record me --oppohere $VICTORIA --oppothere $ATLANTIS # Responder says: "ipsec-oppo-me" 127.95.7.1 0.0.0.0/32 #1: gateway 127.95.7.1 claims client 127.95.7.8, but DNS for client fails to confirm: no host 8.7.95.127.in-addr.arpa. for TXT record # Initiator slowly times out. # me --oppohere $VANISHED --oppothere $ANTIGONISH ;; # stipple: test opportunism by trying a bunch of targets dstipple-serial|dstipple-parallel) # self me --name ipsec-oppo-me --delete --rsa --pfs \ --updown sally $WESTHOST --nexthop %direct \ --to --updown silly $OPPO \ --encrypt $TIMES2 ;; xstipple-serial) n=10 a=192.139.70.1 while expr $n > 0 >/dev/null do n=`expr $n - 1` me --oppohere $WESTIP --oppothere $a a=`ipnext $a` done ;; xstipple-parallel) n=10 a=192.139.70.1 while expr $n > 0 >/dev/null do n=`expr $n - 1` me --oppohere $WESTIP --oppothere $a & a=`ipnext $a` done wait ;; *) echo "$0: $i unknown" exit 1 ;; esac done