ipsec conftest
Synopsis
ipsec conftest --help              show usage information
ipsec conftest --version           show conftest version
ipsec conftest --suite <file>      global testsuite configuration (default: ./suite.conf)
ipsec conftest --test <file>       test specific configuration
Description
The ipsec conftest command allows you to run preconfigured tests on IKE, based on the mainstream strongSwan stack. It can inject or mangle packets to test the behavior of other implementations under certain conditions.
To enable the command, add --enable-conftest to the ./configure options.
Configuration
A test suite consists of a suite configuration file (--suite parameter) and individual test configurations (selected by the --test parameter), which use the same structure as strongswan.conf. To configure plugins, a conftest section in strongswan.conf can be used.
The README file in the conftest source has details on the possible configuration sections and options.
Specifying Host IDs
When a certificate DN is used as left|rightid in ipsec.conf, the DN is enclosed in quotation marks, as in the following example:
conn sample-with-ca-cert
    rightid="C=CH, O=Linux strongSwan CN=peer name"
However, the equivalent options l|rid in a conftest suite or test configuration must be written without quotation marks; otherwise there will be authentication errors.
configs {
    ike-sample-a {
        rid = C=CH, O=Linux strongSwan CN=peer name
    }
}
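A pre-flight check for the quoting pitfall described above, as an added example that is not part of strongSwan or conftest: it walks a suite or test configuration and reports every lid/rid value that is still wrapped in quotation marks, together with its section path. The function name find_quoted_ids, the second connection name and the sample DNs are constructed for illustration, and the scanner handles only plain sections and key = value settings.

```python
import re

# Constructed sample in strongswan.conf syntax; names and DNs mirror the page.
SAMPLE = """
configs {
    ike-sample-a {
        lid = C=CH, O=Linux strongSwan CN=local name
        rid = "C=CH, O=Linux strongSwan CN=peer name"
    }
    ike-sample-b {
        rid = C=CH, O=Linux strongSwan CN=peer name  # unquoted: fine
    }
}
"""

ID_KEYS = {"lid", "rid"}
SECTION = re.compile(r"\s*([^\s{}=]+)\s*\{")
CLOSE = re.compile(r"\s*\}")
SETTING = re.compile(r"\s*([^\s{}=]+)\s*=\s*([^}]*)")

def find_quoted_ids(text):
    """Return (line, section path, key, value) for each quoted lid/rid."""
    findings, path = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: '#' always starts a comment (no '#' inside values).
        rest = raw.split("#", 1)[0]
        while rest.strip():
            if m := SECTION.match(rest):
                path.append(m.group(1))
            elif m := CLOSE.match(rest):
                if path:
                    path.pop()
            elif m := SETTING.match(rest):
                key, value = m.group(1), m.group(2).strip()
                if key in ID_KEYS and value[:1] in ('"', "'"):
                    findings.append((lineno, ".".join(path), key, value))
            else:
                break  # unrecognised text; skip the rest of the line
            rest = rest[m.end():]
    return findings

if __name__ == "__main__":
    for lineno, section, key, value in find_quoted_ids(SAMPLE):
        print(f"line {lineno}: {section}.{key} is quoted: {value}")
```

Running the check on suite.conf and each test configuration before a conftest run surfaces the quoting mistake before it shows up as an authentication error.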