if (initiatorProposal.isCompatibleWith(responderProposal)) { IkePhase1Proposal negotiatedProposal = new IkePhase1Proposal("~NEGOTIATED_IKE_P1_PROPOSAL~"); negotiatedProposal.setHashingAlgorithm(initiatorProposal.getHashingAlgorithm()); negotiatedProposal.setEncryptionAlgorithm(initiatorProposal.getEncryptionAlgorithm()); negotiatedProposal.setDiffieHellmanGroup(initiatorProposal.getDiffieHellmanGroup()); negotiatedProposal.setAuthenticationMethod(initiatorProposal.getAuthenticationMethod()); if (initiatorProposal.getLifetimeSeconds() != null && responderProposal.getLifetimeSeconds() != null) { negotiatedProposal.setLifetimeSeconds( Math.min( initiatorProposal.getLifetimeSeconds(), responderProposal.getLifetimeSeconds()));
/**
 * Extracts the feature this matcher compares: the proposal's name.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getName()}
 */
@Override
protected String featureValueOf(IkePhase1Proposal actual) {
  String proposalName = actual.getName();
  return proposalName;
}
}
/**
 * Converts a vendor-specific {@code IkeProposal} into the vendor-independent
 * {@link IkePhase1Proposal} model, copying the name and each negotiable parameter
 * one-to-one.
 *
 * <p>Field naming differs between the two models: what the vendor proposal calls
 * its "authentication algorithm" is stored as the phase 1 proposal's
 * <em>hashing algorithm</em>; the authentication <em>method</em> (for example
 * pre-shared keys) is a separate field copied from {@code getAuthenticationMethod()}.
 *
 * @param ikeProposal the vendor-specific proposal to convert
 * @return a newly constructed {@link IkePhase1Proposal} carrying the same values
 */
private IkePhase1Proposal toIkePhase1Proposal(IkeProposal ikeProposal) {
  IkePhase1Proposal converted = new IkePhase1Proposal(ikeProposal.getName());
  converted.setDiffieHellmanGroup(ikeProposal.getDiffieHellmanGroup());
  converted.setAuthenticationMethod(ikeProposal.getAuthenticationMethod());
  converted.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
  converted.setLifetimeSeconds(ikeProposal.getLifetimeSeconds());
  // Vendor "authentication algorithm" maps onto the VI model's hashing algorithm.
  converted.setHashingAlgorithm(ikeProposal.getAuthenticationAlgorithm());
  return converted;
}
/**
 * A session with a negotiated IKE phase 1 proposal but no negotiated phase 1 key
 * must be reported as exactly one row with status {@code IKE_PHASE1_KEY_MISMATCH}.
 */
@Test
public void testGenerateRowsIke1KeyFail() {
  // Negotiated proposal is present; the negotiated IKE phase 1 key is deliberately left unset.
  _ipsecSessionBuilder.setNegotiatedIkeP1Proposal(new IkePhase1Proposal("test_ike_proposal"));
  IpsecPeerConfigId initiator =
      new IpsecPeerConfigId(INITIATOR_IPSEC_PEER_CONFIG, INITIATOR_HOST_NAME);
  IpsecPeerConfigId responder =
      new IpsecPeerConfigId(RESPONDER_IPSEC_PEER_CONFIG, RESPONDER_HOST_NAME);
  _graph.putEdgeValue(initiator, responder, _ipsecSessionBuilder.build());

  Multiset<IpsecSessionInfo> rows =
      rawAnswer(
          _networkConfigurations,
          _graph,
          ImmutableSet.of(INITIATOR_HOST_NAME),
          ImmutableSet.of(RESPONDER_HOST_NAME));

  // Exactly one row is expected, and it must carry the key-mismatch status.
  assertThat(rows, hasSize(1));
  IpsecSessionInfo onlyRow = rows.iterator().next();
  assertThat(onlyRow, hasIpsecSessionStatus(equalTo(IKE_PHASE1_KEY_MISMATCH)));
}
/**
 * Extracts the feature this matcher compares: the proposal's Diffie-Hellman group.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getDiffieHellmanGroup()}
 */
@Override
protected DiffieHellmanGroup featureValueOf(IkePhase1Proposal actual) {
  DiffieHellmanGroup group = actual.getDiffieHellmanGroup();
  return group;
}
}
/**
 * Extracts the feature this matcher compares: the proposal's authentication method.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getAuthenticationMethod()}
 */
@Override
protected IkeAuthenticationMethod featureValueOf(IkePhase1Proposal actual) {
  IkeAuthenticationMethod method = actual.getAuthenticationMethod();
  return method;
}
}
/**
 * Extracts the feature this matcher compares: the proposal's hashing algorithm.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getHashingAlgorithm()}
 */
@Override
protected IkeHashingAlgorithm featureValueOf(IkePhase1Proposal actual) {
  IkeHashingAlgorithm hashing = actual.getHashingAlgorithm();
  return hashing;
}
}
/**
 * Extracts the feature this matcher compares: the proposal's encryption algorithm.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getEncryptionAlgorithm()}
 */
@Override
protected EncryptionAlgorithm featureValueOf(IkePhase1Proposal actual) {
  EncryptionAlgorithm encryption = actual.getEncryptionAlgorithm();
  return encryption;
}
}
/**
 * Extracts the feature this matcher compares: the proposal's lifetime in seconds.
 *
 * @param actual the {@link IkePhase1Proposal} under test
 * @return the value of {@code actual.getLifetimeSeconds()}, which may be {@code null}
 *     when no lifetime was set (the getter returns a boxed {@code Integer})
 */
@Override
protected Integer featureValueOf(IkePhase1Proposal actual) {
  Integer lifetime = actual.getLifetimeSeconds();
  return lifetime;
}
}
/**
 * Converts an ISAKMP policy into the vendor-independent {@link IkePhase1Proposal}
 * model, copying each negotiable parameter one-to-one.
 *
 * <p>The policy name is not a {@code String} and is rendered with {@code toString()};
 * a policy whose name is {@code null} would throw a {@link NullPointerException}
 * here (presumably the parser always assigns one — verify at the call site).
 *
 * @param isakmpPolicy the policy to convert
 * @return a newly constructed {@link IkePhase1Proposal} carrying the policy's values
 */
static IkePhase1Proposal toIkePhase1Proposal(IsakmpPolicy isakmpPolicy) {
  String proposalName = isakmpPolicy.getName().toString();
  IkePhase1Proposal converted = new IkePhase1Proposal(proposalName);
  converted.setDiffieHellmanGroup(isakmpPolicy.getDiffieHellmanGroup());
  converted.setAuthenticationMethod(isakmpPolicy.getAuthenticationMethod());
  converted.setEncryptionAlgorithm(isakmpPolicy.getEncryptionAlgorithm());
  converted.setLifetimeSeconds(isakmpPolicy.getLifetimeSeconds());
  converted.setHashingAlgorithm(isakmpPolicy.getHashAlgorithm());
  return converted;
}
/**
 * A session with a negotiated IKE phase 1 proposal and key but no negotiated IPsec
 * phase 2 proposal must be reported as exactly one row with status
 * {@code IPSEC_PHASE2_FAILED}.
 */
@Test
public void testGenerateRowsIpsec2Fail() {
  // Phase 1 fully negotiated; the IPsec phase 2 proposal is deliberately left unset.
  _ipsecSessionBuilder.setNegotiatedIkeP1Proposal(new IkePhase1Proposal("test_ike_proposal"));
  _ipsecSessionBuilder.setNegotiatedIkeP1Key(new IkePhase1Key());
  IpsecPeerConfigId initiator =
      new IpsecPeerConfigId(INITIATOR_IPSEC_PEER_CONFIG, INITIATOR_HOST_NAME);
  IpsecPeerConfigId responder =
      new IpsecPeerConfigId(RESPONDER_IPSEC_PEER_CONFIG, RESPONDER_HOST_NAME);
  _graph.putEdgeValue(initiator, responder, _ipsecSessionBuilder.build());

  Multiset<IpsecSessionInfo> rows =
      rawAnswer(
          _networkConfigurations,
          _graph,
          ImmutableSet.of(INITIATOR_HOST_NAME),
          ImmutableSet.of(RESPONDER_HOST_NAME));

  // Exactly one row is expected, and it must carry the phase 2 failure status.
  assertThat(rows, hasSize(1));
  IpsecSessionInfo onlyRow = rows.iterator().next();
  assertThat(onlyRow, hasIpsecSessionStatus(equalTo(IPSEC_PHASE2_FAILED)));
}
/**
 * Builds the vendor-independent IKE phase 1 proposal for a tunnel.
 *
 * <p>The authentication method is set to {@code PRE_SHARED_KEYS} only when the
 * tunnel carries a pre-shared key hash; for any other tunnel it is left at
 * whatever the {@link IkePhase1Proposal} constructor initializes it to, so a
 * later compatibility check sees an absent method rather than a wrong one. The
 * hashing algorithm, Diffie-Hellman group and encryption algorithm are derived
 * from the tunnel's IKE settings through the {@code to*} helpers defined
 * elsewhere in this file; note that the phase 1 DH group is taken from the
 * tunnel's "perfect forward secrecy" setting.
 *
 * @param proposalName name given to the generated proposal
 * @param ipsecTunnel tunnel whose IKE settings are converted
 * @return the populated proposal, never {@code null}
 */
@Nonnull
private static IkePhase1Proposal toIkePhase1Proposal(
    String proposalName, IpsecTunnel ipsecTunnel) {
  IkePhase1Proposal proposal = new IkePhase1Proposal(proposalName);
  boolean hasPresharedKey = ipsecTunnel.getIkePreSharedKeyHash() != null;
  if (hasPresharedKey) {
    // Only PSK authentication is recognized here; anything else leaves the method unset.
    proposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
  }
  proposal.setHashingAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
  proposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
  proposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
  return proposal;
}
/**
 * A session with a negotiated IKE phase 1 proposal, a consistent phase 1 key and a
 * negotiated IPsec phase 2 proposal must be reported as exactly one row with status
 * {@code IPSEC_SESSION_ESTABLISHED}.
 */
@Test
public void testGenerateRowsIpsecEstablished() {
  // Every negotiation phase is populated, so the session should be fully established.
  _ipsecSessionBuilder.setNegotiatedIkeP1Proposal(new IkePhase1Proposal("test_ike_proposal"));
  _ipsecSessionBuilder.setNegotiatedIkeP1Key(new IkePhase1Key());
  _ipsecSessionBuilder.setNegotiatedIpsecP2Proposal(new IpsecPhase2Proposal());
  IpsecPeerConfigId initiator =
      new IpsecPeerConfigId(INITIATOR_IPSEC_PEER_CONFIG, INITIATOR_HOST_NAME);
  IpsecPeerConfigId responder =
      new IpsecPeerConfigId(RESPONDER_IPSEC_PEER_CONFIG, RESPONDER_HOST_NAME);
  _graph.putEdgeValue(initiator, responder, _ipsecSessionBuilder.build());

  Multiset<IpsecSessionInfo> rows =
      rawAnswer(
          _networkConfigurations,
          _graph,
          ImmutableSet.of(INITIATOR_HOST_NAME),
          ImmutableSet.of(RESPONDER_HOST_NAME));

  // Exactly one row is expected, and it must carry the established status.
  assertThat(rows, hasSize(1));
  IpsecSessionInfo onlyRow = rows.iterator().next();
  assertThat(onlyRow, hasIpsecSessionStatus(equalTo(IPSEC_SESSION_ESTABLISHED)));
}
// Register the converted proposal under its own name.
// NOTE(review): if getIkePhase1Proposals() is a java.util.Map, put() replaces any
// entry already stored under the same name, so a duplicate proposal name in the
// vendor config silently overrides the earlier one — confirm the caller de-duplicates
// or warns before this point.
c.getIkePhase1Proposals().put(ikePhase1Proposal.getName(), ikePhase1Proposal);
// Each vendor proposal is registered under "<ikeGroupName>:<proposalKey>" so that
// proposals sharing a key across different IKE groups do not collide.
String newIkeProposalName = ikeGroupName + ":" + ikeProposalEntry.getKey();
IkeProposal ikeProposal = ikeProposalEntry.getValue();
IkePhase1Proposal ikePhase1Proposal = new IkePhase1Proposal(newIkeProposalName);
ikePhase1Proposal.setDiffieHellmanGroup(ikeProposal.getDhGroup());
ikePhase1Proposal.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
// Lifetime is a property of the enclosing IKE group, not of the individual proposal.
ikePhase1Proposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
// The vendor hash algorithm is translated to the type the phase 1 proposal expects.
// NOTE(review): getHashAlgorithm() is dereferenced directly; a proposal with no hash
// algorithm configured would throw a NullPointerException here — confirm the parser
// guarantees one.
ikePhase1Proposal.setHashingAlgorithm(
    ikeProposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
// The authentication method (e.g. pre-shared key) is a peer-level setting in this
// vendor model, so it is copied from the peer rather than from the proposal.
ikePhase1Proposal.setAuthenticationMethod(ipsecPeer.getAuthenticationMode());
// NOTE(review): presumably an immutable-map builder; if so, a duplicate
// newIkeProposalName would fail at build() rather than here — verify.
ikePhase1ProposalMapBuilder.put(newIkeProposalName, ikePhase1Proposal);
ikePhase1Policy.getIkePhase1Proposals().add(newIkeProposalName);
ImmutableSortedMap.of(ikePhase1PolicyName, new IkePhase1Policy(ikePhase1PolicyName))); config.setIkePhase1Proposals( ImmutableSortedMap.of(ikePhase1ProposalName, new IkePhase1Proposal(ikePhase1ProposalName))); config.setIpAccessLists( ImmutableSortedMap.of(ipAccessListName, new IpAccessList(ipAccessListName)));