# This strongswan-swanctl test is based on:
# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html
# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4
#
# The roadwarrior carol sets up a connection to gateway moon. The authentication
# is based on pre-shared keys and IPv4 addresses. Upon the successful
# establishment of the IPsec tunnels, the specified updown script automatically
# inserts iptables-based firewall rules that let pass the tunneled traffic. In
# order to test both tunnel and firewall, carol pings the client alice behind
# the gateway moon.
#
#      alice                    moon                    carol
#       eth1------vlan_0------eth1   eth2------vlan_1------eth1
#   192.168.0.1          192.168.0.3   192.168.1.3         192.168.1.2
#
# See the NixOS manual for how to run this test:
# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively
import ./make-test-python.nix (
  { pkgs, ... }:
  let
    # Rule both peers append to their firewall: accept inbound ESP so the
    # encrypted tunnel packets are not dropped before strongSwan sees them.
    acceptEsp = "iptables --insert INPUT --protocol ESP --jump ACCEPT";

    # Addressing shared by both swanctl configurations (see the topology
    # diagram in the file header).
    lanSubnet = "192.168.0.0/24"; # vlan_0, the network behind moon where alice lives
    carolAddr = "192.168.1.2";
    moonAddr = "192.168.1.3";

    # IKE / IPsec parameters used identically on both peers.
    ikeVersion = 2;
    psk = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx"; # test-only pre-shared key, same on both sides
    ikeProposals = [ "aes128-sha256-x25519" ];
    espProposals = [ "aes128gcm128-x25519" ];
  in
  {
    name = "strongswan-swanctl";
    meta.maintainers = [ pkgs.lib.maintainers.basvandijk ];

    nodes = {

      # alice: plain host on vlan_0, only reachable through gateway moon.
      alice =
        { ... }:
        {
          virtualisation.vlans = [ 0 ];
          networking = {
            defaultGateway = "192.168.0.3"; # moon's vlan_0 address
            dhcpcd.enable = false;
          };
        };

      # moon: gateway between vlan_0 and vlan_1; responder for carol's tunnel.
      moon =
        { config, ... }:
        let
          swanPkg = config.services.strongswan-swanctl.package;
        in
        {
          virtualisation.vlans = [ 0 1 ];

          networking = {
            dhcpcd.enable = false;
            firewall = {
              # IKE (500/udp) and IKE over NAT-T (4500/udp) must be reachable
              # from carol; ESP itself is admitted by acceptEsp.
              allowedUDPPorts = [ 4500 500 ];
              extraCommands = acceptEsp;
            };
            nat = {
              enable = true;
              externalInterface = "eth2";
              externalIP = moonAddr;
              internalInterfaces = [ "eth1" ];
              internalIPs = [ lanSubnet ];
            };
          };

          environment.systemPackages = [ swanPkg ];

          services.strongswan-swanctl = {
            enable = true;
            swanctl = {
              # Roadwarrior ("rw") connection: moon only states its own address
              # and lets any PSK-authenticated peer connect.
              connections.rw = {
                version = ikeVersion;
                proposals = ikeProposals;
                local_addrs = [ moonAddr ];
                local = {
                  main = {
                    auth = "psk";
                  };
                };
                remote = {
                  main = {
                    auth = "psk";
                  };
                };
                children.net = {
                  local_ts = [ lanSubnet ];
                  esp_proposals = espProposals;
                  # The updown hook installs the iptables rules for the
                  # tunneled traffic once the CHILD_SA is up.
                  updown = "${swanPkg}/libexec/ipsec/_updown iptables";
                };
              };
              # PSK keyed on carol's IKE identity (her IPv4 address).
              secrets.ike.carol = {
                id.main = carolAddr;
                secret = psk;
              };
            };
          };
        };

      # carol: roadwarrior on vlan_1, initiates the tunnel to moon.
      carol =
        { config, ... }:
        let
          swanPkg = config.services.strongswan-swanctl.package;
        in
        {
          virtualisation.vlans = [ 1 ];

          networking = {
            dhcpcd.enable = false;
            firewall = {
              extraCommands = acceptEsp;
            };
          };

          environment.systemPackages = [ swanPkg ];

          services.strongswan-swanctl = {
            enable = true;
            swanctl = {
              connections.home = {
                version = ikeVersion;
                proposals = ikeProposals;
                local_addrs = [ carolAddr ];
                remote_addrs = [ moonAddr ];
                local = {
                  main = {
                    auth = "psk";
                    id = carolAddr;
                  };
                };
                remote = {
                  main = {
                    auth = "psk";
                    id = moonAddr;
                  };
                };
                children.home = {
                  remote_ts = [ lanSubnet ];
                  esp_proposals = espProposals;
                  # "trap" installs a trap policy instead of negotiating at
                  # startup: the tunnel comes up on the first matching packet,
                  # which is the ping issued in testScript.
                  start_action = "trap";
                  updown = "${swanPkg}/libexec/ipsec/_updown iptables";
                };
              };
              # PSK keyed on moon's IKE identity (its IPv4 address).
              secrets.ike.moon = {
                id.main = moonAddr;
                secret = psk;
              };
            };
          };
        };

    };

    # The ping traverses the trap policy on carol, triggers IKE, and only
    # succeeds once both the tunnel and the updown firewall rules are in place.
    testScript = ''
      start_all()
      carol.wait_until_succeeds("ping -c 1 alice")
    '';
  }
)