PRE-TEST winnetou# /etc/init.d/slapd start * Starting ldap-server ... [ ok ] adding new entry "o=Linux strongSwan, c=CH" adding new entry "cn=Manager,o=Linux strongSwan, c=CH" adding new entry "cn=strongSwan Root CA, o=Linux strongSwan, c=CH" adding new entry "ou=Research, o=Linux strongSwan, c=CH" adding new entry "cn=Research CA, ou=Research, o=Linux strongSwan, c=CH" adding new entry "ou=Sales, o=Linux strongSwan, c=CH" adding new entry "cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH" moon# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] carol# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] moon# ipsec start Starting strongSwan IPsec 2.8.11 [starter]... carol# ipsec start Starting strongSwan IPsec 2.8.11 [starter]... carol# sleep 2 carol# ipsec up home 002 "home" #1: initiating Main Mode 104 "home" #1: STATE_MAIN_I1: initiate 003 "home" #1: ignoring Vendor ID payload [strongSwan 2.8.11] 003 "home" #1: received Vendor ID payload [XAUTH] 003 "home" #1: received Vendor ID payload [Dead Peer Detection] 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "home" #1: we have a cert and are sending it 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 002 "home" #1: X.509 certificate rejected 003 "home" #1: no RSA public key known for '@moon.strongswan.org' 217 "home" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION 002 "home" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.0.1:500 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 40s for response 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: ISAKMP SA established 004 "home" #1: STATE_MAIN_I4: ISAKMP SA established 002 "home" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1} 112 "home" #2: STATE_QUICK_I1: initiate 002 "home" #2: sent QI2, IPsec SA established {ESP=>0x9b1348f7 <0x80ac4d30} 004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9b1348f7 <0x80ac4d30} carol# sleep 3 TEST moon# cat /var/log/auth.log | grep 'loaded crl file' [YES] Jul 20 06:53:15 moon pluto[5543]: loaded crl file '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) carol# cat /var/log/auth.log | grep 'loaded crl file' [YES] Jul 20 06:53:16 carol pluto[5015]: loaded crl file '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) moon# cat /var/log/auth.log | grep 'crl update is overdue' [YES] Jul 20 06:53:18 moon pluto[5543]: "rw"[1] 192.168.0.100 #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 carol# cat /var/log/auth.log | grep 'crl update is overdue' [YES] Jul 20 06:53:29 carol pluto[5015]: "home" #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 moon# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Jul 20 06:53:18 moon pluto[5543]: "rw"[1] 192.168.0.100 #1: X.509 certificate rejected carol# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Jul 20 06:53:29 carol pluto[5015]: "home" #1: X.509 certificate rejected moon# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Jul 20 06:53:29 moon pluto[5543]: "rw"[2] 192.168.0.100 #1: ignoring informational payload, type INVALID_KEY_INFORMATION carol# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Jul 20 06:53:18 carol pluto[5015]: "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION moon# cat /var/log/auth.log | grep 'Trying LDAP URL' [YES] Jul 20 06:53:28 moon pluto[5543]: | Trying LDAP URL 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' carol# cat /var/log/auth.log | grep 'Trying LDAP URL' [YES] Jul 20 06:53:39 carol pluto[5015]: | Trying LDAP URL 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' moon# ipsec status | grep 'rw.*STATE_QUICK_R2.*IPsec SA established' [YES] 000 #2: "rw"[2] 192.168.0.100 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1103s; newest IPSEC; eroute owner carol# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES] 000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 843s; newest IPSEC; eroute owner moon# cat /var/log/auth.log | grep 'written crl file' [YES] Jul 20 06:53:28 moon pluto[5543]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) carol# cat /var/log/auth.log | grep 'written crl file' [YES] Jul 20 06:53:39 carol pluto[5015]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) moon# ipsec listcrls | grep ' ok' [YES] 000 next Aug 19 06:25:52 2009 ok carol# ipsec listcrls | grep ' ok' [YES] 000 next Aug 19 06:25:52 2009 ok POST-TEST moon# iptables -v -n -L Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 8 5360 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 6 1016 ACCEPT tcp -- eth0 * 192.168.0.150 0.0.0.0/0 tcp spt:389 479 53886 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth0 * 192.168.0.100 10.1.0.0/16 policy match dir in pol ipsec reqid 16401 proto 50 0 0 ACCEPT all -- * eth0 10.1.0.0/16 192.168.0.100 policy match dir out pol ipsec reqid 16401 proto 50 Chain OUTPUT (policy DROP 3 packets, 180 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0 6 3696 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 9 610 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.0.150 tcp dpt:389 575 243K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 carol# iptables -v -n -L Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth0 * 10.1.0.0/16 192.168.0.100 policy match dir in pol ipsec reqid 16385 proto 50 0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 6 3696 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 6 1016 ACCEPT tcp -- eth0 * 192.168.0.150 0.0.0.0/0 tcp spt:389 475 59819 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 3 packets, 180 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * eth0 192.168.0.100 10.1.0.0/16 policy match dir out pol ipsec reqid 16385 proto 50 0 0 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0 8 5360 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 9 610 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.0.150 tcp dpt:389 619 242K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 moon# ipsec stop Stopping strongSwan IPsec... carol# ipsec stop Stopping strongSwan IPsec... winnetou# /etc/init.d/slapd stop * Stopping ldap-server ... [ ok ] moon# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] carol# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] moon# rm /etc/ipsec.d/crls/* carol# rm /etc/ipsec.d/crls/*