From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id C37D71B5B3 for ; Fri, 30 Nov 2018 18:04:38 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Nov 2018 09:04:38 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,299,1539673200"; d="scan'208";a="293697603" Received: from sivswdev08.ir.intel.com (HELO localhost.localdomain) ([10.237.217.47]) by fmsmga006.fm.intel.com with ESMTP; 30 Nov 2018 09:04:36 -0800 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, radu.nicolau@intel.com, Konstantin Ananyev Date: Fri, 30 Nov 2018 17:04:20 +0000 Message-Id: <1543597460-6962-8-git-send-email-konstantin.ananyev@intel.com> X-Mailer: git-send-email 1.7.0.7 In-Reply-To: <1542912591-20403-2-git-send-email-konstantin.ananyev@intel.com> References: <1542912591-20403-2-git-send-email-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH v2 7/7] examples/ipsec-secgw: add scripts for functional test X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Nov 2018 17:04:39 -0000 The purpose of these scripts is to automate ipsec-secgw functional testing. The scripts require two machines (SUT and DUT) connected through at least 2 NICs and running linux (so far tested only on Ubuntu 18.04). Introduced test-cases for the following scenarios: - Transport/Tunnel modes - AES-CBC SHA1 - AES-GCM - ESN on/off - legacy/librte_ipsec code path Signed-off-by: Konstantin Ananyev --- examples/ipsec-secgw/test/common_defs.sh | 113 ++++++++++++++++++ examples/ipsec-secgw/test/data_rxtx.sh | 70 +++++++++++ examples/ipsec-secgw/test/linux_test1.sh | 62 ++++++++++ examples/ipsec-secgw/test/run_test.sh | 48 ++++++++ .../test/trs_aescbc_sha1_common_defs.sh | 42 +++++++ .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh | 38 ++++++ .../test/trs_aescbc_sha1_esn_atom_defs.sh | 5 + .../test/trs_aescbc_sha1_esn_defs.sh | 36 ++++++ .../test/trs_aescbc_sha1_old_defs.sh | 5 + .../test/trs_aesgcm_common_defs.sh | 38 ++++++ examples/ipsec-secgw/test/trs_aesgcm_defs.sh | 37 ++++++ .../test/trs_aesgcm_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh | 36 ++++++ .../ipsec-secgw/test/trs_aesgcm_old_defs.sh | 5 + .../test/tun_aescbc_sha1_common_defs.sh | 42 +++++++ .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh | 38 ++++++ .../test/tun_aescbc_sha1_esn_atom_defs.sh | 5 + .../test/tun_aescbc_sha1_esn_defs.sh | 38 ++++++ .../test/tun_aescbc_sha1_old_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh | 38 ++++++ examples/ipsec-secgw/test/tun_aesgcm_defs.sh | 38 ++++++ .../test/tun_aesgcm_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh | 38 ++++++ .../ipsec-secgw/test/tun_aesgcm_old_defs.sh | 5 + 24 files changed, 792 insertions(+) create mode 100644 examples/ipsec-secgw/test/common_defs.sh create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh create mode 100644 examples/ipsec-secgw/test/linux_test1.sh create mode 100644 examples/ipsec-secgw/test/run_test.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh new file mode 100644 index 000000000..835eca41d --- /dev/null +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -0,0 +1,113 @@ +#! /bin/bash + +#check that env vars are properly defined + +#check SGW_PATH +if [[ -z "${SGW_PATH}" || ! -x ${SGW_PATH} ]]; then + echo "SGW_PATH is invalid" + exit 127 +fi + +#check ETH_DEV +if [[ -z "${ETH_DEV}" ]]; then + echo "ETH_DEV is invalid" + exit 127 +fi + +#setup SGW_LCORE +SGW_LCORE=${SGW_LCORE:-0} + +#check that REMOTE_HOST is reachable +ssh ${REMOTE_HOST} echo +st=$? +if [[ $st -ne 0 ]]; then + echo "host ${REMOTE_HOST} is not reachable" + exit $st +fi + +#get ether addr of REMOTE_HOST +REMOTE_MAC=`ssh ${REMOTE_HOST} ip addr show dev ${REMOTE_IFACE}` +st=$? +REMOTE_MAC=`echo ${REMOTE_MAC} | sed -e 's/^.*ether //' -e 's/ brd.*$//'` +if [[ $st -ne 0 || -z "${REMOTE_MAC}" ]]; then + echo "coouldn't retrieve ether addr from ${REMOTE_IFACE}" + exit 127 +fi + +LOCAL_IFACE=dtap0 + +LOCAL_MAC="00:64:74:61:70:30" + +REMOTE_IPV4=192.168.31.14 +LOCAL_IPV4=192.168.31.92 + +DPDK_PATH=${RTE_SDK:-${PWD}} +DPDK_BUILD=${RTE_TARGET:-x86_64-native-linuxapp-gcc} + +SGW_OUT_FILE=./ipsec-secgw.out1 + +SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" +SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" +SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" + +SGW_CFG_FILE=$(tempfile) + +# configure local host/ifaces +config_local_iface() +{ + ifconfig ${LOCAL_IFACE} ${LOCAL_IPV4}/24 mtu 1440 up + ifconfig ${LOCAL_IFACE} + + ip neigh flush dev ${LOCAL_IFACE} + arp -i ${LOCAL_IFACE} -s ${REMOTE_IPV4} ${LOCAL_MAC} + ip neigh show +} + +#configure remote host/iface +config_remote_iface() +{ + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} down + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} ${REMOTE_IPV4}/24 up + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE} + + # by some reason following ip neigh doesn't work for me here properly: + #ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} lladr ${LOCAL_MAC} \ + # dev ${REMOTE_IFACE} + # so used arp instead. + ssh ${REMOTE_HOST} arp -i ${REMOTE_IFACE} -s ${LOCAL_IPV4} ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh show +} + +config_iface() +{ + config_local_iface + config_remote_iface +} + +#start ipsec-secgw +secgw_start() +{ + SGW_EXEC_FILE=$(tempfile) + cat < ${SGW_EXEC_FILE} +${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ +--vdev="net_tap0,mac=fixed" \ +-- ${SGW_CMD_PRM} ${SGW_CMD_XPRM} -f ${SGW_CFG_FILE} > \ +${SGW_OUT_FILE} 2>&1 & +p=\$! +echo \$p +EOF + + cat ${SGW_EXEC_FILE} + SGW_PID=`/bin/bash -x ${SGW_EXEC_FILE}` + sleep 1 +} + +#stop ipsec-secgw and cleanup +secgw_stop() +{ + kill ${SGW_PID} + rm -f ${SGW_EXEC_FILE} + rm -f ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/data_rxtx.sh b/examples/ipsec-secgw/test/data_rxtx.sh new file mode 100644 index 000000000..f2ff96eff --- /dev/null +++ b/examples/ipsec-secgw/test/data_rxtx.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +TCP_PORT=22222 + +ping_test1() +{ + dst=$1 + + i=0 + st=0 + while [[ $i -ne 1400 && $st -eq 0 ]]; + do + let i++ + ping -c 1 -s ${i} ${dst} + st=$? + done + + if [[ $st -ne 0 ]]; then + echo "ERROR: $0 failed for dst=${dst}, sz=${i}" + fi + return $st; +} + +scp_test1() +{ + for sz in 1234 23456 345678 4567890 56789102 ; do + x=$(tempfile) + dd if=/dev/urandom of=${x}.in bs=${sz} count=1 + scp ${x} ${REMOTE_IPV4}:${x} + scp ${REMOTE_IPV4}:${x} ${x}.copy1 + diff -u ${x} ${x}.copy1 + st=$? + rm -f ${x} ${x}.out + ssh ${REMOTE_HOST} rm -f ${x} + if [[ $st -ne 0 ]]; then + return $st + fi + done + + return 0; +} + +tcp_test1() +{ + for sz in 1234 23456 345678 4567890 56789102 ; do + x=`basename $0`.${sz} + rcmd=$(tempfile) + lcmd=$(tempfile) + dd if=/dev/urandom of=${x} bs=${sz} count=1 + echo "nc -l ${REMOTE_IPV4} ${TCP_PORT} > ${x}; \ + nc -q 0 ${LOCAL_IPV4} ${TCP_PORT} < ${x}; \ + rm -f ${x}" > ${rcmd} + echo "nc -l ${LOCAL_IPV4} ${TCP_PORT} > ${x}.copy" > ${lcmd} + scp ${rcmd} ${REMOTE_HOST}:${rcmd} + ssh ${REMOTE_HOST} /bin/bash -x ${rcmd} & + /bin/bash -x ${lcmd} & + sleep 1 + nc -q 0 ${REMOTE_IPV4} ${TCP_PORT} < ${x} + wait + diff -u ${x} ${x}.copy + st=$? + rm -f ${x} ${x}.copy ${rcmd} ${lcmd} + ssh ${REMOTE_HOST} rm -f ${rcmd} + if [[ $st -ne 0 ]]; then + return $st + fi + done + + return $st; +} diff --git a/examples/ipsec-secgw/test/linux_test1.sh b/examples/ipsec-secgw/test/linux_test1.sh new file mode 100644 index 000000000..8265ba6ea --- /dev/null +++ b/examples/ipsec-secgw/test/linux_test1.sh @@ -0,0 +1,62 @@ +#! /bin/bash + +# usage: /bin/bash linux_test1.sh +# for list of available modes please refer to run_test.sh. +# +# Note that for most of them you required appropriate crypto PMD/device +# to be avaialble. +# Also user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optonally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the scrit +# +# The purpose of the script is to automate ipsec-secgw testing +# using another system running linux as a DUT. +# It expects that SUT and DUT are connected through at least 2 NICs. +# One NIC is expected to be managed by linux both machines, +# and will be used as a control path +# (make sure user from SUT can ssh to DUT without entering password). +# Second NIC (test-port) should be reserved for DPDK on SUT, +# and should be managed by linux on DUT. +# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. +# Then configures local tap iface and remote iface and ipsec policies +# in the following way: +# traffic going over test-port in both directions has to be +# protected by ipsec. +# raffic going over TAP in both directions doesn't have to be protected. +# I.E: +# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS +# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS +# Then tries to perorm some data transfer using the scheme decribed above. +# + +DIR=`dirname $0` +MODE=$1 + + . ${DIR}/common_defs.sh + . ${DIR}/${MODE}_defs.sh + +config_secgw + +secgw_start + +config_iface + +config_remote_xfrm + + . ${DIR}/data_rxtx.sh + +ping_test1 ${REMOTE_IPV4} +st=$? +if [[ $st -eq 0 ]]; then + tcp_test1 + st=$? +fi + +secgw_stop +exit $st diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh new file mode 100644 index 000000000..7d0298819 --- /dev/null +++ b/examples/ipsec-secgw/test/run_test.sh @@ -0,0 +1,48 @@ +#! /bin/bash + +# usage: /bin/bash run_test.sh +# Run all defined linux_test1 test-cases one by one +# user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optonally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the scrit +# refer to linux_test1.sh for more information + +# All supported modes to test. +# naming convention: +# 'old' means that ipsec-secgw will run in legacy (non-librte_ipsec mode) +# 'tun/trs' refer to tunnel/transport mode respectively +LINUX_TEST1="tun_aescbc_sha1 \ +tun_aescbc_sha1_esn \ +tun_aescbc_sha1_esn_atom \ +tun_aesgcm \ +tun_aesgcm_esn \ +tun_aesgcm_esn_atom \ +trs_aescbc_sha1 \ +trs_aescbc_sha1_esn \ +trs_aescbc_sha1_esn_atom \ +trs_aesgcm \ +trs_aesgcm_esn \ +trs_aesgcm_esn_atom \ +tun_aescbc_sha1_old \ +tun_aesgcm_old \ +trs_aescbc_sha1_old \ +trs_aesgcm_old" + +DIR=`dirname $0` + +for i in ${LINUX_TEST1}; do + echo "starting test ${i}" + /bin/bash ${DIR}/linux_test1.sh ${i} + st=$? + echo "test ${i} finished with status ${st}" + if [[ $st -ne 0 ]]; then + echo "ERROR test ${i} FAILED" + exit $st + fi +done diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh new file mode 100644 index 000000000..40bea68a0 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh @@ -0,0 +1,42 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh new file mode 100644 index 000000000..db4720abc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..f16222e11 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh new file mode 100644 index 000000000..04f335023 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh @@ -0,0 +1,36 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh new file mode 100644 index 000000000..a3abb6103 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh new file mode 100644 index 000000000..239782d96 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh new file mode 100644 index 000000000..bc89522b0 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh @@ -0,0 +1,37 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh new file mode 100644 index 000000000..80d8d63b8 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh new file mode 100644 index 000000000..c0f3021e9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh @@ -0,0 +1,36 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh new file mode 100644 index 000000000..951e6b68f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh new file mode 100644 index 000000000..630808c21 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh @@ -0,0 +1,42 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +sp ipv4 in esp protect 7 pri 2 src 192.168.0.0/16 dst 192.168.0.0/16 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src 192.168.0.0/16 dst 192.168.0.0/16 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +#SA out rules +sa out 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh new file mode 100644 index 000000000..2f6ffaeeb --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..6b4a82149 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh new file mode 100644 index 000000000..0ca7684bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh new file mode 100644 index 000000000..3c0d8d1b1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh new file mode 100644 index 000000000..bebd38145 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +sp ipv4 in esp protect 7 pri 2 src 192.168.0.0/16 dst 192.168.0.0/16 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src 192.168.0.0/16 dst 192.168.0.0/16 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +#SA out rules +sa out 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh new file mode 100644 index 000000000..d0bb9afae --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh new file mode 100644 index 000000000..dab1460c8 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh new file mode 100644 index 000000000..814d5f016 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh @@ -0,0 +1,38 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh new file mode 100644 index 000000000..e0a015e21 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +SGW_CMD_XPRM= -- 2.17.1