From: Mariusz Drost
To: radu.nicolau@intel.com, akhil.goyal@nxp.com
Cc: dev@dpdk.org, Mariusz Drost
Date: Mon, 4 May 2020 12:06:34 +0200
Message-Id: <20200504100634.2062-1-mariuszx.drost@intel.com>
Subject: [dpdk-dev] [PATCH] examples/ipsec-secgw: tests clean-up

As more test cases are defined for execution, test scripts structure needs to be reorganized, so fewer files are needed to describe the test. To achieve that, new environment variables are incorporated into the scripts. Additionally, tests for mixed tunnel protocols are added.

Signed-off-by: Mariusz Drost --- doc/guides/sample_app_ug/ipsec_secgw.rst | 47 +++- examples/ipsec-secgw/test/common_defs.sh | 127 ++++++++--- examples/ipsec-secgw/test/linux_test.sh | 141 ++++++++++++ examples/ipsec-secgw/test/linux_test4.sh | 70 ------ examples/ipsec-secgw/test/linux_test6.sh | 71 ------ examples/ipsec-secgw/test/load_env.sh | 121 ++++++++++ examples/ipsec-secgw/test/run_test.sh | 215 +++++++++++++----- .../test/trs_3descbc_sha1_common_defs.sh | 8 +- .../ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 17 +- .../test/trs_3descbc_sha1_esn_atom_defs.sh | 6 - .../test/trs_3descbc_sha1_esn_defs.sh | 67 ------ .../test/trs_3descbc_sha1_old_defs.sh | 6 - .../test/trs_aescbc_sha1_common_defs.sh | 8 +- .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh | 17 +- .../test/trs_aescbc_sha1_esn_atom_defs.sh | 6 - .../test/trs_aescbc_sha1_esn_defs.sh | 67 ------ .../test/trs_aescbc_sha1_old_defs.sh | 6 - .../test/trs_aesctr_sha1_common_defs.sh | 8 +- .../ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 17 +- .../test/trs_aesctr_sha1_esn_atom_defs.sh | 6 - .../test/trs_aesctr_sha1_esn_defs.sh | 67 ------ .../test/trs_aesctr_sha1_old_defs.sh | 6 - .../test/trs_aesgcm_common_defs.sh | 8 +- examples/ipsec-secgw/test/trs_aesgcm_defs.sh | 17 +- .../test/trs_aesgcm_esn_atom_defs.sh | 6 - .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh | 67 ------ .../test/trs_aesgcm_inline_crypto_defs.sh | 7 - .../trs_aesgcm_inline_crypto_fallback_defs.sh | 10 - .../test/trs_aesgcm_inline_crypto_old_defs.sh | 6 - .../ipsec-secgw/test/trs_aesgcm_old_defs.sh | 6 - .../test/tun_3descbc_sha1_common_defs.sh | 76 ++++++- .../ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 87 ++++++- .../test/tun_3descbc_sha1_esn_atom_defs.sh | 6 - .../test/tun_3descbc_sha1_esn_defs.sh | 71 ------ .../test/tun_3descbc_sha1_old_defs.sh | 6 - .../test/tun_aescbc_sha1_common_defs.sh | 72 +++++- .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh | 87 ++++++- .../test/tun_aescbc_sha1_esn_atom_defs.sh | 6 - .../test/tun_aescbc_sha1_esn_defs.sh 
| 71 ------ .../test/tun_aescbc_sha1_old_defs.sh | 6 - .../test/tun_aesctr_sha1_common_defs.sh | 72 +++++- .../ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 87 ++++++- .../test/tun_aesctr_sha1_esn_atom_defs.sh | 6 - .../test/tun_aesctr_sha1_esn_defs.sh | 71 ------ .../test/tun_aesctr_sha1_old_defs.sh | 6 - .../test/tun_aesgcm_common_defs.sh | 66 +++++- examples/ipsec-secgw/test/tun_aesgcm_defs.sh | 87 ++++++- .../test/tun_aesgcm_esn_atom_defs.sh | 6 - .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh | 71 ------ .../test/tun_aesgcm_inline_crypto_defs.sh | 7 - .../tun_aesgcm_inline_crypto_fallback_defs.sh | 10 - .../test/tun_aesgcm_inline_crypto_old_defs.sh | 6 - .../ipsec-secgw/test/tun_aesgcm_old_defs.sh | 6 - 53 files changed, 1189 insertions(+), 1031 deletions(-) create mode 100644 examples/ipsec-secgw/test/linux_test.sh delete mode 100644 examples/ipsec-secgw/test/linux_test4.sh delete mode 100644 examples/ipsec-secgw/test/linux_test6.sh create mode 100644 examples/ipsec-secgw/test/load_env.sh delete mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh delete mode 
100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh delete mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 72f0d0a66..81c5d4360 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst 
@@ -870,10 +870,12 @@ Also the user can optionally setup: * ``CRYPTO_DEV``: crypto device to be used ('-w '). If none specified appropriate vdevs will be created by the script -* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and - specify size of reassembly table (e.g. - ``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for - fallback session tests. +Scripts can be used for multiple test scenarios. To check all available +options run: + +.. code-block:: console + + /bin/bash run_test.sh -h Note that most of the tests require the appropriate crypto PMD/device to be available. 
@@ -917,17 +919,40 @@ SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(IPsec)-->(NIC1)DUT OS It then tries to perform some data transfer using the scheme described above. -usage +Usage ~~~~~ -In the ipsec-secgw/test directory +In the ipsec-secgw/test directory run + +/bin/bash run_test.sh + +Available options: + +* ``-4`` Perform tests with use of IPv4. One or both [-46] options needs to be + selected. + +* ``-6`` Perform tests with use of IPv6. One or both [-46] options needs to be + selected. + +* ``-m`` Add IPSec tunnel mixed IP version tests - outer IP version different + than inner. Inner IP version will match selected option [-46]. + +* ``-i`` Run tests in inline mode. Regular tests will not be invoked. + +* ``-f`` Run tests for fallback mechanism. Regular tests will not be invoked. + +* ``-l`` Run tests in legacy mode only. It cannot be used with options [-fsc]. + On default library mode is used. -to run one test for IPv4 or IPv6 +* ``-s`` Run all tests with reassembly support. On default only tests for + fallback mechanism use reassembly support. -/bin/bash linux_test(4|6).sh +* ``-c`` Run tests with use of cpu-crypto. For inline tests it will not be + applied. On default lookaside-none is used. -to run all tests for IPv4 or IPv6 +* ``-p`` Perform packet validation tests. Option [-46] is not required. -/bin/bash run_test.sh -4|-6 +* ``-h`` Show usage. -For the list of available modes please refer to run_test.sh. +If is specified, only tests for that mode will be invoked. For the +list of available modes please refer to run_test.sh. \ No newline at end of file diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 35cdd1c55..df680805b 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh 
@@ -1,12 +1,13 @@ #! /bin/bash # SPDX-License-Identifier: BSD-3-Clause -#check ETH_DEV +# check ETH_DEV if [[ -z "${ETH_DEV}" ]]; then echo "ETH_DEV is invalid" exit 127 fi -#check that REMOTE_HOST is reachable + +# check that REMOTE_HOST is reachable ssh ${REMOTE_HOST} echo st=$? if [[ $st -ne 0 ]]; then @@ -14,7 +15,7 @@ if [[ $st -ne 0 ]]; then exit $st fi -#get ether addr of REMOTE_HOST +# get ether addr of REMOTE_HOST REMOTE_MAC=`ssh ${REMOTE_HOST} ip addr show dev ${REMOTE_IFACE}` st=$? REMOTE_MAC=`echo ${REMOTE_MAC} | sed -e 's/^.*ether //' -e 's/ brd.*$//'` @@ -35,6 +36,7 @@ LOCAL_IPV6=fd12:3456:789a:0031:0000:0000:0000:0092 DPDK_PATH=${RTE_SDK:-${PWD}} DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc} +DPDK_VARS="" # by default ipsec-secgw can't deal with multi-segment packets # make sure our local/remote host wouldn't generate fragmented packets 
@@ -42,40 +44,114 @@ DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc} DEF_MTU_LEN=1400 DEF_PING_LEN=1200 -#upsate operation mode based on env vars values +# set operation mode based on environment variables values select_mode() { - # select sync/async mode - if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${SGW_CMD_XPRM}" ]]; then - echo "${CRYPTO_PRIM_TYPE} is enabled" - SGW_CFG_XPRM="${SGW_CFG_XPRM} ${CRYPTO_PRIM_TYPE}" + echo "Test environment configuration:" + # check which mode to be enabled (library/legacy) + if [[ -n "${SGW_MODE}" && "${SGW_MODE}" == "library" ]]; then + DPDK_MODE="-w 300 -l" + echo "[enabled] library mode" + else + DPDK_MODE="" + echo "[enabled] legacy mode" + fi + + # check if esn is demanded + if [[ -n "${SGW_ESN}" && "${SGW_ESN}" == "esn-on" ]]; then + DPDK_VARS="${DPDK_VARS} -e" + XFRM_ESN="flag esn" + echo "[enabled] extended sequence number" + else + XFRM_ESN="" + echo "[disabled] extended sequence number" + fi + + # check if atom is demanded + if [[ -n "${SGW_ATOM}" && "${SGW_ATOM}" == "atom-on" ]]; then + DPDK_VARS="${DPDK_VARS} -a" + echo "[enabled] sequence number atomic behavior" + else + echo "[disabled] sequence number atomic behavior" + fi + + # check if inline should be enabled + if [[ -n "${SGW_CRYPTO}" && "${SGW_CRYPTO}" == "inline" ]]; then + CRYPTO_DEV='--vdev="crypto_null0"' + SGW_CFG_XPRM_IN="port_id 0 type inline-crypto-offload" + SGW_CFG_XPRM_OUT="port_id 0 type inline-crypto-offload" + echo "[enabled] inline crypto mode" + else + SGW_CFG_XPRM_IN="" + SGW_CFG_XPRM_OUT="" + echo "[disabled] inline crypto mode" fi - # check if fallback type is needed - if [[ "${MODE}" == *fallback* ]]; then - if [[ -n "${CRYPTO_FLBK_TYPE}" ]]; then - echo "${CRYPTO_FLBK_TYPE} is enabled" + # check if fallback should be enabled + if [[ -n "${SGW_CRYPTO_FLBK}" ]] && [[ -n ${SGW_CFG_XPRM_IN} ]] \ + && [[ "${SGW_MODE}" == "library" ]] \ + && [[ "${SGW_CRYPTO_FLBK}" == "cpu-crypto" \ + || "${SGW_CRYPTO_FLBK}" == "lookaside-none" ]]; then + 
CRYPTO_DEV="" + SGW_CFG_XPRM_IN="${SGW_CFG_XPRM_IN} fallback ${SGW_CRYPTO_FLBK}" + SGW_CFG_XPRM_OUT="" + echo "[enabled] crypto fallback ${SGW_CRYPTO_FLBK} mode" + else + if [[ -n "${SGW_CRYPTO_FLBK}" \ + && "${SGW_CRYPTO}" != "inline" ]]; then + echo "SGW_CRYPTO variable needs to be set to \ +\"inline\" for ${SGW_CRYPTO_FLBK} fallback setting" + exit 127 + elif [[ -n "${SGW_CRYPTO_FLBK}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ +\"library\" for ${SGW_CRYPTO_FLBK} fallback setting" + exit 127 + fi + echo "[disabled] crypto fallback mode" + fi + + # select sync/async mode + if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${DPDK_MODE}" ]]; then + echo "[enabled] crypto primary type - ${CRYPTO_PRIM_TYPE}" + SGW_CFG_XPRM_IN="${SGW_CFG_XPRM_IN} type ${CRYPTO_PRIM_TYPE}" + SGW_CFG_XPRM_OUT="${SGW_CFG_XPRM_OUT} type ${CRYPTO_PRIM_TYPE}" + else + if [[ -n "${CRYPTO_PRIM_TYPE}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ +\"library\" for ${CRYPTO_PRIM_TYPE} crypto primary type setting" + exit 127 fi fi - #make linux to generate fragmented packets - if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then - echo "multi-segment test is enabled" - SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}" + + # make linux to generate fragmented packets + if [[ -n "${SGW_MULTI_SEG}" && -n "${DPDK_MODE}" ]]; then + echo -e "[enabled] multi-segment test is enabled\n" + SGW_CMD_XPRM="--reassemble ${SGW_MULTI_SEG}" PING_LEN=5000 MTU_LEN=1500 else - if [[ -z "${MULTI_SEG_TEST}" && "${MODE}" == *fallback* ]]; then - echo "MULTI_SEG_TEST environment variable needs to be \ -set for ${MODE} test" + if [[ -z "${SGW_MULTI_SEG}" \ + && "${SGW_CFG_XPRM_IN}" == *fallback* ]]; then + echo "SGW_MULTI_SEG environment variable needs \ +to be set for ${SGW_CRYPTO_FLBK} fallback test" exit 127 + elif [[ -n "${SGW_MULTI_SEG}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ 
+\"library\" for multiple segment reassemble setting" + exit 127 fi + + echo -e "[disabled] multi-segment test\n" PING_LEN=${DEF_PING_LEN} MTU_LEN=${DEF_MTU_LEN} fi } -#setup mtu on local iface +# setup mtu on local iface set_local_mtu() { mtu=$1 @@ -105,7 +181,7 @@ config6_local_iface() ip neigh show dev ${LOCAL_IFACE} } -#configure remote host/iface +# configure remote host/iface config_remote_iface() { ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} down @@ -114,11 +190,8 @@ config_remote_iface() ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE} - # by some reason following ip neigh doesn't work for me here properly: - #ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ - # dev ${REMOTE_IFACE} lladr ${LOCAL_MAC} - # so used arp instead. - ssh ${REMOTE_HOST} arp -i ${REMOTE_IFACE} -s ${LOCAL_IPV4} ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ + dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC} ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE} ssh ${REMOTE_HOST} iptables --flush @@ -139,7 +212,7 @@ config6_remote_iface() ssh ${REMOTE_HOST} ip6tables --flush } -#configure remote and local host/iface +# configure remote and local host/iface config_iface() { config_local_iface diff --git a/examples/ipsec-secgw/test/linux_test.sh b/examples/ipsec-secgw/test/linux_test.sh new file mode 100644 index 000000000..8573bcf2e --- /dev/null +++ b/examples/ipsec-secgw/test/linux_test.sh 
@@ -0,0 +1,141 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +# Usage: /bin/bash linux_test.sh +# can be set to: +# ipv4-ipv4 - only IPv4 traffic +# ipv4-ipv6 - IPv4 traffic over IPv6 ipsec tunnel (only for tunnel mode) +# ipv6-ipv4 - IPv6 traffic over IPv4 ipsec tunnel (only for tunnel mode) +# ipv6-ipv6 - only IPv6 traffic +# For list of available modes please refer to run_test.sh. +# +# Note that most of them require appropriate crypto PMD/device to be avaialble. +# Also user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optionally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# SGW_MODE - run ipsec-secgw in legacy mode or with use of library +# values: legacy/library (legacy on default) +# SGW_ESN - run ipsec-secgw with extended sequence number +# values: esn-on/esn-off (esn-off on default) +# SGW_ATOM - run ipsec-secgw with sequence number atomic behavior +# values: atom-on/atom-off (atom-off on default) +# SGW_CRYPTO - run ipsec-secgw with use of inline crypto +# values: inline (unset on default) +# SGW_CRYPTO_FLBK - run ipsec-secgw with crypto fallback configured +# values: cpu-crypto/lookaside-none (unset on default) +# CRYPTO_PRIM_TYPE - run ipsec-secgw with crypto primary type set +# values: cpu-crypto (unset on default) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the script +# SGW_MULTI_SEG - ipsec-secgw option to enable reassembly support and +# specify size of reassembly table (i.e. SGW_MULTI_SEG=128) +# +# The purpose of the script is to automate ipsec-secgw testing +# using another system running linux as a DUT. +# It expects that SUT and DUT are connected through at least 2 NICs. 
+# One NIC is expected to be managed by linux both machines, +# and will be used as a control path +# Make sure user from SUT can ssh to DUT without entering password. +# Second NIC (test-port) should be reserved for DPDK on SUT, +# and should be managed by linux on DUT. +# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. +# Then configures local tap iface and remote iface and ipsec policies +# in the following way: +# traffic going over test-port in both directions has to be +# protected by ipsec. +# Traffic going over TAP in both directions doesn't have to be protected. +# I.E: +# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS +# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS +# Then tries to perform some data transfer using the scheme decribed above. +# + +DIR=`dirname $0` +PROTO=$1 +MODE=$2 + + . ${DIR}/common_defs.sh + +select_mode + + . ${DIR}/${MODE}_defs.sh + +if [[ "${PROTO}" == "ipv4-ipv4" ]] || [[ "${PROTO}" == "ipv6-ipv6" ]]; then + config_secgw +else + config_secgw_mixed +fi + +secgw_start + + . ${DIR}/data_rxtx.sh + +if [[ "${PROTO}" == "ipv4-ipv4" ]]; then + config_iface + config_remote_xfrm_44 + set_local_mtu ${MTU_LEN} + ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV4} + st=$? + fi +elif [[ "${PROTO}" == "ipv4-ipv6" ]]; then + if [[ "${MODE}" == trs* ]]; then + echo "Cannot mix protocols in transport mode" + secgw_stop + exit 1 + fi + config6_iface + config_remote_xfrm_46 + set_local_mtu ${MTU_LEN} + ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV4} + st=$? 
+ fi +elif [[ "${PROTO}" == "ipv6-ipv4" ]]; then + if [[ "${MODE}" == trs* ]]; then + echo "Cannot mix protocols in transport mode" + secgw_stop + exit 1 + fi + config6_iface + config_remote_xfrm_64 + + set_local_mtu ${MTU_LEN} + ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV6} + st=$? + fi +elif [[ "${PROTO}" == "ipv6-ipv6" ]]; then + config6_iface + config_remote_xfrm_66 + set_local_mtu ${MTU_LEN} + ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV6} + st=$? + fi +else + echo "Invalid " + st=128 +fi + +secgw_stop +exit $st diff --git a/examples/ipsec-secgw/test/linux_test4.sh b/examples/ipsec-secgw/test/linux_test4.sh deleted file mode 100644 index fb8ae1023..000000000 --- a/examples/ipsec-secgw/test/linux_test4.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -# usage: /bin/bash linux_test4.sh -# for list of available modes please refer to run_test.sh. -# ipsec-secgw (IPv4 mode) functional test script. -# -# Note that for most of them you required appropriate crypto PMD/device -# to be avaialble. -# Also user has to setup properly the following environment variables: -# SGW_PATH - path to the ipsec-secgw binary to test -# REMOTE_HOST - ip/hostname of the DUT -# REMOTE_IFACE - iface name for the test-port on DUT -# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') -# Also user can optonally setup: -# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) -# CRYPTO_DEV - crypto device to be used ('-w ') -# if none specified appropriate vdevs will be created by the scrit -# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and -# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# -# The purpose of the script is to automate ipsec-secgw testing -# using another system running linux as a DUT. -# It expects that SUT and DUT are connected through at least 2 NICs. -# One NIC is expected to be managed by linux both machines, -# and will be used as a control path -# Make sure user from SUT can ssh to DUT without entering password. -# Second NIC (test-port) should be reserved for DPDK on SUT, -# and should be managed by linux on DUT. -# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. -# Then configures local tap iface and remote iface and ipsec policies -# in the following way: -# traffic going over test-port in both directions has to be -# protected by ipsec. -# raffic going over TAP in both directions doesn't have to be protected. -# I.E: -# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS -# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS -# Then tries to perorm some data transfer using the scheme decribed above. 
-# - -DIR=`dirname $0` -MODE=$1 - - . ${DIR}/common_defs.sh - . ${DIR}/${MODE}_defs.sh - -select_mode - -config_secgw - -secgw_start - -config_iface - -config_remote_xfrm - - . ${DIR}/data_rxtx.sh - -set_local_mtu ${MTU_LEN} -ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} -st=$? -if [[ $st -eq 0 ]]; then - set_local_mtu ${DEF_MTU_LEN} - scp_test1 ${REMOTE_IPV4} - st=$? -fi - -secgw_stop -exit $st diff --git a/examples/ipsec-secgw/test/linux_test6.sh b/examples/ipsec-secgw/test/linux_test6.sh deleted file mode 100644 index dbcca7936..000000000 --- a/examples/ipsec-secgw/test/linux_test6.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -# usage: /bin/bash linux_test6.sh -# for list of available modes please refer to run_test.sh. -# ipsec-secgw (IPv6 mode) functional test script. -# -# Note that for most of them you required appropriate crypto PMD/device -# to be avaialble. -# Also user has to setup properly the following environment variables: -# SGW_PATH - path to the ipsec-secgw binary to test -# REMOTE_HOST - ip/hostname of the DUT -# REMOTE_IFACE - iface name for the test-port on DUT -# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') -# Also user can optonally setup: -# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) -# CRYPTO_DEV - crypto device to be used ('-w ') -# if none specified appropriate vdevs will be created by the scrit -# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and -# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# -# The purpose of the script is to automate ipsec-secgw testing -# using another system running linux as a DUT. -# It expects that SUT and DUT are connected through at least 2 NICs. -# One NIC is expected to be managed by linux both machines, -# and will be used as a control path. -# Make sure user from SUT can ssh to DUT without entering password, -# also make sure that sshd over ipv6 is enabled. -# Second NIC (test-port) should be reserved for DPDK on SUT, -# and should be managed by linux on DUT. -# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. -# Then configures local tap iface and remote iface and ipsec policies -# in the following way: -# traffic going over test-port in both directions has to be -# protected by ipsec. -# raffic going over TAP in both directions doesn't have to be protected. 
-# I.E: -# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS -# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS -# Then tries to perorm some data transfer using the scheme decribed above. -# - -DIR=`dirname $0` -MODE=$1 - - . ${DIR}/common_defs.sh - . ${DIR}/${MODE}_defs.sh - -select_mode - -config_secgw - -secgw_start - -config6_iface - -config6_remote_xfrm - - . ${DIR}/data_rxtx.sh - -set_local_mtu ${MTU_LEN} -ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} -st=$? -if [[ $st -eq 0 ]]; then - set_local_mtu ${DEF_MTU_LEN} - scp_test1 ${REMOTE_IPV6} - st=$? -fi - -secgw_stop -exit $st diff --git a/examples/ipsec-secgw/test/load_env.sh b/examples/ipsec-secgw/test/load_env.sh new file mode 100644 index 000000000..fff9176fb --- /dev/null +++ b/examples/ipsec-secgw/test/load_env.sh 
@@ -0,0 +1,121 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +DIR=`dirname $0` + +regular=0 +inline_on=0 +fallback_on=0 +legacy_only=0 +fallback_val="lookaside-none" +crypto_prim="" +multi_seg_val="" +while getopts ":iflsrc" opt +do + case $opt in + i) + inline_on=1 + ;; + f) + fallback_on=1 + ;; + l) + legacy_only=1 + ;; + s) + multi_seg_val="SGW_MULTI_SEG=128" + ;; + r) + regular=1 + ;; + c) + crypto_prim="CRYPTO_PRIM_TYPE=cpu-crypto" + fallback_val="cpu-crypto" + ;; + esac +done +shift $((OPTIND -1)) + +PROTO=$1 +MODE=$2 + +# test scenarios to set up for regular test +TEST_MODES_REGULAR="legacy \ +library \ +library_esn \ +library_esn_atom" + +# test scenarios to set up for inline test +TEST_MODES_INLINE="legacy_inline \ +library_inline" + +# test scenarios to set up for fallback test +TEST_MODES_FALLBACK="library_fallback" + +# env variables to export for specific test scenarios +default="SGW_MODE=legacy SGW_ESN=esn-off SGW_ATOM=atom-off SGW_CRYPTO=regular \ +SGW_CRYPTO_FLBK= ${multi_seg_val}" +legacy="${default} CRYPTO_PRIM_TYPE=" +library="${default} SGW_MODE=library ${crypto_prim}" +library_esn="${default} SGW_MODE=library SGW_ESN=esn-on ${crypto_prim}" +library_esn_atom="${default} SGW_MODE=library SGW_ESN=esn-on SGW_ATOM=atom-on \ +${crypto_prim}" +legacy_inline="${default} SGW_CRYPTO=inline CRYPTO_PRIM_TYPE=" +library_inline="${default} SGW_MODE=library SGW_CRYPTO=inline CRYPTO_PRIM_TYPE=" +library_fallback="${default} SGW_MODE=library SGW_CRYPTO=inline \ +SGW_CRYPTO_FLBK=${fallback_val} SGW_MULTI_SEG=128 CRYPTO_PRIM_TYPE=" + +# export needed env variables and run tests +if [[ ${regular} -eq 1 ]]; then + for i in ${TEST_MODES_REGULAR}; do + if [[ ${legacy_only} -eq 1 && "${i}" != *legacy* ]]; then + continue + elif [[ ${legacy_only} -eq 0 && "${i}" == *legacy* ]]; then + continue + fi + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? 
+ if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done +elif [[ ${inline_on} -eq 1 || ${fallback_on} -eq 1 ]]; then + if [[ ${inline_on} -eq 1 ]]; then + for i in ${TEST_MODES_INLINE}; do + if [[ ${legacy_only} -eq 1 && "${i}" != *legacy* ]] + then + continue + elif [[ ${legacy_only} -eq 0 && "${i}" == *legacy* ]] + then + continue + fi + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? + if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done + fi + if [[ ${fallback_on} -eq 1 ]]; then + for i in ${TEST_MODES_FALLBACK}; do + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? + if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done + fi +fi +exit 0 diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 3e3930991..1222308bb 100755 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh 
@@ -1,69 +1,67 @@ #! /bin/bash # SPDX-License-Identifier: BSD-3-Clause -# usage: /bin/bash run_test.sh [-46] -# Run all defined linux_test[4,6].sh test-cases one by one -# user has to setup properly the following environment variables: -# SGW_PATH - path to the ipsec-secgw binary to test -# REMOTE_HOST - ip/hostname of the DUT -# REMOTE_IFACE - iface name for the test-port on DUT -# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') -# Also user can optonally setup: -# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) -# CRYPTO_DEV - crypto device to be used ('-w ') -# if none specified appropriate vdevs will be created by the scrit -# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and -# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# refer to linux_test[4,6].sh for more information - - -# All supported modes to test. -# naming convention: -# 'old' means that ipsec-secgw will run in legacy (non-librte_ipsec mode) +# Usage: /bin/bash run_test.sh [-46miflscph] +# Run all defined linux_test.sh test-cases one by one +# If is specified, run only that test case +# User has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optionally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the script +# SGW_MULTI_SEG - ipsec-secgw option to enable reassembly support and +# specify size of reassembly table (i.e. 
SGW_MULTI_SEG=128) +# Refer to linux_test.sh for more information + +# All supported modes to test: +# trs_3descbc_sha1 +# trs_aescbc_sha1 +# trs_aesctr_sha1 +# trs_aesgcm +# tun_3descbc_sha1 +# tun_aescbc_sha1 +# tun_aesctr_sha1 +# tun_aesgcm +# Naming convention: # 'tun/trs' refer to tunnel/transport mode respectively usage() { echo "Usage:" - echo -e "\t$0 -[46p]" + echo -e "\t$0 -[46miflscph] " echo -e "\t\t-4 Perform Linux IPv4 network tests" echo -e "\t\t-6 Perform Linux IPv6 network tests" + echo -e "\t\t-m Add mixed IP protocol tests to IPv4/IPv6 \ +(only with option [-46])" + echo -e "\t\t-i Run inline tests (only with option [-46])" + echo -e "\t\t-f Run fallback tests (only with option [-46])" + echo -e "\t\t-l Run tests in legacy mode" + echo -e "\t\t-s Run all tests with reassembly support \ +(on default only fallback tests use reassembly support)" + echo -e "\t\t-c Run tests with use of cpu-crypto \ +(on default lookaside-none is used)" echo -e "\t\t-p Perform packet validation tests" echo -e "\t\t-h Display this help" + echo -e "\t\t Run only specified test case i.e. 
tun_aesgcm" } -LINUX_TEST="tun_aescbc_sha1 \ -tun_aescbc_sha1_esn \ -tun_aescbc_sha1_esn_atom \ -tun_aesgcm \ -tun_aesgcm_esn \ -tun_aesgcm_esn_atom \ +LINUX_TEST="trs_3descbc_sha1 \ trs_aescbc_sha1 \ -trs_aescbc_sha1_esn \ -trs_aescbc_sha1_esn_atom \ -trs_aesgcm \ -trs_aesgcm_esn \ -trs_aesgcm_esn_atom \ -tun_aescbc_sha1_old \ -tun_aesgcm_old \ -trs_aescbc_sha1_old \ -trs_aesgcm_old \ -tun_aesctr_sha1 \ -tun_aesctr_sha1_old \ -tun_aesctr_sha1_esn \ -tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ -trs_aesctr_sha1_old \ -trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom \ +trs_aesgcm \ tun_3descbc_sha1 \ -tun_3descbc_sha1_old \ -tun_3descbc_sha1_esn \ -tun_3descbc_sha1_esn_atom \ -trs_3descbc_sha1 \ -trs_3descbc_sha1_old \ -trs_3descbc_sha1_esn \ -trs_3descbc_sha1_esn_atom" +tun_aescbc_sha1 \ +tun_aesctr_sha1 \ +tun_aesgcm" + +LINUX_TEST_INLINE_FALLBACK="trs_aesgcm \ +tun_aesgcm" + +LINUX_TEST_RUN="" PKT_TESTS="trs_ipv6opts \ tun_null_header_reconstruct" @@ -74,7 +72,14 @@ DIR=$(dirname $0) run4=0 run6=0 runpkt=0 -while getopts ":46ph" opt +mixed=0 +inline=0 +fallback=0 +legacy=0 +multi_seg=0 +cpu_crypto=0 +options="" +while getopts ":46miflscph" opt do case $opt in 4) @@ -83,6 +88,27 @@ do 6) run6=1 ;; + m) + mixed=1 + ;; + i) + inline=1 + ;; + f) + fallback=1 + ;; + l) + legacy=1 + options="${options} -l" + ;; + s) + multi_seg=1 + options="${options} -s" + ;; + c) + cpu_crypto=1 + options="${options} -c" + ;; p) runpkt=1 ;; 
@@ -98,12 +124,27 @@ do esac done +shift $((OPTIND -1)) +LINUX_TEST_RUN=$* + # no test suite has been selected if [[ ${run4} -eq 0 && ${run6} -eq 0 && ${runpkt} -eq 0 ]]; then usage exit 127 fi +# check parameters +if [[ ${legacy} -eq 1 ]] && [[ ${multi_seg} -eq 1 || ${fallback} -eq 1 \ + || ${cpu_crypto} -eq 1 ]]; then + echo "Fallback/reassembly/cpu-crypto cannot be used with legacy mode" + exit 127 +fi + +if [[ ${cpu_crypto} -eq 1 && ${inline} -eq 1 && ${fallback} -eq 0 ]]; then + echo "cpu-crypto cannot be used with inline mode" + exit 127 +fi + # perform packet processing validation tests st=0 if [ $runpkt -eq 1 ]; then 
@@ -118,30 +159,84 @@ if [ $runpkt -eq 1 ]; then fi fi -# perform network tests -if [[ ${run4} -eq 1 || ${run6} -eq 1 ]]; then - for i in ${LINUX_TEST}; do +desc="" + +# set inline/fallback tests if needed +if [[ ${inline} -eq 1 || ${fallback} -eq 1 ]]; then + + # add inline option if needed + if [[ ${inline} -eq 1 ]]; then + options="${options} -i" + desc="inline" + fi + # add fallback option if needed + if [[ ${fallback} -eq 1 ]]; then + options="${options} -f" + if [[ "${desc}" == "inline" ]]; then + desc="${desc} and fallback" + else + desc="fallback" + fi + fi + + # select tests to run + if [[ -z "${LINUX_TEST_RUN}" ]]; then + LINUX_TEST_RUN="${LINUX_TEST_INLINE_FALLBACK}" + fi +else + options="${options} -r" +fi + +# select tests to run +if [[ -z "${LINUX_TEST_RUN}" ]]; then + LINUX_TEST_RUN="${LINUX_TEST}" +fi + +# perform selected tests +if [[ ${run4} -eq 1 || ${run6} -eq 1 ]] ; then - echo "starting test ${i}" + for i in ${LINUX_TEST_RUN}; do + + echo "starting ${desc} test ${i}" st4=0 + st4m=0 if [[ ${run4} -ne 0 ]]; then - /bin/bash ${DIR}/linux_test4.sh ${i} + /bin/bash ${DIR}/load_env.sh ${options} ipv4-ipv4 ${i} st4=$? - echo "test4 ${i} finished with status ${st4}" + echo "${desc} test IPv4 ${i} finished with status \ +${st4}" + if [[ ${mixed} -ne 0 ]] && [[ "${i}" == tun* ]]; then + /bin/bash ${DIR}/load_env.sh ${options} \ + ipv4-ipv6 ${i} + st4m=$? + echo "${desc} test IPv4-IPv6 ${i} finished with\ + status ${st4m}" + fi fi st6=0 + st6m=0 if [[ ${run6} -ne 0 ]]; then - /bin/bash ${DIR}/linux_test6.sh ${i} + /bin/bash ${DIR}/load_env.sh ${options} ipv6-ipv6 ${i} st6=$? - echo "test6 ${i} finished with status ${st6}" + echo "${desc} test IPv6 ${i} finished with status \ +${st6}" + if [[ ${mixed} -ne 0 ]] && [[ "${i}" == tun* ]]; then + /bin/bash ${DIR}/load_env.sh ${options} \ + ipv6-ipv4 ${i} + st6m=$? 
+ echo "${desc} test IPv6-IPv4 ${i} finished with\ + status ${st6m}" + fi fi - let "st = st4 + st6" + let "st = st4 + st6 + st4m + st6m" if [[ $st -ne 0 ]]; then - echo "ERROR test ${i} FAILED" + echo "ERROR ${desc} test ${i} FAILED" exit $st fi done fi + +echo "All tests have ended successfully" diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh index 62118bb3f..a66b0ec1e 100644 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -33,14 +33,14 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo 3des-cbc \ @@ -48,7 +48,7 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #SA out rules sa out 9 cipher_algo 3des-cbc \ @@ -56,7 +56,7 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh index a12c8b58d..bbee6a1da 100644 
--- a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -3,9 +3,9 @@ . ${DIR}/trs_3descbc_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -22,13 +22,13 @@ tmpl proto esp mode transport reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef @@ -36,9 +36,10 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ 
@@ -53,13 +54,13 @@ tmpl proto esp mode transport reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh deleted file mode 100644 index 44902a08b..000000000 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_3descbc_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh deleted file mode 100644 index fdd62c609..000000000 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_3descbc_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport 
replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh deleted file mode 100644 index 634f9628d..000000000 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_3descbc_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh index 7ddeb2b5a..d92292452 100644 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh 
@@ -32,27 +32,27 @@ sa in 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #SA out rules sa out 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh index 9602d5041..0665a0bc6 100644 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh @@ -3,9 +3,9 @@ . ${DIR}/trs_aescbc_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush 
@@ -22,13 +22,13 @@ tmpl proto esp mode transport reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef @@ -36,9 +36,10 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -53,13 +54,13 @@ tmpl proto esp mode transport reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh deleted file mode 100644 index 712ea9f2e..000000000 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aescbc_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh deleted file mode 100644 index 247659fb7..000000000 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aescbc_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 
0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh deleted file mode 100644 index 91f70a378..000000000 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aescbc_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh index f0178355a..7d2db073b 100644 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -32,27 +32,27 @@ sa in 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #SA out rules sa out 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh index 68586c81c..3390055db 100644 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -3,9 +3,9 @@ . ${DIR}/trs_aesctr_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -22,13 +22,13 @@ tmpl proto esp mode transport reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef @@ -36,9 +36,10 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ 
@@ -53,13 +54,13 @@ tmpl proto esp mode transport reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh deleted file mode 100644 index 7bdde2d95..000000000 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesctr_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh deleted file mode 100644 index 011e6c748..000000000 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesctr_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 
flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh deleted file mode 100644 index 1f41c645c..000000000 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesctr_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh index 1d1835e17..47eef4d9b 100644 --- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh @@ -30,20 +30,20 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 #SA in rules sa in 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN} +mode transport ${SGW_CFG_XPRM_IN} sa in 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN} +mode transport ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} sa out 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM_OUT} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh index 8ed615266..48c2687d0 100644 --- a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh 
@@ -3,9 +3,9 @@ . ${DIR}/trs_aesgcm_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -22,13 +22,13 @@ tmpl proto esp mode transport reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 @@ -36,9 +36,10 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -52,13 +53,13 @@ tmpl proto esp mode transport reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh deleted file mode 100644 index 0b943592b..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh deleted file mode 100644 index 7580fc964..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl proto esp mode transport reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl proto esp mode transport reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh 
${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh deleted file mode 100644 index f2c394470..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh +++ /dev/null @@ -1,7 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_defs.sh - -CRYPTO_DEV='--vdev="crypto_null0"' -SGW_CFG_XPRM='port_id 0 type inline-crypto-offload' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh deleted file mode 100644 index c00a5ba3a..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_defs.sh - -if [[ -z "${CRYPTO_FLBK_TYPE}" ]]; then - CRYPTO_FLBK_TYPE="fallback lookaside-none" -fi - -SGW_CFG_XPRM_IN="port_id 0 type inline-crypto-offload ${CRYPTO_FLBK_TYPE}" diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh deleted file mode 100644 index 3850819f8..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_inline_crypto_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh deleted file mode 100644 index 1f33d9a9f..000000000 --- a/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/trs_aesgcm_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh index d8869fad0..8804139df 100644 
--- a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -33,14 +33,14 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo 3des-cbc \ 
@@ -48,14 +48,82 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} sa out 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key 
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh index 903b0fd7c..7c2d065ab 100644 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -3,9 +3,9 @@ . ${DIR}/tun_3descbc_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush 
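Review bot: `SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"` reads its own previous value, so the result depends on whatever is exported before this file is sourced, and it grows if the file is sourced twice in one shell. The fixed default `-w 300 -l` is also gone: with all three variables unset the gateway gets an empty option string, which is what the removed *_old_defs.sh files selected with `SGW_CMD_XPRM=`. If that is the intended default, say so in a comment next to the assignment; otherwise build the string from a separate variable for caller-supplied options and keep `-w 300 -l` as the fallback.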
@@ -24,13 +24,13 @@ proto esp mode tunnel reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 
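Review bot: `${XFRM_ESN}` on the two `ip xfrm state add` lines makes the remote side's ESN setting independent of the gateway's `-e` option. The removed tun_3descbc_sha1_esn_defs.sh kept the two together (`SGW_CMD_XPRM='-e -w 300 -l'` alongside `flag esn`); with separate variables it is possible to enable ESN on one end only, and the resulting failure will look like an authentication or traffic problem rather than a configuration mistake. Derive both from one switch, or check before the test starts that `XFRM_ESN` is `flag esn` exactly when `-e` is passed.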
@@ -38,9 +38,80 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ 
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -56,13 +127,13 @@ proto esp mode tunnel reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh deleted file mode 100644 index 0644ba13a..000000000 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_3descbc_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' 
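Review bot: Removing tun_3descbc_sha1_esn_atom_defs.sh drops the only place where the 3DES-CBC ESN plus atomic combination (`-e -a -w 300 -l`) was written down, and nothing in the visible part of the patch says which environment settings reproduce it. Please list, in the commit message or in a comment in the test scripts, the variable values that replace each deleted *_defs.sh file, so that this case keeps being run after the clean-up.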
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh deleted file mode 100644 index 168cc0748..000000000 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_3descbc_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp mode tunnel reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp mode tunnel reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp mode tunnel reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp mode tunnel reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 
0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh deleted file mode 100644 index 8355f6f4b..000000000 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_3descbc_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh index 2616926b2..9e2276997 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh 
@@ -32,26 +32,90 @@ sa in 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} sa out 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 
0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh index ae47994f6..b95d81458 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh 
@@ -3,9 +3,9 @@ . ${DIR}/tun_aescbc_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -24,13 +24,13 @@ proto esp mode tunnel reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef 
@@ -38,9 +38,80 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 
0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -56,13 +127,13 @@ proto esp mode tunnel reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh deleted file mode 100644 index a82b87cba..000000000 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aescbc_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh deleted file mode 100644 index b1d0e2616..000000000 
--- a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aescbc_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp mode tunnel reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp mode tunnel reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp mode tunnel reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp mode tunnel reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ 
-proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh deleted file mode 100644 index a72486a4d..000000000 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aescbc_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh index 06b561fd7..0f0111d84 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh 
@@ -32,26 +32,90 @@ sa in 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} sa in 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} sa out 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src 
${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh index b5d8d64b0..fd92f8769 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh 
@@ -3,9 +3,9 @@ . ${DIR}/tun_aesctr_sha1_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -24,13 +24,13 @@ proto esp mode tunnel reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 
@@ -38,9 +38,80 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto 
esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -56,13 +127,13 @@ proto esp mode tunnel reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \ auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh deleted file mode 100644 index 078ef5030..000000000 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesctr_sha1_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' 
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh deleted file mode 100644 index 7990801d7..000000000 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesctr_sha1_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp mode tunnel reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp mode tunnel reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp mode tunnel reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp mode tunnel reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - 
- ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ -auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ -enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh deleted file mode 100644 index e9da4c178..000000000 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesctr_sha1_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh index d846aace5..bf4956293 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh 
@@ -30,22 +30,76 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 #SA in rules sa in 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \ -${SGW_CFG_XPRM_IN} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} sa in 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \ -${SGW_CFG_XPRM_IN} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} sa out 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 
sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} + +sa in 6 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} + +#SA out rules +sa out 8 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} + +sa out 6 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh index 5e0c935b3..2528d02c8 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh @@ -3,9 +3,9 @@ . ${DIR}/tun_aesgcm_common_defs.sh -SGW_CMD_XPRM='-w 300 -l' +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush 
@@ -24,13 +24,13 @@ proto esp mode tunnel reqid 2 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 
@@ -38,9 +38,80 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 
128 \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ @@ -56,13 +127,13 @@ proto esp mode tunnel reqid 4 ssh ${REMOTE_HOST} ip xfrm state add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 ssh ${REMOTE_HOST} ip xfrm state add \ src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \ aead "rfc4106\(gcm\(aes\)\)" \ 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh deleted file mode 100644 index e3dffbea1..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_esn_defs.sh - -SGW_CMD_XPRM='-e -a -w 300 -l' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh deleted file mode 100644 index b5ced8cbf..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_common_defs.sh - -SGW_CMD_XPRM='-e -w 300 -l' - -config_remote_xfrm() -{ - ssh ${REMOTE_HOST} ip xfrm policy flush - ssh ${REMOTE_HOST} ip xfrm state flush - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp mode tunnel reqid 1 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp mode tunnel reqid 2 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ -proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ -proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} - -config6_remote_xfrm() -{ - config_remote_xfrm - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -dir out ptype main action allow \ -tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp mode tunnel reqid 3 - - ssh ${REMOTE_HOST} ip xfrm policy add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -dir in ptype main action allow \ -tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp mode tunnel reqid 4 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ -proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ -aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm state add \ -src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ -proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ 
-aead "rfc4106\(gcm\(aes\)\)" \ -0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 - - ssh ${REMOTE_HOST} ip xfrm policy list - ssh ${REMOTE_HOST} ip xfrm state list -} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh deleted file mode 100644 index c4654c8a2..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh +++ /dev/null @@ -1,7 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_defs.sh - -CRYPTO_DEV='--vdev="crypto_null0"' -SGW_CFG_XPRM='port_id 0 type inline-crypto-offload' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh deleted file mode 100644 index e098bd3a7..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_defs.sh - -if [[ -z "${CRYPTO_FLBK_TYPE}" ]]; then - CRYPTO_FLBK_TYPE="fallback lookaside-none" -fi - -SGW_CFG_XPRM_IN="port_id 0 type inline-crypto-offload ${CRYPTO_FLBK_TYPE}" diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh deleted file mode 100644 index 7830065f3..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_inline_crypto_defs.sh - -SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh deleted file mode 100644 index e9be7743a..000000000 --- a/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh +++ /dev/null @@ -1,6 +0,0 @@ -#! /bin/bash -# SPDX-License-Identifier: BSD-3-Clause - -. ${DIR}/tun_aesgcm_defs.sh - -SGW_CMD_XPRM= -- 2.17.1
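Review bot: in tun_aesgcm_defs.sh (hunk @@ -3,9 +3,9 @@) the new assignment `SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"` reads its own previous value. The result therefore depends on whatever the caller exported, and it grows each time the file is sourced in the same shell. The line it replaces set a fixed value ('-w 300 -l'), and neither DPDK_VARS nor DPDK_MODE is defined or described in the lines shown. Suggest composing the command line into a separately named variable, and adding a short comment block at the top of the file listing the variables the caller must provide and what an empty value means.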
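Review bot: the `ip xfrm state add` lines in config_remote_xfrm_44, _46, _64 and _66 now take the ESN setting from an unquoted `${XFRM_ESN}`, while the deleted tun_aesgcm_esn_defs.sh and tun_aesctr_sha1_esn_defs.sh set `flag esn` on the remote side together with `-e` in SGW_CMD_XPRM. With the two ends driven by independent variables, nothing in these hunks keeps them in agreement, and a run where only one is set would surface as a traffic failure rather than a configuration error. Suggest deriving both from a single switch, or checking their consistency before the remote configuration is applied.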
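Review bot: config_remote_xfrm_66 in tun_aesgcm_defs.sh (hunk @@ -38,9 +38,80 @@) changes behaviour, not just the name. The old config6_remote_xfrm called config_remote_xfrm first, so the remote host ended up with both the IPv4 and the IPv6 policies and states; the new function flushes and installs only the IPv6 entries (reqid 3 and 4). If that is intended, please say so in the commit message and confirm that no IPv6 test case still relies on the IPv4 tunnel being present. The four functions also repeat the same flush, policy and list sequence with only the addresses, SPI and reqid changing, so a shared helper taking those as arguments would remove most of the added lines and the chance of the copies drifting apart.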
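Review bot: in tun_aesgcm_common_defs.sh (hunk @@ -30,22 +30,76 @@) the SA rules now depend on `${SGW_CFG_XPRM_IN}` and `${SGW_CFG_XPRM_OUT}`, but the lines shown do not say where either is set, and if both are empty the SAs are written without any type. The deleted tun_aesgcm_inline_crypto_fallback_defs.sh applied `${CRYPTO_FLBK_TYPE}` to the inbound SAs only, so a comment stating that the fallback belongs in SGW_CFG_XPRM_IN and not in SGW_CFG_XPRM_OUT would help keep that restriction. In config_secgw_mixed, the IPv4 policies protect with SPI 6, whose SA is the ipv6-tunnel one, and the IPv6 policies use SPI 8 with the ipv4-tunnel SA; this matches config_remote_xfrm_46 and _64 but is easy to misread as a mistake, so a one-line comment on the cross mapping is worth adding. The section comments also mix `#sp in` and `#SP out`.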