# $NetBSD: t_ipsec_natt.sh,v 1.5 2020/06/05 03:24:58 knakahara Exp $
#
# Copyright (c) 2018 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
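#

#
# Topology exercised by this test (see setup_servers):
#
#   LOCAL_A ---+
#              +-- BUS_LOCAL -- shmif0 [NAT] shmif1 -- BUS_NAT -- REMOTE
#   LOCAL_B ---+
#
# LOCAL_A and LOCAL_B sit behind an npf NAPT and each build an ESP-UDP
# (NAT-T, UDP port 4500) ipsecif(4) tunnel to REMOTE.  REMOTE only ever
# sees the NAPT's external address and a translated source port, so its
# SAs and tunnel endpoints must be keyed on that translated port.
#
SOCK_LOCAL_A=unix://ipsec_natt_local_a
SOCK_LOCAL_B=unix://ipsec_natt_local_b
SOCK_NAT=unix://ipsec_natt_nat
SOCK_REMOTE=unix://ipsec_natt_remote
BUS_LOCAL=./bus_ipsec_natt_local
BUS_NAT=./bus_ipsec_natt_nat

# Set DEBUG=true in the environment to dump packets, SAD/SPD and npf state.
DEBUG=${DEBUG:-false}

#
# Start the four rump servers and wire their shmif(4) interfaces to the
# two buses.  The NAT server is the only one with npf; the other three
# carry the IPsec stack.
#
setup_servers()
{

	rump_server_crypto_start $SOCK_LOCAL_A netipsec ipsec
	rump_server_crypto_start $SOCK_LOCAL_B netipsec ipsec
	rump_server_npf_start $SOCK_NAT
	rump_server_crypto_start $SOCK_REMOTE netipsec ipsec
	rump_server_add_iface $SOCK_LOCAL_A shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_LOCAL_B shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT
}

#
# Create and configure an ipsecif(4) with NAT-T enabled.
#
#   $1 sock        rump server to configure (exported as RUMP_SERVER and
#                  left exported on return)
#   $2 ifid        ipsecif unit number
#   $3/$4          local tunnel address and UDP port
#   $5/$6          peer tunnel address and UDP port
#   $7 ipsecif_ip  address assigned to the ipsecif (/32)
#   $8 peer_ip     address of the peer's ipsecif; a host route to it is
#                  installed via $ipsecif_ip
#
setup_ipsecif()
{
	local sock=$1
	local ifid=$2
	local src_ip=$3
	local src_port=$4
	local dst_ip=$5
	local dst_port=$6
	local ipsecif_ip=$7
	local peer_ip=$8

	export RUMP_SERVER=$sock
	rump_server_add_iface $sock ipsec$ifid
	# link0 enables NAT-T (UDP encapsulation); the tunnel then takes
	# "addr,port" endpoints instead of bare addresses.
	atf_check -s exit:0 rump.ifconfig ipsec$ifid link0 # enable NAT-T
	atf_check -s exit:0 rump.ifconfig ipsec$ifid tunnel ${src_ip},${src_port} ${dst_ip},${dst_port}
	atf_check -s exit:0 rump.ifconfig ipsec$ifid ${ipsecif_ip}/32
	atf_check -s exit:0 -o ignore \
	    rump.route -n add ${peer_ip}/32 $ipsecif_ip
}

#
# Install a pair of transport-mode SAs (outbound and inbound) via setkey.
#
#   $1 sock       rump server (exported as RUMP_SERVER, left exported)
#   $2 proto      SA protocol, e.g. "esp-udp"
#   $3 algo_args  algorithm/key arguments from generate_algo_args
#   $4/$5         source address and UDP port
#   $6/$7         destination address and UDP port
#   $8 out_spi    SPI of the src->dst SA
#   $9 in_spi     SPI of the dst->src SA
#
# The ports given here are the NAT-T encapsulation ports; on the remote
# side the caller passes the NAPT-translated port, not 4500.
#
add_sa()
{
	local sock=$1
	local proto=$2
	local algo_args="$3"
	local src_ip=$4
	local src_port=$5
	local dst_ip=$6
	local dst_port=$7
	local out_spi=$8
	local in_spi=$9
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > $tmpfile <<-EOF
	add $src_ip [$src_port] $dst_ip [$dst_port] $proto $out_spi -m transport $algo_args;
	add $dst_ip [$dst_port] $src_ip [$src_port] $proto $in_spi -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_remote
}

#
# Create $1 containing 512 lines of "0123456789", used as the payload for
# the TCP checks so that more than one segment crosses the tunnel.
#
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i=

	touch $file
	for i in $(seq 1 512)
	do
		echo $data >> $file
	done
}

#
# Write an npf.conf to $1 that NAPTs $2 (e.g. "192.168.0.0/24") from
# shmif0 (internal) out of shmif1 (external).  The NAPT is dynamic, so
# the translated source port is only known after a packet creates the
# mapping; get_natt_port reads it back later.
#
build_npf_conf()
{
	local outfile=$1
	local localnet=$2

	cat > $outfile <<-EOF
	set bpf.jit off
	\$int_if = inet4(shmif0)
	\$ext_if = inet4(shmif1)
	\$localnet = { $localnet }
	map \$ext_if dynamic \$localnet -> \$ext_if
	group "external" on \$ext_if {
		pass stateful out final all
	}
	group "internal" on \$int_if {
		block in all
		pass in final from \$localnet
		pass out final all
	}
	group default {
		pass final on lo0 all
		block all
	}
	EOF
}

# PIDs of the natt_terminator processes started below, one per line, so
# that the cleanup routine can kill them even if the body failed early.
PIDSFILE=./terminator.pids

#
# Start a natt_terminator bound to $2:$3 on rump server $1 in the
# background and record its PID in $PIDSFILE.  The terminator holds UDP
# port 4500 open on that host so the kernel's NAT-T path has a socket to
# deliver to.  RUMP_SERVER is restored to its previous value on return.
#
start_natt_terminator()
{
	local sock=$1
	local ip=$2
	local port=$3
	local backup=$RUMP_SERVER
	local pid=
	local terminator="$(atf_get_srcdir)/../ipsec/natt_terminator"

	export RUMP_SERVER=$sock

	# librumphijack redirects the terminator's socket calls into the
	# rump kernel selected by RUMP_SERVER.
	env LD_PRELOAD=/usr/lib/librumphijack.so \
	    $terminator $ip $port &
	pid=$!
	if [ ! -f $PIDSFILE ]; then
		touch $PIDSFILE
	fi
	echo $pid >> $PIDSFILE

	$DEBUG && rump.netstat -a -f inet

	export RUMP_SERVER=$backup

	# Give the terminator a moment to bind before the caller sends.
	sleep 1
}

#
# Kill every terminator recorded in $PIDSFILE and remove the file.
# Safe to call when no terminator was started.
#
stop_natt_terminators()
{
	local pid=

	if [ ! -f $PIDSFILE ]; then
		return
	fi

	for pid in $(cat $PIDSFILE); do
		kill -9 $pid
	done
	rm -f $PIDSFILE
}

#
# Ping $4 from rump server $1 and verify on bus $2 that the echo request
# appears with source $3 and the reply is addressed back to $3.  With the
# NAPT active the caller passes the NAPT's external address as $3.
#
check_ping_packets()
{
	local sock=$1
	local bus=$2
	local from_ip=$3
	local to_ip=$4

	local outfile=./out.ping

	# Drain packets already on the bus so only this ping is inspected.
	extract_new_packets $bus > $outfile

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $to_ip

	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"$from_ip > $to_ip: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$to_ip > $from_ip: ICMP echo reply" \
	    cat $outfile
}

#
# Ping $3 (the peer's ipsecif address) from rump server $1 and verify on
# bus $2 that what crosses the wire is UDP-encapsulated ESP between
# $4:$5 and $6:$7 in both directions, i.e. the plaintext ICMP never
# appears outside the tunnel.
#
check_ping_packets_over_ipsecif()
{
	local sock=$1
	local bus=$2
	local to_ip=$3
	local nat_from_ip=$4
	local nat_from_port=$5
	local nat_to_ip=$6
	local nat_to_port=$7

	local outfile=./out.ping_over_ipsecif

	# Drain packets already on the bus so only this ping is inspected.
	extract_new_packets $bus > $outfile

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 7 $to_ip

	# Check both ports and UDP encapsulation
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \
	    cat $outfile
}

#
# Plain (non-IPsec) TCP transfer through the NAPT: an nc server on $1
# listens on port 4501, a client on $2 sends a file to $4, and the bus $3
# must show the TCP flow between $5 (NAPT external address, any port)
# and $6:4501.  Verifies the NAPT itself before NAT-T is layered on it.
#
check_tcp_com_prepare()
{
	local server_sock=$1
	local client_sock=$2
	local bus=$3
	local to_ip=$4
	local nat_from_ip=$5
	local nat_to_ip=$6

	local outfile=./out.prepare
	local file_send=./file.send.prepare
	local file_recv=./file.recv.prepare

	# Drain packets already on the bus so only this transfer is inspected.
	extract_new_packets $bus > $outfile

	start_nc_server $server_sock 4501 $file_recv ipv4

	prepare_file $file_send
	export RUMP_SERVER=$client_sock
	atf_check -s exit:0 $HIJACKING nc -w 3 $to_ip 4501 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.[0-9]+ > ${nat_to_ip}\.4501" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.4501 > ${nat_from_ip}\.[0-9]+" \
	    cat $outfile

	stop_nc_server
}

#
# TCP transfer over the ipsecif(4) tunnel: same as check_tcp_com_prepare
# but $4 is the peer's ipsecif address, and the bus $3 must show only
# UDP-encapsulated ESP between $5:$6 and $7:$8 in both directions.
#
check_tcp_com_over_ipsecif()
{
	local server_sock=$1
	local client_sock=$2
	local bus=$3
	local to_ip=$4
	local nat_from_ip=$5
	local nat_from_port=$6
	local nat_to_ip=$7
	local nat_to_port=$8

	local outfile=./out.ipsecif
	local file_send=./file.send.ipsecif
	local file_recv=./file.recv.ipsecif

	# Drain packets already on the bus so only this transfer is inspected.
	extract_new_packets $bus > $outfile

	start_nc_server $server_sock 4501 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$client_sock
	atf_check -s exit:0 -o ignore $HIJACKING nc -w 7 $to_ip 4501 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Check both ports and UDP encapsulation
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \
	    cat $outfile
}

#
# Body of the test case for ESP algorithm $1.
#
# Sequence:
#   1. bring up addresses/routes; ping and TCP must work without NAT;
#   2. load the npf NAPT; ping and TCP must still work, now translated;
#   3. for LOCAL_A, then LOCAL_B: prime a NAPT mapping for UDP 4500,
#      start a NAT-T terminator behind the NAPT, read the translated port
#      back from npf, build the ipsecif(4) tunnel and SAs on both ends
#      using that port, and verify ping/TCP cross the wire only as
#      UDP-encapsulated ESP;
#   4. re-check LOCAL_A after LOCAL_B is up, so a second NAT-T peer on the
#      same remote port 4500 does not break the first one.
#
test_ipsecif_natt_transport()
{
	local algo=$1
	local ip_local_a=192.168.0.2
	local ip_local_b=192.168.0.3
	local ip_nat_local=192.168.0.1
	local ip_nat_remote=10.0.0.1
	local ip_remote=10.0.0.2
	local subnet_local=192.168.0.0
	local ip_local_ipsecif_a=172.16.100.1
	local ip_local_ipsecif_b=172.16.110.1
	local ip_remote_ipsecif_a=172.16.10.1
	local ip_remote_ipsecif_b=172.16.11.1

	local npffile=./npf.conf
	local file_send=./file.send
	local algo_args="$(generate_algo_args esp-udp $algo)"
	local port_a= port_b=

	setup_servers

	export RUMP_SERVER=$SOCK_LOCAL_A
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_a/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add default $ip_nat_local

	export RUMP_SERVER=$SOCK_LOCAL_B
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_b/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add default $ip_nat_local

	export RUMP_SERVER=$SOCK_NAT
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_nat_remote

	# There is no NAT/NAPT. ping should just work.
	check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_local_a $ip_remote
	check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_local_b $ip_remote

	# Setup an NAPT with npf
	build_npf_conf $npffile "$subnet_local/24"

	export RUMP_SERVER=$SOCK_NAT
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show

	# There is an NAPT. ping works but source IP/port are translated
	check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_nat_remote $ip_remote
	check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_nat_remote $ip_remote

	# Try TCP communications just in case
	check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote $ip_nat_remote $ip_remote
	check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote $ip_nat_remote $ip_remote

	# Launch a nc server as a terminator of NAT-T on outside the NAPT
	start_natt_terminator $SOCK_REMOTE $ip_remote 4500
	echo zzz > $file_send

	#################### Test for primary ipsecif(4) NAT-T.

	export RUMP_SERVER=$SOCK_LOCAL_A
	# Send a UDP packet to the remote server at port 4500 from the local
	# host of port 4500. This makes a mapping on the NAPT between them
	atf_check -s exit:0 $HIJACKING \
	    nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
	# Launch a nc server as a terminator of NAT-T on inside the NAPT,
	# taking over port 4500 of the local host.
	start_natt_terminator $SOCK_LOCAL_A $ip_local_a 4500

	# We need to keep the servers for NAT-T

	export RUMP_SERVER=$SOCK_LOCAL_A
	$DEBUG && rump.netstat -na -f inet
	export RUMP_SERVER=$SOCK_REMOTE
	$DEBUG && rump.netstat -na -f inet

	# Get a translated port number from 4500 on the NAPT
	export RUMP_SERVER=$SOCK_NAT
	$DEBUG && $HIJACKING_NPF npfctl list
	# example npfctl list entry:
	# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
	port_a=$(get_natt_port $ip_local_a $ip_nat_remote)
	$DEBUG && echo port_a=$port_a
	if [ -z "$port_a" ]; then
		atf_fail "Failed to get a translated port on NAPT"
	fi

	# Setup ESP-UDP ipsecif(4) for first client under NAPT.  The remote
	# end must use the NAPT's external address and translated port.
	setup_ipsecif $SOCK_LOCAL_A 0 $ip_local_a 4500 $ip_remote 4500 \
	    $ip_local_ipsecif_a $ip_remote_ipsecif_a
	setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port_a \
	    $ip_remote_ipsecif_a $ip_local_ipsecif_a

	add_sa $SOCK_LOCAL_A "esp-udp" "$algo_args" \
	    $ip_local_a 4500 $ip_remote 4500 10000 10001
	add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
	    $ip_remote 4500 $ip_nat_remote $port_a 10001 10000

	export RUMP_SERVER=$SOCK_LOCAL_A
	# ping should still work
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# Try ping over the ESP-UDP ipsecif(4)
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Try TCP communications over the ESP-UDP ipsecif(4)
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	#################### Test for secondary ipsecif(4) NAT-T.

	# Dump the remote SAD/SPD before the second peer is added (debug only;
	# the dumps are informational and were never checked).
	export RUMP_SERVER=$SOCK_REMOTE
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP

	export RUMP_SERVER=$SOCK_LOCAL_B
	# Send a UDP packet to the remote server at port 4500 from the local
	# host of port 4500. This makes a mapping on the NAPT between them
	atf_check -s exit:0 $HIJACKING \
	    nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
	# Launch a nc server as a terminator of NAT-T on inside the NAPT,
	# taking over port 4500 of the local host.
	start_natt_terminator $SOCK_LOCAL_B $ip_local_b 4500

	# We need to keep the servers for NAT-T

	export RUMP_SERVER=$SOCK_LOCAL_B
	$DEBUG && rump.netstat -na -f inet
	export RUMP_SERVER=$SOCK_REMOTE
	$DEBUG && rump.netstat -na -f inet

	# Get a translated port number from 4500 on the NAPT
	export RUMP_SERVER=$SOCK_NAT
	$DEBUG && $HIJACKING_NPF npfctl list
	# example npfctl list entry:
	# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
	port_b=$(get_natt_port $ip_local_b $ip_nat_remote)
	$DEBUG && echo port_b=$port_b
	if [ -z "$port_b" ]; then
		atf_fail "Failed to get a translated port on NAPT"
	fi

	# Setup ESP-UDP ipsecif(4) for second client under NAPT.  On the
	# remote this is ipsec1, keyed on the second translated port.
	setup_ipsecif $SOCK_LOCAL_B 0 $ip_local_b 4500 $ip_remote 4500 \
	    $ip_local_ipsecif_b $ip_remote_ipsecif_b
	setup_ipsecif $SOCK_REMOTE 1 $ip_remote 4500 $ip_nat_remote $port_b \
	    $ip_remote_ipsecif_b $ip_local_ipsecif_b

	# The first tunnel must keep working once a second ipsecif shares
	# remote port 4500.
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	add_sa $SOCK_LOCAL_B "esp-udp" "$algo_args" \
	    $ip_local_b 4500 $ip_remote 4500 11000 11001
	add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
	    $ip_remote 4500 $ip_nat_remote $port_b 11001 11000

	export RUMP_SERVER=$SOCK_LOCAL_B
	# ping should still work
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# Try ping over the ESP-UDP ipsecif(4)
	check_ping_packets_over_ipsecif $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500

	# Try TCP communications over the ESP-UDP ipsecif(4)
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500

	# Try ping over the ESP-UDP ipsecif(4) for primary again
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Try TCP communications over the ESP-UDP ipsecif(4) for primary again
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Kill the NAT-T terminator
	stop_natt_terminators
}

#
# Register one ATF test case for ESP algorithm $1.  The algorithm name is
# interpolated into an eval'd function definition, so it must be a plain
# token; the dash-stripped form is used for the case name.  Only values
# from ESP_ENCRYPTION_ALGORITHMS_MINIMUM reach this function.
#
add_test_ipsecif_natt_transport()
{
	local algo=$1
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Test ipsecif(4) NAT-T ($algo)"
	name="ipsecif_natt_transport_${_algo}"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey nc
	    }
	    ${name}_body() {
	        test_ipsecif_natt_transport $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        stop_nc_server
	        stop_natt_terminators
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

#
# ATF entry point: one test case per algorithm in the minimum ESP set.
#
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_ipsecif_natt_transport $algo
	done
}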