# $NetBSD: t_ipsec_l2tp.sh,v 1.1 2017/04/27 06:53:44 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# rump_server control sockets for the four nodes of the test topology:
# an end host, its IPsec/L2TP gateway, the peer gateway and the peer host.
# NOTE: "tunel" in SOCK_TUN_LOCAL is misspelt, but the value is only an
# opaque socket name and is kept as is.
SOCK_LOCAL=unix://ipsec_l2tp_local
SOCK_TUN_LOCAL=unix://ipsec_l2tp_tunel_local
SOCK_TUN_REMOTE=unix://ipsec_l2tp_tunnel_remote
SOCK_REMOTE=unix://ipsec_l2tp_remote

# shmif buses: host<->gateway on each side, and the link between gateways
# on which the L2TP (and later ESP/AH) packets are captured.
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# Extra diagnostics (setkey -D dumps, config echo) when DEBUG=true is
# exported by the caller; defaults to false.
: "${DEBUG:=false}"
37
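#
# Build the regex that a captured tunnel packet must match once IPsec
# protects the L2TP tunnel.
#
# Arguments:
#   $1 - outer source address
#   $2 - outer destination address
#   $3 - IPsec protocol: "esp"; anything else is treated as "ah"
#   $4 - "ipv4"; anything else is treated as IPv6 (only matters for AH)
# Outputs:
#   one line on stdout, e.g.
#   "20.0.0.1 > 20.0.0.2: AH.+ip-proto-115 102 \(ipip-proto-4\)"
#
make_l2tp_pktstr()
{
	# Quoted so an empty argument yields a clear mismatch instead of a
	# "[: =: unexpected operator" error from the test below.
	local src="$1"
	local dst="$2"
	local proto="$3"
	local ipproto="$4"
	local proto_cap= proto_str=

	if [ "$proto" = esp ]; then
		# ESP hides the payload, so nothing after the ESP header
		# can be asserted on.
		proto_cap=ESP
	else
		proto_cap=AH
		# AH leaves the payload visible: the L2TP header
		# (IP protocol 115) follows, and for IPv4 the capture also
		# shows the encapsulated ipip payload.
		if [ "$ipproto" = ipv4 ]; then
			proto_str="ip-proto-115 102 \(ipip-proto-4\)"
		else
			proto_str="ip-proto-115"
		fi
	fi

	# printf rather than echo: the pattern contains backslashes, which
	# some echo implementations would interpret.
	printf '%s\n' "$src > $dst: $proto_cap.+$proto_str"
}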
59
#
# Exercise IPsec tunnel mode (ESP or AH) protecting an L2TP tunnel
# between two gateways over IPv4.
#
# Topology, four rump servers on three shmif buses:
#
#   SOCK_LOCAL  shmif0 (10.0.0.1)
#      |  BUS_LOCAL
#   SOCK_TUN_LOCAL  shmif0 == bridge0 == l2tp0, tunnel via shmif1 (20.0.0.1)
#      |  BUS_TUNNEL
#   SOCK_TUN_REMOTE shmif0 == bridge0 == l2tp0, tunnel via shmif1 (20.0.0.2)
#      |  BUS_REMOTE
#   SOCK_REMOTE shmif0 (10.0.0.2)
#
# Each gateway bridges its LAN-side shmif0 with l2tp0, so LOCAL and
# REMOTE share one 10.0.0.0/24 segment carried over the L2TP tunnel.
#
# Arguments:
#   $1 - IPsec protocol: "esp" or "ah"
#   $2 - algorithm name, handed to setkey as -E (esp) or -A (ah)
# Globals (read): SOCK_*, BUS_*, HIJACKING, DEBUG
#
# Flow: ping across the bare L2TP tunnel and check that BUS_TUNNEL carries
# cleartext L2TP (ip-proto-115) both ways; then install SAs and policies
# on both gateways and check that a second ping shows up as ESP/AH.
#
test_ipsec4_l2tp()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_gw_local_tun=20.0.0.1
	local ip_gw_remote_tun=20.0.0.2
	local ip_remote=10.0.0.2
	# Both policy selectors name the tunnel network: the traffic to
	# protect is the L2TP encapsulation exchanged between the gateways.
	local subnet_local=20.0.0.0
	local subnet_remote=20.0.0.0
	# NOTE: "local v=$(cmd)" hides the helper's exit status; an empty
	# key would only surface later as a setkey -c failure.
	local keylen=$(get_one_valid_keylen $algo)
	local key=$(generate_key $keylen)
	# Scratch files in the test's working directory.
	local tmpfile=./tmp
	local outfile=./out
	local opt= str=

	# setkey option carrying the algorithm: -E (encryption) for ESP,
	# -A (authentication) for AH.
	if [ $proto = esp ]; then
		opt=-E
	else
		opt=-A
	fi

	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
	# Only the two gateways need the netipsec, l2tp and bridge components.
	rump_server_crypto_start $SOCK_LOCAL
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	# Local gateway: l2tp0 tunnels 20.0.0.1 -> 20.0.0.2 with session ids
	# 1234 (local) / 4321 (remote), then is bridged with the LAN side.
	# $HIJACKING presumably runs the host brconfig against the rump kernel.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tun/24
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gw_local_tun $ip_gw_remote_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: mirror image, session ids swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tun/24
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gw_remote_tun $ip_gw_local_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	# Run ifconfig -w 10 just once for optimization
	atf_check -s exit:0 rump.ifconfig -w 10

	# Presumably drains the setup traffic already on the bus, so the next
	# extraction only holds the ping's packets.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Before IPsec: the ping must cross BUS_TUNNEL as cleartext L2TP
	# (IP protocol 115) in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gw_local_tun > $ip_gw_remote_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gw_remote_tun > $ip_gw_local_tun: +ip-proto-115" \
	    cat $outfile

	# Local gateway: one SA per direction (SPI 10000 local->remote,
	# 10001 remote->local, the same key for both), plus out/in tunnel-mode
	# policies.  "require" makes IPsec mandatory for matching traffic.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > $tmpfile <<-EOF
	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
	spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
	spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	# Both SAs must show up in the SAD dump.
	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# Remote gateway: same SAs, policy directions swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	cat > $tmpfile <<-EOF
	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
	spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
	spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# After IPsec: the same ping must now appear on BUS_TUNNEL as ESP/AH
	# in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	# NOTE(review): "match:" only asserts that protected packets are
	# present; it does not assert that no cleartext L2TP packet is left
	# on the bus (a "not-match:" check would need a pattern that still
	# admits the ip-proto-115 AH leaves visible after its own header).
	str=$(make_l2tp_pktstr $ip_gw_local_tun $ip_gw_remote_tun $proto ipv4)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gw_remote_tun $ip_gw_local_tun $proto ipv4)
	atf_check -s exit:0 -o match:"$str" cat $outfile
}
187
#
# IPv6 counterpart of test_ipsec4_l2tp: IPsec tunnel mode (ESP or AH)
# protecting an L2TP tunnel between two gateways over IPv6.
#
# Topology, four rump servers on three shmif buses:
#
#   SOCK_LOCAL  shmif0 (fd00::1)
#      |  BUS_LOCAL
#   SOCK_TUN_LOCAL  shmif0 == bridge0 == l2tp0, tunnel via shmif1 (fc00::1)
#      |  BUS_TUNNEL
#   SOCK_TUN_REMOTE shmif0 == bridge0 == l2tp0, tunnel via shmif1 (fc00::2)
#      |  BUS_REMOTE
#   SOCK_REMOTE shmif0 (fd00::2)
#
# Arguments:
#   $1 - IPsec protocol: "esp" or "ah"
#   $2 - algorithm name, handed to setkey as -E (esp) or -A (ah)
# Globals (read): SOCK_*, BUS_*, HIJACKING, DEBUG
#
# Flow: ping6 across the bare L2TP tunnel and check that BUS_TUNNEL carries
# cleartext L2TP (ip-proto-115) both ways; then install SAs and policies
# on both gateways and check that a second ping6 shows up as ESP/AH.
#
test_ipsec6_l2tp()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_gw_local_tun=fc00::1
	local ip_gw_remote_tun=fc00::2
	local ip_remote=fd00::2
	# Both policy selectors name the tunnel network: the traffic to
	# protect is the L2TP encapsulation exchanged between the gateways.
	local subnet_local=fc00::
	local subnet_remote=fc00::
	# NOTE: "local v=$(cmd)" hides the helper's exit status; an empty
	# key would only surface later as a setkey -c failure.
	local keylen=$(get_one_valid_keylen $algo)
	local key=$(generate_key $keylen)
	# Scratch files in the test's working directory.
	local tmpfile=./tmp
	local outfile=./out
	local opt= str=

	# setkey option carrying the algorithm: -E (encryption) for ESP,
	# -A (authentication) for AH.
	if [ $proto = esp ]; then
		opt=-E
	else
		opt=-A
	fi

	# Every node needs netinet6; only the gateways need netipsec, l2tp
	# and bridge.
	rump_server_crypto_start $SOCK_LOCAL netinet6
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE netinet6
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64

	# Local gateway: l2tp0 tunnels fc00::1 -> fc00::2 with session ids
	# 1234 (local) / 4321 (remote), then is bridged with the LAN side.
	# $HIJACKING presumably runs the host brconfig against the rump kernel.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tun/64
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gw_local_tun $ip_gw_remote_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: mirror image, session ids swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tun/64
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gw_remote_tun $ip_gw_local_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	export RUMP_SERVER=$SOCK_REMOTE
	# NOTE(review): no prefix length here, unlike the /64 given to
	# SOCK_LOCAL's shmif0 above; the ifconfig default is relied on.
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
	# Run ifconfig -w 10 just once for optimization
	atf_check -s exit:0 rump.ifconfig -w 10

	# Presumably drains the setup traffic already on the bus, so the next
	# extraction only holds the ping's packets.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Before IPsec: the ping must cross BUS_TUNNEL as cleartext L2TP
	# (IP protocol 115) in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gw_local_tun > $ip_gw_remote_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gw_remote_tun > $ip_gw_local_tun: +ip-proto-115" \
	    cat $outfile

	# Local gateway: one SA per direction (SPI 10000 local->remote,
	# 10001 remote->local, the same key for both), plus out/in tunnel-mode
	# policies.  "require" makes IPsec mandatory for matching traffic.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > $tmpfile <<-EOF
	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
	spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
	spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	# Both SAs must show up in the SAD dump.
	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# Remote gateway: same SAs, policy directions swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	cat > $tmpfile <<-EOF
	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
	spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
	spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# After IPsec: the same ping must now appear on BUS_TUNNEL as ESP/AH
	# in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	# NOTE(review): "match:" only asserts that protected packets are
	# present; it does not assert that no cleartext L2TP packet is left
	# on the bus (a "not-match:" check would need a pattern that still
	# admits the ip-proto-115 AH leaves visible after its own header).
	str=$(make_l2tp_pktstr $ip_gw_local_tun $ip_gw_remote_tun $proto ipv6)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gw_remote_tun $ip_gw_local_tun $proto ipv6)
	atf_check -s exit:0 -o match:"$str" cat $outfile
}
314
#
# Dispatch to the IPv4 or IPv6 variant of the L2TP-over-IPsec test.
#
# Arguments:
#   $1 - "ipv4" selects test_ipsec4_l2tp; any other value selects
#        test_ipsec6_l2tp
#   $2 - IPsec protocol ("esp" or "ah"), passed through
#   $3 - algorithm name, passed through
#
test_ipsec_l2tp_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_l2tp "$proto" "$algo"
		;;
	*)
		# Anything that is not "ipv4" is treated as IPv6.
		test_ipsec6_l2tp "$proto" "$algo"
		;;
	esac
}
327
#
# Define and register one ATF test case named
# ipsec_l2tp_<ipproto>_<proto>_<algo-without-dashes>.
#
# Arguments:
#   $1 - "ipv4" or "ipv6"
#   $2 - IPsec protocol ("esp" or "ah")
#   $3 - algorithm name (dashes are stripped for the case name only)
# Globals (read): DEBUG
#
# The head/body/cleanup functions are created with eval because their
# names are computed.  Note that $DEBUG is expanded when the functions are
# defined, not when cleanup runs.
#
add_test_ipsec_l2tp()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo= name= desc=

	_algo=$(printf '%s' "$algo" | tr -d '-')
	name="ipsec_l2tp_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) tunnel mode (l2tp) with $proto ($algo)"

	atf_test_case "${name}" cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"${desc}\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		test_ipsec_l2tp_common ${ipproto} ${proto} ${algo}
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		${DEBUG} && dump
		cleanup
	}
	"
	atf_add_test_case "${name}"
}
356
#
# ATF entry point: register an IPv4 and an IPv6 test case for every ESP
# algorithm in ESP_ENCRYPTION_ALGORITHMS_MINIMUM and every AH algorithm in
# AH_AUTHENTICATION_ALGORITHMS_MINIMUM (both whitespace-separated lists).
#
atf_init_test_cases()
{
	local algo= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for ipproto in ipv4 ipv6; do
			add_test_ipsec_l2tp $ipproto esp $algo
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		for ipproto in ipv4 ipv6; do
			add_test_ipsec_l2tp $ipproto ah $algo
		done
	done
}
371