1 # This strongswan-swanctl test is based on:
2 # https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html
3 # https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4
5 # The roadwarrior carol sets up a connection to gateway moon. The authentication
6 # is based on pre-shared keys and IPv4 addresses. Upon the successful
7 # establishment of the IPsec tunnels, the specified updown script automatically
8 # inserts iptables-based firewall rules that let pass the tunneled traffic. In
9 # order to test both tunnel and firewall, carol pings the client alice behind
10 # the gateway moon.
12 #     alice                       moon                        carol
13 #      eth1------vlan_0------eth1        eth2------vlan_1------eth1
14 #   192.168.0.1         192.168.0.3  192.168.1.3           192.168.1.2
16 # See the NixOS manual for how to run this test:
17 # https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively
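import ./make-test-python.nix ({ pkgs, ...} :

let
  # Both peers must accept ESP (IP protocol 50) explicitly: the NixOS firewall
  # only opens the IKE UDP ports below, and the tunneled packets themselves
  # would otherwise be dropped on INPUT.
  allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT";

  # Shared VPN settings:
  vlan0         = "192.168.0.0/24";
  carolIp       = "192.168.1.2";
  moonIp        = "192.168.1.3";
  # IKE version used by both connections (2 = IKEv2).
  version       = 2;
  # Test-only pre-shared key taken over from the upstream strongSwan test case.
  # It is a static fixture for this VM test and is not meant to be reused.
  secret        = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx";
  esp_proposals = [ "aes128gcm128-x25519" ];
  proposals     = [ "aes128-sha256-x25519" ];
in {
  name = "strongswan-swanctl";
  meta.maintainers = with pkgs.lib.maintainers; [ basvandijk ];
  nodes = {

    # Client behind the gateway; it only needs a route back through moon.
    alice = { ... } : {
      virtualisation.vlans = [ 0 ];
      networking = {
        dhcpcd.enable = false;
        defaultGateway = "192.168.0.3";
      };
    };

    # Gateway: responder for the roadwarrior connection and NAT for vlan_0.
    moon = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 0 1 ];
        networking = {
          dhcpcd.enable = false;
          firewall = {
            # IKE (500) and IKE with NAT traversal (4500); ESP is allowed
            # separately via extraCommands.
            allowedUDPPorts = [ 4500 500 ];
            extraCommands = allowESP;
          };
          nat = {
            enable             = true;
            internalIPs        = [ vlan0 ];
            internalInterfaces = [ "eth1" ];
            externalIP         = moonIp;
            externalInterface  = "eth2";
          };
        };
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              rw = {
                local_addrs = [ moonIp ];
                local.main = {
                  auth = "psk";
                };
                remote.main = {
                  auth = "psk";
                };
                children = {
                  net = {
                    local_ts = [ vlan0 ];
                    # The updown script inserts the iptables rules that admit
                    # the decrypted traffic once the CHILD_SA is up.
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                  };
                };
                inherit version;
                inherit proposals;
              };
            };
            secrets = {
              # The PSK is bound to carol's IKE identity (her IPv4 address).
              ike.carol = {
                id.main = carolIp;
                inherit secret;
              };
            };
          };
        };
      };

    # Roadwarrior: initiates the tunnel to moon on demand.
    carol = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 1 ];
        networking = {
          dhcpcd.enable = false;
          # carol is the initiator, so no IKE ports are opened here; only the
          # inbound ESP packets need an explicit accept rule.
          firewall.extraCommands = allowESP;
        };
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              home = {
                local_addrs = [ carolIp ];
                remote_addrs = [ moonIp ];
                local.main = {
                  auth = "psk";
                  id = carolIp;
                };
                remote.main = {
                  auth = "psk";
                  id = moonIp;
                };
                children = {
                  home = {
                    remote_ts = [ vlan0 ];
                    # "trap" installs a policy that negotiates the SA the first
                    # time traffic towards vlan_0 appears (the ping below).
                    start_action = "trap";
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                  };
                };
                inherit version;
                inherit proposals;
              };
            };
            secrets = {
              ike.moon = {
                id.main = moonIp;
                inherit secret;
              };
            };
          };
        };
      };

  };
  testScript = ''
    start_all()
    # The ping triggers carol's trap policy and, once the tunnel is up, has to
    # pass the firewall rules inserted by the updown script on moon.
    carol.wait_until_succeeds("ping -c 1 alice")
    # Reachability alone does not prove the traffic was protected; also check
    # that an IKE_SA to moon was actually negotiated.
    carol.succeed("swanctl --list-sas | grep -q ESTABLISHED")
  '';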