1 1.11 knakahar # $NetBSD: t_ipsec_tunnel.sh,v 1.11 2023/06/19 08:28:09 knakahara Exp $ 2 1.1 ozaki # 3 1.1 ozaki # Copyright (c) 2017 Internet Initiative Japan Inc. 4 1.1 ozaki # All rights reserved. 5 1.1 ozaki # 6 1.1 ozaki # Redistribution and use in source and binary forms, with or without 7 1.1 ozaki # modification, are permitted provided that the following conditions 8 1.1 ozaki # are met: 9 1.1 ozaki # 1. Redistributions of source code must retain the above copyright 10 1.1 ozaki # notice, this list of conditions and the following disclaimer. 11 1.1 ozaki # 2. Redistributions in binary form must reproduce the above copyright 12 1.1 ozaki # notice, this list of conditions and the following disclaimer in the 13 1.1 ozaki # documentation and/or other materials provided with the distribution. 14 1.1 ozaki # 15 1.1 ozaki # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16 1.1 ozaki # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17 1.1 ozaki # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18 1.1 ozaki # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19 1.1 ozaki # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 1.1 ozaki # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 1.1 ozaki # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 1.1 ozaki # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 1.1 ozaki # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 1.1 ozaki # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 1.1 ozaki # POSSIBILITY OF SUCH DAMAGE. 26 1.1 ozaki # 27 1.1 ozaki 28 1.1 ozaki SOCK_LOCAL=unix://ipsec_local 29 1.1 ozaki SOCK_TUNNEL_LOCAL=unix://ipsec_tunel_local 30 1.1 ozaki SOCK_TUNNEL_REMOTE=unix://ipsec_tunnel_remote 31 1.1 ozaki SOCK_REMOTE=unix://ipsec_remote 32 1.1 ozaki BUS_LOCAL=./bus_ipsec_local 33 1.1 ozaki BUS_TUNNEL=./bus_ipsec_tunnel 34 1.1 ozaki BUS_REMOTE=./bus_ipsec_remote 35 1.1 ozaki 36 1.1 ozaki DEBUG=${DEBUG:-false} 37 1.1 ozaki 38 1.6 ozaki setup_servers() 39 1.6 ozaki { 40 1.6 ozaki 41 1.6 ozaki # See https://www.netbsd.org/docs/network/ipsec/#sample_vpn 42 1.6 ozaki rump_server_crypto_start $SOCK_LOCAL netinet6 43 1.6 ozaki rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6 44 1.6 ozaki rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6 45 1.6 ozaki rump_server_crypto_start $SOCK_REMOTE netinet6 46 1.6 ozaki rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL 47 1.6 ozaki rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL 48 1.6 ozaki rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL 49 1.6 ozaki rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE 50 1.6 ozaki rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL 51 1.6 ozaki rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE 52 1.6 ozaki } 53 1.6 ozaki 54 1.6 ozaki check_tunnel_packets() 55 1.6 ozaki { 56 1.6 ozaki local outfile=$1 57 1.6 ozaki local src=$2 58 1.6 ozaki local dst=$3 59 1.6 ozaki local proto=$4 60 1.6 ozaki 61 1.6 ozaki atf_check -s exit:0 -o match:"$src > $dst: $proto" cat $outfile 62 1.6 ozaki atf_check -s exit:0 -o match:"$dst > $src: $proto" cat $outfile 63 1.6 ozaki } 64 1.6 ozaki 65 1.1 ozaki test_ipsec4_tunnel() 66 1.1 ozaki { 67 1.1 ozaki local proto=$1 68 1.1 ozaki local algo=$2 69 1.1 ozaki local ip_local=10.0.1.2 70 1.1 ozaki local ip_gw_local=10.0.1.1 71 1.1 ozaki local ip_gw_local_tunnel=20.0.0.1 72 1.1 ozaki local ip_gw_remote_tunnel=20.0.0.2 73 1.1 ozaki local ip_gw_remote=10.0.2.1 74 1.1 ozaki local ip_remote=10.0.2.2 75 1.1 ozaki local subnet_local=10.0.1.0 76 1.1 ozaki local subnet_remote=10.0.2.0 77 1.1 ozaki local tmpfile=./tmp 78 1.1 ozaki local outfile=./out 79 1.8 ozaki local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 80 1.8 ozaki local algo_args="$(generate_algo_args $proto $algo)" 81 1.1 ozaki 82 1.6 ozaki setup_servers 83 1.1 ozaki 84 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 85 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 86 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 87 1.1 ozaki atf_check -s exit:0 -o ignore \ 88 1.1 ozaki rump.route -n add -net $subnet_remote $ip_gw_local 89 1.1 ozaki 90 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_LOCAL 91 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 92 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24 93 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tunnel/24 94 1.1 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 95 1.1 ozaki atf_check -s exit:0 -o ignore \ 96 1.1 ozaki rump.route -n add -net $subnet_remote $ip_gw_remote_tunnel 97 1.1 ozaki 98 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_REMOTE 99 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 100 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24 101 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tunnel/24 102 1.1 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 103 1.1 ozaki atf_check -s exit:0 -o ignore \ 104 1.1 ozaki rump.route -n add -net $subnet_local $ip_gw_local_tunnel 105 1.1 ozaki 106 1.1 ozaki export RUMP_SERVER=$SOCK_REMOTE 107 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 108 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 109 1.1 ozaki atf_check -s exit:0 -o ignore \ 110 1.1 ozaki rump.route -n add -net $subnet_local $ip_gw_remote 111 1.1 ozaki 112 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 113 1.1 ozaki 114 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 115 1.1 ozaki atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote 116 1.1 ozaki 117 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 118 1.1 ozaki atf_check -s exit:0 \ 119 1.1 ozaki -o match:"$ip_local > $ip_remote: ICMP echo request" \ 120 1.1 ozaki cat $outfile 121 1.1 ozaki atf_check -s exit:0 \ 122 1.1 ozaki -o match:"$ip_remote > $ip_local: ICMP echo reply" \ 123 1.1 ozaki cat $outfile 124 1.1 ozaki 125 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_LOCAL 126 1.1 ozaki # from https://www.netbsd.org/docs/network/ipsec/ 127 1.1 ozaki cat > $tmpfile <<-EOF 128 1.8 ozaki add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args; 129 1.8 ozaki add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args; 130 1.1 ozaki spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec 131 1.1 ozaki $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require; 132 1.1 ozaki spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec 133 1.1 ozaki $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require; 134 1.1 ozaki EOF 135 1.1 ozaki $DEBUG && cat $tmpfile 136 1.1 ozaki atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 137 1.5 ozaki check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \ 138 1.5 ozaki $ip_gw_remote_tunnel 139 1.1 ozaki 140 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_REMOTE 141 1.1 ozaki cat > $tmpfile <<-EOF 142 1.8 ozaki add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args; 143 1.8 ozaki add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args; 144 1.1 ozaki spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec 145 1.1 ozaki $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require; 146 1.1 ozaki spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec 147 1.1 ozaki $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require; 148 1.1 ozaki EOF 149 1.1 ozaki $DEBUG && cat $tmpfile 150 1.1 ozaki atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 151 1.5 ozaki check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \ 152 1.5 ozaki $ip_gw_remote_tunnel 153 1.1 ozaki 154 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 155 1.1 ozaki atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote 156 1.1 ozaki 157 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 158 1.6 ozaki check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \ 159 1.6 ozaki $proto_cap 160 1.4 ozaki 161 1.4 ozaki test_flush_entries $SOCK_TUNNEL_LOCAL 162 1.4 ozaki test_flush_entries $SOCK_TUNNEL_REMOTE 163 1.1 ozaki } 164 1.1 ozaki 165 1.1 ozaki test_ipsec6_tunnel() 166 1.1 ozaki { 167 1.1 ozaki local proto=$1 168 1.1 ozaki local algo=$2 169 1.1 ozaki local ip_local=fd00:1::2 170 1.1 ozaki local ip_gw_local=fd00:1::1 171 1.1 ozaki local ip_gw_local_tunnel=fc00::1 172 1.1 ozaki local ip_gw_remote_tunnel=fc00::2 173 1.1 ozaki local ip_gw_remote=fd00:2::1 174 1.1 ozaki local ip_remote=fd00:2::2 175 1.1 ozaki local subnet_local=fd00:1:: 176 1.1 ozaki local subnet_remote=fd00:2:: 177 1.1 ozaki local tmpfile=./tmp 178 1.1 ozaki local outfile=./out 179 1.8 ozaki local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 180 1.8 ozaki local algo_args="$(generate_algo_args $proto $algo)" 181 1.1 ozaki 182 1.6 ozaki setup_servers 183 1.1 ozaki 184 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 185 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 186 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64 187 1.1 ozaki atf_check -s exit:0 -o ignore \ 188 1.1 ozaki rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local 189 1.1 ozaki 190 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_LOCAL 191 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 192 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64 193 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tunnel/64 194 1.1 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1 195 1.1 ozaki atf_check -s exit:0 -o ignore \ 196 1.1 ozaki rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_remote_tunnel 197 1.1 ozaki 198 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_REMOTE 199 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 200 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64 201 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tunnel/64 202 1.1 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1 203 1.1 ozaki atf_check -s exit:0 -o ignore \ 204 1.1 ozaki rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_local_tunnel 205 1.1 ozaki 206 1.1 ozaki export RUMP_SERVER=$SOCK_REMOTE 207 1.7 ozaki atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 208 1.1 ozaki atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote 209 1.1 ozaki atf_check -s exit:0 -o ignore \ 210 1.1 ozaki rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote 211 1.1 ozaki 212 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 213 1.1 ozaki 214 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 215 1.1 ozaki atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote 216 1.1 ozaki 217 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 218 1.1 ozaki atf_check -s exit:0 \ 219 1.1 ozaki -o match:"$ip_local > $ip_remote: ICMP6, echo request" \ 220 1.1 ozaki cat $outfile 221 1.1 ozaki atf_check -s exit:0 \ 222 1.1 ozaki -o match:"$ip_remote > $ip_local: ICMP6, echo reply" \ 223 1.1 ozaki cat $outfile 224 1.1 ozaki 225 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_LOCAL 226 1.1 ozaki # from https://www.netbsd.org/docs/network/ipsec/ 227 1.1 ozaki cat > $tmpfile <<-EOF 228 1.8 ozaki add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args; 229 1.8 ozaki add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args; 230 1.1 ozaki spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec 231 1.1 ozaki $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require; 232 1.1 ozaki spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec 233 1.1 ozaki $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require; 234 1.1 ozaki EOF 235 1.1 ozaki $DEBUG && cat $tmpfile 236 1.1 ozaki atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 237 1.5 ozaki check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \ 238 1.5 ozaki $ip_gw_remote_tunnel 239 1.1 ozaki 240 1.1 ozaki export RUMP_SERVER=$SOCK_TUNNEL_REMOTE 241 1.1 ozaki cat > $tmpfile <<-EOF 242 1.8 ozaki add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args; 243 1.8 ozaki add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args; 244 1.1 ozaki spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec 245 1.1 ozaki $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require; 246 1.1 ozaki spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec 247 1.1 ozaki $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require; 248 1.1 ozaki EOF 249 1.1 ozaki $DEBUG && cat $tmpfile 250 1.1 ozaki atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 251 1.5 ozaki check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \ 252 1.5 ozaki $ip_gw_remote_tunnel 253 1.1 ozaki 254 1.1 ozaki export RUMP_SERVER=$SOCK_LOCAL 255 1.1 ozaki atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote 256 1.1 ozaki 257 1.1 ozaki extract_new_packets $BUS_TUNNEL > $outfile 258 1.6 ozaki check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \ 259 1.6 ozaki $proto_cap 260 1.4 ozaki 261 1.4 ozaki test_flush_entries $SOCK_TUNNEL_LOCAL 262 1.4 ozaki test_flush_entries $SOCK_TUNNEL_REMOTE 263 1.1 ozaki } 264 1.1 ozaki 265 1.1 ozaki test_tunnel_common() 266 1.1 ozaki { 267 1.1 ozaki local ipproto=$1 268 1.1 ozaki local proto=$2 269 1.1 ozaki local algo=$3 270 1.1 ozaki 271 1.1 ozaki if [ $ipproto = ipv4 ]; then 272 1.1 ozaki test_ipsec4_tunnel $proto $algo 273 1.1 ozaki else 274 1.1 ozaki test_ipsec6_tunnel $proto $algo 275 1.1 ozaki fi 276 1.1 ozaki } 277 1.1 ozaki 278 1.1 ozaki add_test_tunnel_mode() 279 1.1 ozaki { 280 1.1 ozaki local ipproto=$1 281 1.1 ozaki local proto=$2 282 1.1 ozaki local algo=$3 283 1.1 ozaki local _algo=$(echo $algo | sed 's/-//g') 284 1.3 ozaki local name= desc= 285 1.1 ozaki 286 1.1 ozaki name="ipsec_tunnel_${ipproto}_${proto}_${_algo}" 287 1.1 ozaki desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo)" 288 1.1 ozaki 289 1.1 ozaki atf_test_case ${name} cleanup 290 1.9 ozaki eval " 291 1.9 ozaki ${name}_head() { 292 1.9 ozaki atf_set descr \"$desc\" 293 1.9 ozaki atf_set require.progs rump_server setkey 294 1.9 ozaki } 295 1.9 ozaki ${name}_body() { 296 1.9 ozaki test_tunnel_common $ipproto $proto $algo 297 1.9 ozaki rump_server_destroy_ifaces 298 1.9 ozaki } 299 1.9 ozaki ${name}_cleanup() { 300 1.9 ozaki \$DEBUG && dump 301 1.9 ozaki cleanup 302 1.9 ozaki } 303 1.1 ozaki " 304 1.1 ozaki atf_add_test_case ${name} 305 1.1 ozaki } 306 1.1 ozaki 307 1.1 ozaki atf_init_test_cases() 308 1.1 ozaki { 309 1.1 ozaki local algo= 310 1.1 ozaki 311 1.11 knakahar for algo in $ESP_ENCRYPTION_ALGORITHMS; do 312 1.1 ozaki add_test_tunnel_mode ipv4 esp $algo 313 1.1 ozaki add_test_tunnel_mode ipv6 esp $algo 314 1.1 ozaki done 315 1.1 ozaki 316 1.11 knakahar for algo in $AH_AUTHENTICATION_ALGORITHMS; do 317 1.1 ozaki add_test_tunnel_mode ipv4 ah $algo 318 1.3 ozaki add_test_tunnel_mode ipv6 ah $algo 319 1.1 ozaki done 320 1.1 ozaki } 321
Indexes created Tue Sep 23 02:09:52 GMT 2025