# $NetBSD: t_ipsec_tunnel_odd.sh,v 1.1.2.2 2017/05/11 02:58:42 pgoyette Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Rump server control sockets, one per node of the four-node topology:
# local host, local gateway, remote gateway, remote host.
SOCK_LOCAL=unix://ipsec_local
# NOTE: "tunel" is the spelling this socket has always had; it is only ever
# referenced through this variable, so it is kept as-is.
SOCK_TUNNEL_LOCAL=unix://ipsec_tunel_local
SOCK_TUNNEL_REMOTE=unix://ipsec_tunnel_remote
SOCK_REMOTE=unix://ipsec_remote

# shmif buses: BUS_TUNNEL is the link between the two gateways, i.e. the
# only bus on which IPsec-protected packets should be observed.
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# Set DEBUG=true in the environment to dump setkey configs (including the
# generated keys) and rump state into the test log.
: "${DEBUG:=false}"

#
# Start the four rump servers and wire them up as
#
#   local --BUS_LOCAL-- gw_local --BUS_TUNNEL-- gw_remote --BUS_REMOTE-- remote
#
# (see https://www.netbsd.org/docs/network/ipsec/#sample_vpn).  Only the two
# gateways are started with the netipsec component; the end hosts never
# touch IPsec and just route through their gateway.
#
setup_servers()
{

	rump_server_crypto_start "$SOCK_LOCAL" netinet6
	rump_server_crypto_start "$SOCK_TUNNEL_LOCAL" netipsec netinet6
	rump_server_crypto_start "$SOCK_TUNNEL_REMOTE" netipsec netinet6
	rump_server_crypto_start "$SOCK_REMOTE" netinet6

	# shmif0 always faces the end-host side; shmif1 is the
	# gateway-to-gateway link that the tunnel runs over.
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUNNEL_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUNNEL_LOCAL" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_TUNNEL_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUNNEL_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"
}

#
# Assert that the capture in $1 shows outer $4 (ESP or AH) packets in both
# directions between tunnel endpoints $2 and $3.
#
# Arguments: $1 - file holding tcpdump output of the tunnel bus
#            $2 - outer address of the local gateway
#            $3 - outer address of the remote gateway
#            $4 - protocol name as tcpdump prints it (ESP or AH)
#
# Note this is a positive check only: it proves protected packets are
# present, not that no cleartext inner packet is on the bus.  match: is a
# regular expression, so dots in IPv4 endpoints act as wildcards.
#
check_tunnel_packets()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local proto=$4
	local direction=

	for direction in "$src > $dst" "$dst > $src"; do
		atf_check -s exit:0 -o match:"$direction: $proto" cat "$outfile"
	done
}

#
# IPv4 traffic protected by an IPsec tunnel whose outer endpoints are IPv6.
#
# Arguments: $1 - esp or ah
#            $2 - algorithm name understood by setkey
#
# Flow: bring up the topology, ping across it without any SA/SPD and
# confirm the inner packets cross the gateway bus in the clear; then
# install matching SAs and a "require" tunnel policy on both gateways,
# ping again and confirm only ESP/AH between the IPv6 endpoints is seen.
#
test_ipsec46_tunnel()
{
	local proto=$1
	local algo=$2
	# Inner (protected) IPv4 hosts, gateways and subnets
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	# Gateway-to-gateway link: the IPv4 pair carries the plain route,
	# the IPv6 pair is the outer tunnel endpoints
	local ip_gw_local_tunnel=20.0.0.1
	local ip_gw_remote_tunnel=20.0.0.2
	local ip6_gw_local_tunnel=fc00::1
	local ip6_gw_remote_tunnel=fc00::2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Per-run test key for the chosen algorithm; it is written to
	# $tmpfile and echoed to the log when DEBUG is on.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	# setkey takes -E for an ESP SA and -A for an AH SA; proto_cap is the
	# name tcpdump prints for the outer packets.
	case $proto in
	esp)
		opt=-E
		proto_cap=ESP
		;;
	*)
		opt=-A
		proto_cap=AH
		;;
	esac

	setup_servers

	# Local host: DAD off so the address is usable at once; the remote
	# subnet is reached through the local gateway.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gw_local"

	# Local gateway: forwards IPv4 between shmif0 (inner) and shmif1
	# (gateway bus); next hop for the remote subnet is the remote
	# gateway's IPv4 link address.
	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_local/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gw_local_tunnel/24"
	# NOTE(review): /24 on an IPv6 address is unusual; presumably
	# harmless for this two-node link -- confirm against sibling tests.
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip6_gw_local_tunnel/24"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gw_remote_tunnel"

	# Remote gateway: mirror image of the local one.
	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_remote/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gw_remote_tunnel/24"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip6_gw_remote_tunnel/24"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gw_local_tunnel"

	# Remote host.
	export RUMP_SERVER="$SOCK_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_remote/24"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gw_remote"

	# Drain whatever is already on the gateway bus so that later checks
	# only see packets caused by our pings.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Without SA/SPD the echo is forwarded unprotected: the inner
	# addresses are visible on the gateway bus.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	# Same SA pair (SPIs 10000/10001) on both gateways, plus an SPD that
	# requires tunnel-mode protection for every inner packet; layout from
	# https://www.netbsd.org/docs/network/ipsec/ .  The heredoc body is
	# flush left on purpose: it is the setkey configuration file.
	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	cat > "$tmpfile" <<EOF
add $ip6_gw_local_tunnel $ip6_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip6_gw_remote_tunnel $ip6_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
$proto/tunnel/$ip6_gw_local_tunnel-$ip6_gw_remote_tunnel/require;
spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
$proto/tunnel/$ip6_gw_remote_tunnel-$ip6_gw_local_tunnel/require;
EOF
	# This prints the key material into the test log.
	if $DEBUG; then
		cat "$tmpfile"
	fi
	# $HIJACKING is deliberately unquoted: it may expand to several
	# words or to nothing.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_LOCAL" "$ip6_gw_local_tunnel" "$ip6_gw_remote_tunnel"

	# Remote gateway: same SAs, in/out policies swapped.
	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	cat > "$tmpfile" <<EOF
add $ip6_gw_local_tunnel $ip6_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip6_gw_remote_tunnel $ip6_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
$proto/tunnel/$ip6_gw_remote_tunnel-$ip6_gw_local_tunnel/require;
spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
$proto/tunnel/$ip6_gw_local_tunnel-$ip6_gw_remote_tunnel/require;
EOF
	if $DEBUG; then
		cat "$tmpfile"
	fi
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_REMOTE" "$ip6_gw_local_tunnel" "$ip6_gw_remote_tunnel"

	# With the policy in place the same ping must now appear on the
	# gateway bus as $proto_cap between the IPv6 tunnel endpoints.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	# NOTE(review): positive match only; nothing here asserts that the
	# inner ICMP is no longer readable on the bus.
	check_tunnel_packets "$outfile" "$ip6_gw_local_tunnel" "$ip6_gw_remote_tunnel" "$proto_cap"

	test_flush_entries "$SOCK_TUNNEL_LOCAL"
	test_flush_entries "$SOCK_TUNNEL_REMOTE"
}

#
# IPv6 traffic protected by an IPsec tunnel whose outer endpoints are IPv4.
#
# Arguments: $1 - esp or ah
#            $2 - algorithm name understood by setkey
#
# Same flow as test_ipsec46_tunnel with the address families swapped:
# unprotected ping6 first, then SAs plus a "require" tunnel policy on both
# gateways, then a ping6 that must show up only as ESP/AH between the
# IPv4 endpoints.
#
test_ipsec64_tunnel()
{
	local proto=$1
	local algo=$2
	# Inner (protected) IPv6 hosts, gateways and subnets
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	# Gateway-to-gateway link: the IPv6 pair carries the plain route,
	# the IPv4 pair is the outer tunnel endpoints
	local ip_gw_local_tunnel=fc00::1
	local ip_gw_remote_tunnel=fc00::2
	local ip4_gw_local_tunnel=20.0.0.1
	local ip4_gw_remote_tunnel=20.0.0.2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Per-run test key for the chosen algorithm; it is written to
	# $tmpfile and echoed to the log when DEBUG is on.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	# setkey takes -E for an ESP SA and -A for an AH SA; proto_cap is the
	# name tcpdump prints for the outer packets.
	case $proto in
	esp)
		opt=-E
		proto_cap=ESP
		;;
	*)
		opt=-A
		proto_cap=AH
		;;
	esac

	setup_servers

	# Local host: DAD off so the address is usable at once; the remote
	# subnet is reached through the local gateway.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local/64"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gw_local"

	# Local gateway: forwards IPv6 between shmif0 (inner) and shmif1
	# (gateway bus); next hop for the remote subnet is the remote
	# gateway's IPv6 link address.
	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_local/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gw_local_tunnel/64"
	# NOTE(review): the IPv4 tunnel endpoint gets no prefix length;
	# presumably ifconfig's default mask is fine for this link -- confirm.
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip4_gw_local_tunnel"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gw_remote_tunnel"

	# Remote gateway: mirror image of the local one.
	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_remote/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gw_remote_tunnel/64"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip4_gw_remote_tunnel"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gw_local_tunnel"

	# Remote host.
	export RUMP_SERVER="$SOCK_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	# NOTE(review): unlike $ip_local above, no prefix length is given
	# here; presumably the inet6 default applies -- confirm.
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_remote"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gw_remote"

	# Drain whatever is already on the gateway bus so that later checks
	# only see packets caused by our pings.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Without SA/SPD the echo is forwarded unprotected: the inner
	# addresses are visible on the gateway bus.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	# Same SA pair (SPIs 10000/10001) on both gateways, plus an SPD that
	# requires tunnel-mode protection for every inner packet; layout from
	# https://www.netbsd.org/docs/network/ipsec/ .  The heredoc body is
	# flush left on purpose: it is the setkey configuration file.
	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	cat > "$tmpfile" <<EOF
add $ip4_gw_local_tunnel $ip4_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip4_gw_remote_tunnel $ip4_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
$proto/tunnel/$ip4_gw_local_tunnel-$ip4_gw_remote_tunnel/require;
spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
$proto/tunnel/$ip4_gw_remote_tunnel-$ip4_gw_local_tunnel/require;
EOF
	# This prints the key material into the test log.
	if $DEBUG; then
		cat "$tmpfile"
	fi
	# $HIJACKING is deliberately unquoted: it may expand to several
	# words or to nothing.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_LOCAL" "$ip4_gw_local_tunnel" "$ip4_gw_remote_tunnel"

	# Remote gateway: same SAs, in/out policies swapped.
	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	cat > "$tmpfile" <<EOF
add $ip4_gw_local_tunnel $ip4_gw_remote_tunnel $proto 10000 $opt $algo $key;
add $ip4_gw_remote_tunnel $ip4_gw_local_tunnel $proto 10001 $opt $algo $key;
spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
$proto/tunnel/$ip4_gw_remote_tunnel-$ip4_gw_local_tunnel/require;
spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
$proto/tunnel/$ip4_gw_local_tunnel-$ip4_gw_remote_tunnel/require;
EOF
	if $DEBUG; then
		cat "$tmpfile"
	fi
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_REMOTE" "$ip4_gw_local_tunnel" "$ip4_gw_remote_tunnel"

	# With the policy in place the same ping must now appear on the
	# gateway bus as $proto_cap between the IPv4 tunnel endpoints.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	# NOTE(review): positive match only; nothing here asserts that the
	# inner ICMP6 is no longer readable on the bus.
	check_tunnel_packets "$outfile" "$ip4_gw_local_tunnel" "$ip4_gw_remote_tunnel" "$proto_cap"

	test_flush_entries "$SOCK_TUNNEL_LOCAL"
	test_flush_entries "$SOCK_TUNNEL_REMOTE"
}

#
# Dispatch to the IPv4-over-IPv6 or IPv6-over-IPv4 variant.
#
# Arguments: $1 - v4v6 selects test_ipsec46_tunnel; anything else
#                 selects test_ipsec64_tunnel
#            $2 - esp or ah
#            $3 - algorithm name
#
test_tunnel_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case $ipproto in
	v4v6)
		test_ipsec46_tunnel "$proto" "$algo"
		;;
	*)
		test_ipsec64_tunnel "$proto" "$algo"
		;;
	esac
}

#
# Register one ATF test case "ipsec_tunnel_<ipproto>_<proto>_<algo>" whose
# body runs test_tunnel_common with the given parameters.
#
# Arguments: $1 - v4v6 or v6v4
#            $2 - esp or ah
#            $3 - algorithm name (may contain '-')
#
# The head/body/cleanup functions are generated with eval.  Everything
# interpolated into it ($ipproto, $proto, $algo, $desc) comes from the
# constant algorithm lists used by atf_init_test_cases, never from outside
# input; $DEBUG is the one value taken from the environment and is
# expected to be "true" or "false".
#
add_test_tunnel_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo= name= desc=

	# '-' is stripped from the algorithm for the test case name
	# (presumably because it is not valid in ATF identifiers).
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsec_tunnel_${ipproto}_${proto}_${_algo}"
	case $ipproto in
	v4v6)
		desc="Tests of IPsec tunnel mode (IPv4 over IPv6) with $proto ($algo)"
		;;
	*)
		desc="Tests of IPsec tunnel mode (IPv6 over IPv4) with $proto ($algo)"
		;;
	esac

	atf_test_case "${name}" cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"$desc\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		test_tunnel_common $ipproto $proto $algo
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case "${name}"
}

#
# ATF entry point: register both tunnel directions for every ESP
# encryption algorithm and every AH authentication algorithm.
#
# Globals: ESP_ENCRYPTION_ALGORITHMS, AH_AUTHENTICATION_ALGORITHMS (read;
#          whitespace-separated lists, hence the unquoted expansion)
#
atf_init_test_cases()
{
	local algo= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		for ipproto in v4v6 v6v4; do
			add_test_tunnel_mode "$ipproto" esp "$algo"
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		for ipproto in v4v6 v6v4; do
			add_test_tunnel_mode "$ipproto" ah "$algo"
		done
	done
}
