# $NetBSD: t_ipsec_tunnel.sh,v 1.7 2017/05/10 09:00:29 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
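# Rump kernel control sockets for the four nodes of the test topology:
#
#   local --BUS_LOCAL-- tunnel_local ==BUS_TUNNEL== tunnel_remote --BUS_REMOTE-- remote
#
# The sockets are relative paths, so they live in the per-test ATF work
# directory and do not collide with other test programs.
# (The tunnel_local socket name was previously misspelled "ipsec_tunel_local";
# it is now consistent with the other three.)
SOCK_LOCAL=unix://ipsec_local
SOCK_TUNNEL_LOCAL=unix://ipsec_tunnel_local
SOCK_TUNNEL_REMOTE=unix://ipsec_tunnel_remote
SOCK_REMOTE=unix://ipsec_remote

# shmif buses connecting the nodes.  BUS_TUNNEL is the "public" segment
# between the two gateways and is the one captured by the tests.
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# DEBUG=true makes the tests echo the generated setkey configuration
# (including the SA keys) and dump state on cleanup.  Off by default.
DEBUG=${DEBUG:-false}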
37
setup_servers()
{
	local spec=

	# Topology from https://www.netbsd.org/docs/network/ipsec/#sample_vpn:
	# two end hosts, each behind a gateway, and the two gateways joined by
	# BUS_TUNNEL.  Only the gateways load netipsec; the end hosts are plain
	# IP nodes.  Every node runs as a rump kernel with the crypto
	# components available.
	rump_server_crypto_start $SOCK_LOCAL netinet6
	rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6
	rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6
	rump_server_crypto_start $SOCK_REMOTE netinet6

	# "<socket> <ifname> <bus>" triples; $spec is deliberately unquoted so
	# it word-splits into the three arguments.
	for spec in \
	    "$SOCK_LOCAL shmif0 $BUS_LOCAL" \
	    "$SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL" \
	    "$SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL" \
	    "$SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE" \
	    "$SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL" \
	    "$SOCK_REMOTE shmif0 $BUS_REMOTE"; do
		rump_server_add_iface $spec
	done
}
53
check_tunnel_packets()
{
	local outfile=$1	# tcpdump text capture of the tunnel bus
	local src=$2		# local gateway tunnel address
	local dst=$3		# remote gateway tunnel address
	local proto=$4		# "ESP" or "AH", as tcpdump prints it
	local pattern=

	# Both directions must appear on the bus as $proto between the two
	# gateway addresses.  The patterns are regexps built from the test's
	# own constants, so no escaping is needed.
	for pattern in "$src > $dst: $proto" "$dst > $src: $proto"; do
		atf_check -s exit:0 -o match:"$pattern" cat $outfile
	done
}
64
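# Exercise an IPv4 site-to-site IPsec tunnel between two gateways.
#
# $1 - "esp" or "ah"
# $2 - setkey algorithm name for that protocol (e.g. aes-cbc, hmac-sha1)
#
# Steps: bring up the four-node topology, verify a ping crosses the tunnel
# bus in the clear, install manual SAs and a "require" tunnel policy on
# both gateways, then verify the next ping shows up on the tunnel bus as
# ESP/AH between the gateway addresses and (for ESP) that the inner ICMP
# no longer leaks in plaintext.  SA/SP entries are flushed at the end.
test_ipsec4_tunnel()
{
	local proto=$1
	local algo=$2
	# End hosts on 10.0.1.0/24 and 10.0.2.0/24; the gateways peer over
	# 20.0.0.0/24, which is BUS_TUNNEL and the segment captured below.
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gw_local_tunnel=20.0.0.1
	local ip_gw_remote_tunnel=20.0.0.2
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# One fresh key of a length valid for $algo; the same key is used for
	# both SA directions and on both gateways.  That is fine for a test
	# fixture but is not how a real deployment should be keyed.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E		# setkey: encryption algorithm follows
		proto_cap=ESP
	else
		opt=-A		# setkey: authentication algorithm follows
		proto_cap=AH
	fi

	setup_servers

	# End host "local": default path to the remote subnet via its gateway.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gw_local

	# Gateway "local": forwards between the local subnet and the tunnel
	# segment.
	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tunnel/24
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gw_remote_tunnel

	# Gateway "remote": mirror image of the local gateway.
	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tunnel/24
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gw_local_tunnel

	# End host "remote".
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gw_remote

	# Snapshot the tunnel bus so the next extraction returns only the
	# packets generated by the ping below.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Baseline: with no SPD installed the echo request/reply crosses the
	# tunnel bus in the clear.  This also shows that the plaintext check
	# after the policy is installed is meaningful.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Manual keying on the local gateway, after
	# https://www.netbsd.org/docs/network/ipsec/: one SA per direction
	# (SPI 10000 outbound, 10001 inbound from this gateway's view) and a
	# tunnel-mode policy that *requires* IPsec for traffic between the two
	# subnets.  The configuration is fed to setkey on stdin from a file in
	# the work directory, so the key never appears on a command line.
	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
	cat > $tmpfile <<EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
    $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require;
spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
    $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require;
EOF
	$DEBUG && cat $tmpfile	# note: this prints the SA key
	# $HIJACKING is intentionally unquoted: it is the (presumably
	# multi-word) wrapper that points setkey at the rump kernel.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
	    $ip_gw_remote_tunnel

	# Same SAs on the remote gateway; the policy directions are swapped.
	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
	cat > $tmpfile <<EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
    $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require;
spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
    $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require;
EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
	    $ip_gw_remote_tunnel

	# With the policy in place the ping must still succeed ...
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# ... and the tunnel bus must now carry ESP/AH between the gateways.
	extract_new_packets $BUS_TUNNEL > $outfile
	check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \
	    $proto_cap

	# Seeing ESP/AH is not enough on its own: a broken "require" policy
	# could pass the plaintext alongside it.  For ESP the inner ICMP is
	# encrypted, so no end-host echo request/reply may be visible on the
	# tunnel segment at all.  AH is skipped because tcpdump decodes the
	# (authenticated but unencrypted) payload behind an AH header, so the
	# inner ICMP is printed even when the tunnel is correct.
	if [ "$proto" = esp ]; then
		atf_check -s exit:0 \
		    -o not-match:"$ip_local > $ip_remote: ICMP echo request" \
		    cat $outfile
		atf_check -s exit:0 \
		    -o not-match:"$ip_remote > $ip_local: ICMP echo reply" \
		    cat $outfile
	fi

	test_flush_entries $SOCK_TUNNEL_LOCAL
	test_flush_entries $SOCK_TUNNEL_REMOTE
}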
173
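# IPv6 counterpart of test_ipsec4_tunnel: site-to-site IPsec tunnel between
# two gateways, with the inner and outer headers both IPv6.
#
# $1 - "esp" or "ah"
# $2 - setkey algorithm name for that protocol (e.g. aes-cbc, hmac-sha1)
#
# Steps: bring up the four-node topology, verify a ping crosses the tunnel
# bus in the clear, install manual SAs and a "require" tunnel policy on
# both gateways, then verify the next ping shows up on the tunnel bus as
# ESP/AH between the gateway addresses and (for ESP) that the inner ICMPv6
# no longer leaks in plaintext.  SA/SP entries are flushed at the end.
test_ipsec6_tunnel()
{
	local proto=$1
	local algo=$2
	# End hosts on fd00:1::/64 and fd00:2::/64; the gateways peer over
	# fc00::/64, which is BUS_TUNNEL and the segment captured below.
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gw_local_tunnel=fc00::1
	local ip_gw_remote_tunnel=fc00::2
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# One fresh key of a length valid for $algo; the same key is used for
	# both SA directions and on both gateways.  That is fine for a test
	# fixture but is not how a real deployment should be keyed.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E		# setkey: encryption algorithm follows
		proto_cap=ESP
	else
		opt=-A		# setkey: authentication algorithm follows
		proto_cap=AH
	fi

	setup_servers

	# End host "local": path to the remote subnet via its gateway.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local

	# Gateway "local": forwards between the local subnet and the tunnel
	# segment.
	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tunnel/64
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_remote_tunnel

	# Gateway "remote": mirror image of the local gateway.
	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tunnel/64
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_local_tunnel

	# End host "remote".  The prefix length is given explicitly, as on
	# every other interface, instead of relying on ifconfig's default.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote/64
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote

	# Snapshot the tunnel bus so the next extraction returns only the
	# packets generated by the ping below.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Baseline: with no SPD installed the echo request/reply crosses the
	# tunnel bus in the clear.  This also shows that the plaintext check
	# after the policy is installed is meaningful.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Manual keying on the local gateway, after
	# https://www.netbsd.org/docs/network/ipsec/: one SA per direction
	# (SPI 10000 outbound, 10001 inbound from this gateway's view) and a
	# tunnel-mode policy that *requires* IPsec for traffic between the two
	# subnets.  The configuration is fed to setkey on stdin from a file in
	# the work directory, so the key never appears on a command line.
	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
	cat > $tmpfile <<EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
    $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require;
spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
    $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require;
EOF
	$DEBUG && cat $tmpfile	# note: this prints the SA key
	# $HIJACKING is intentionally unquoted: it is the (presumably
	# multi-word) wrapper that points setkey at the rump kernel.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
	    $ip_gw_remote_tunnel

	# Same SAs on the remote gateway; the policy directions are swapped.
	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
	cat > $tmpfile <<EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
    $proto/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require;
spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
    $proto/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require;
EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
	    $ip_gw_remote_tunnel

	# With the policy in place the ping must still succeed ...
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	# ... and the tunnel bus must now carry ESP/AH between the gateways.
	extract_new_packets $BUS_TUNNEL > $outfile
	check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \
	    $proto_cap

	# Seeing ESP/AH is not enough on its own: a broken "require" policy
	# could pass the plaintext alongside it.  For ESP the inner ICMPv6 is
	# encrypted, so no end-host echo request/reply may be visible on the
	# tunnel segment at all.  AH is skipped because tcpdump decodes the
	# (authenticated but unencrypted) payload behind an AH header, so the
	# inner ICMPv6 is printed even when the tunnel is correct.
	if [ "$proto" = esp ]; then
		atf_check -s exit:0 \
		    -o not-match:"$ip_local > $ip_remote: ICMP6, echo request" \
		    cat $outfile
		atf_check -s exit:0 \
		    -o not-match:"$ip_remote > $ip_local: ICMP6, echo reply" \
		    cat $outfile
	fi

	test_flush_entries $SOCK_TUNNEL_LOCAL
	test_flush_entries $SOCK_TUNNEL_REMOTE
}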
282
# Dispatch to the IPv4 or IPv6 tunnel test.
#
# $1 - "ipv4" selects the IPv4 test; anything else runs the IPv6 test
# $2 - "esp" or "ah"
# $3 - setkey algorithm name
test_tunnel_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case $ipproto in
	ipv4)
		test_ipsec4_tunnel $proto $algo
		;;
	*)
		test_ipsec6_tunnel $proto $algo
		;;
	esac
}
295
# Register one ATF test case "ipsec_tunnel_<ipproto>_<proto>_<algo>" (with
# the dashes stripped from the algorithm name so it is a valid identifier).
#
# $1 - "ipv4" or "ipv6"
# $2 - "esp" or "ah"
# $3 - setkey algorithm name
#
# The head/body/cleanup functions are created with eval because their
# names are computed at run time.  The interpolated values all come from
# this file's own constant algorithm lists, not from external input.
add_test_tunnel_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo= name= desc=

	_algo=$(echo $algo | sed 's/-//g')
	name="ipsec_tunnel_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "${name}_head() {
		atf_set \"descr\" \"$desc\";
		atf_set \"require.progs\" \"rump_server\" \"setkey\";
	}"
	eval "${name}_body() {
		test_tunnel_common $ipproto $proto $algo;
		rump_server_destroy_ifaces;
	}"
	eval "${name}_cleanup() {
		$DEBUG && dump;
		cleanup;
	}"
	atf_add_test_case ${name}
}
324
# ATF entry point: one tunnel-mode test case per (address family, protocol,
# algorithm) combination, for every ESP encryption algorithm and every AH
# authentication algorithm in the shared lists.
atf_init_test_cases()
{
	local ipproto= algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_tunnel_mode $ipproto esp $algo
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_tunnel_mode $ipproto ah $algo
		done
	done
}
339