PRE-TEST winnetou# /etc/init.d/slapd start * Starting ldap-server ... [ ok ] adding new entry "o=Linux strongSwan, c=CH" adding new entry "cn=Manager,o=Linux strongSwan, c=CH" adding new entry "cn=strongSwan Root CA, o=Linux strongSwan, c=CH" adding new entry "ou=Research, o=Linux strongSwan, c=CH" adding new entry "cn=Research CA, ou=Research, o=Linux strongSwan, c=CH" adding new entry "ou=Sales, o=Linux strongSwan, c=CH" adding new entry "cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH" moon# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] carol# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] moon# ipsec start Starting strongSwan IPsec 2.8.8 [starter]... carol# ipsec start Starting strongSwan IPsec 2.8.8 [starter]... carol# sleep 2 carol# ipsec up home 002 "home" #1: initiating Main Mode 104 "home" #1: STATE_MAIN_I1: initiate 003 "home" #1: ignoring Vendor ID payload [strongSwan 2.8.8] 003 "home" #1: received Vendor ID payload [XAUTH] 003 "home" #1: received Vendor ID payload [Dead Peer Detection] 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "home" #1: we have a cert and are sending it 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 002 "home" #1: X.509 certificate rejected 003 "home" #1: no RSA public key known for '@moon.strongswan.org' 217 "home" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION 002 "home" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.0.1:500 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 40s for response 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: ISAKMP SA established 004 "home" #1: STATE_MAIN_I4: ISAKMP SA established 002 "home" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1} 112 "home" #2: STATE_QUICK_I1: initiate 002 "home" #2: sent QI2, IPsec SA established {ESP=>0xd5b9dd4f <0xdb24f0d5} 004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xd5b9dd4f <0xdb24f0d5} carol# sleep 3 TEST moon# cat /var/log/auth.log | grep 'loaded crl file' [YES] Dec 6 11:59:18 moon pluto[18638]: loaded crl file '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) carol# cat /var/log/auth.log | grep 'loaded crl file' [YES] Dec 6 11:59:19 carol pluto[14625]: loaded crl file '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) moon# cat /var/log/auth.log | grep 'crl update is overdue' [YES] Dec 6 11:59:21 moon pluto[18638]: "rw"[1] 192.168.0.100 #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 carol# cat /var/log/auth.log | grep 'crl update is overdue' [YES] Dec 6 11:59:32 carol pluto[14625]: "home" #1: crl update is overdue since Jul 20 21:40:37 UTC 2005 moon# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Dec 6 11:59:21 moon pluto[18638]: "rw"[1] 192.168.0.100 #1: X.509 certificate rejected carol# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Dec 6 11:59:32 carol pluto[14625]: "home" #1: X.509 certificate rejected moon# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Dec 6 11:59:32 moon pluto[18638]: "rw"[2] 192.168.0.100 #1: ignoring informational payload, type INVALID_KEY_INFORMATION carol# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Dec 6 11:59:21 carol pluto[14625]: "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION moon# cat /var/log/auth.log | grep 'Trying LDAP URL' [YES] Dec 6 11:59:31 moon pluto[18638]: | Trying LDAP URL 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' carol# cat /var/log/auth.log | grep 'Trying LDAP URL' [YES] Dec 6 11:59:42 carol pluto[14625]: | Trying LDAP URL 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' moon# ipsec status | grep 'rw.*STATE_QUICK_R2.*IPsec SA established' [YES] 000 #2: "rw"[2] 192.168.0.100 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1106s; newest IPSEC; eroute owner carol# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES] 000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 908s; newest IPSEC; eroute owner moon# cat /var/log/auth.log | grep 'written crl file' [YES] Dec 6 11:59:31 moon pluto[18638]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) carol# cat /var/log/auth.log | grep 'written crl file' [YES] Dec 6 11:59:42 carol pluto[14625]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (560 bytes) moon# ipsec listcrls | grep ' ok' [YES] 000 next Jan 05 11:52:01 2008 ok carol# ipsec listcrls | grep ' ok' [YES] 000 next Jan 05 11:52:01 2008 ok POST-TEST moon# iptables -v -n -L Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 8 5360 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 7 1068 ACCEPT tcp -- eth0 * 192.168.0.150 0.0.0.0/0 tcp spt:389 306 42272 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth0 * 192.168.0.100 10.1.0.0/16 policy match dir in pol ipsec reqid 16401 proto 50 0 0 ACCEPT all -- * eth0 10.1.0.0/16 192.168.0.100 policy match dir out pol ipsec reqid 16401 proto 50 Chain OUTPUT (policy DROP 4 packets, 296 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0 6 3696 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 8 558 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.0.150 tcp dpt:389 382 224K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 carol# iptables -v -n -L Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth0 * 10.1.0.0/16 192.168.0.100 policy match dir in pol ipsec reqid 16385 proto 50 0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 6 3696 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 6 1016 ACCEPT tcp -- eth0 * 192.168.0.150 0.0.0.0/0 tcp spt:389 382 51804 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 4 packets, 296 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * eth0 192.168.0.100 10.1.0.0/16 policy match dir out pol ipsec reqid 16385 proto 50 0 0 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0 8 5360 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 9 610 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.0.150 tcp dpt:389 449 228K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 moon# ipsec stop Stopping strongSwan IPsec... carol# ipsec stop Stopping strongSwan IPsec... winnetou# /etc/init.d/slapd stop * Stopping ldap-server ... [ ok ] moon# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] carol# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] moon# rm /etc/ipsec.d/crls/* carol# rm /etc/ipsec.d/crls/*