testing: migrated openssl-ikev2/critical-extension to swanctl

Author: strongX509

testing/tests/openssl-ikev2/critical-extension/description.txt

@@ -1,5 +1,5 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
 The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical 
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
 extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
 <b>sun</b> discards such certificates and aborts the connection setup.

testing/tests/openssl-ikev2/critical-extension/evaltest.dat

@@ -1,6 +1,4 @@
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
 sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES

testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf

@@ -1,9 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
   multiple_authentication = no
+}
 
+libstrongswan {
   x509 {
     enforce_critical = no
   }

…sts/moon/etc/ipsec.d/private/moonKey.pem …n/hosts/moon/etc/swanctl/rsa/moonKey.pemtesting/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem renamed to testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem renamed to testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem

@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}

testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf

@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
   multiple_authentication = no
 }

…osts/moon/etc/ipsec.d/certs/moonCert.der …hosts/moon/etc/swanctl/x509/moonCert.dertesting/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der renamed to testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der renamed to testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der

@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+             esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}