[Swan-dev] Merging algorithm tests?

Paul Wouters paul at nohats.ca
Tue Mar 21 15:16:56 UTC 2017

On Wed, 15 Mar 2017, Andrew Cagney wrote:

> For the DH19/DH20/DH21, since the test objective was to just
> demonstrate a basic crypto suite interop, i grouped everything
> reducing the number of tests (the convention seems to be one test per
> crypto suite).  For instance, ikev2-algo-ike-dh-ecp-01's westrun.sh
> looks like:
> ../bin/libreswan-up-down.sh ikev2-ike=aes128-sha1-dh19 -I
> ../bin/libreswan-up-down.sh ikev2-ike=aes128-sha1-dh20 -I
> ../bin/libreswan-up-down.sh ikev2-ike=aes128-sha1-dh21 -I
> this seems to work remarkably well(1)(2).  I'm now wondering if this
> is a better more general approach for crypto suite interop tests like
> this.

The reason is hasnt been done is because the responder side never got
the function to change its configuration after running eastinit.sh,
so it has to have all connections loaded and finding the right host
connection then becomes mingled in the process. If we would support
a 1eastrun.sh 2westrun.sh 3eastrun.sh we could do it.

But then again, if we just fix the slowness of the tests, I would really
prefer to keep it all seperate to ensure we always test with a clean

> (1) my implementation is simple (I suspect there's a way to do this
> directly with whack; but that means learning whack :-)

just using ipsec auto with delete/add and up/down?

> (2) anyone know a way to do this with strongswan as the initiator?

strongswan AFAIK does not have add/delete, only up/down, so you would
also have to load all connections and then up/down different ones.
Their "vicci" (sp?) interface might allow it but I have no idea how
that works.


More information about the Swan-dev mailing list