From patchwork Wed Jan 9 11:44:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ananyev, Konstantin" X-Patchwork-Id: 49536 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 63C021B582; Wed, 9 Jan 2019 12:45:02 +0100 (CET) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by dpdk.org (Postfix) with ESMTP id 37BDE1B44C for ; Wed, 9 Jan 2019 12:44:58 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Jan 2019 03:44:57 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,457,1539673200"; d="scan'208";a="125680742" Received: from sivswdev08.ir.intel.com (HELO localhost.localdomain) ([10.237.217.47]) by orsmga001.jf.intel.com with ESMTP; 09 Jan 2019 03:44:55 -0800 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, pablo.de.lara.guarch@intel.com, Konstantin Ananyev Date: Wed, 9 Jan 2019 11:44:09 +0000 Message-Id: <1547034250-21252-10-git-send-email-konstantin.ananyev@intel.com> X-Mailer: git-send-email 1.7.0.7 In-Reply-To: <1546547138-24965-2-git-send-email-konstantin.ananyev@intel.com> References: <1546547138-24965-2-git-send-email-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH v7 09/10] examples/ipsec-secgw: add scripts for functional test X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The purpose of these scripts is to automate ipsec-secgw functional testing. The scripts require two machines (SUT and DUT) connected through at least 2 NICs and running linux (so far tested only on Ubuntu 18.04). Introduced test-cases for the following scenarios: - Transport/Tunnel modes - AES-CBC SHA1 - AES-GCM - ESN on/off - legacy/librte_ipsec code path Signed-off-by: Konstantin Ananyev Acked-by: Radu Nicolau --- examples/ipsec-secgw/test/common_defs.sh | 162 ++++++++++++++++++ examples/ipsec-secgw/test/data_rxtx.sh | 62 +++++++ examples/ipsec-secgw/test/linux_test4.sh | 63 +++++++ examples/ipsec-secgw/test/linux_test6.sh | 64 +++++++ examples/ipsec-secgw/test/run_test.sh | 80 +++++++++ .../test/trs_aescbc_sha1_common_defs.sh | 69 ++++++++ .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh | 67 ++++++++ .../test/trs_aescbc_sha1_esn_atom_defs.sh | 5 + .../test/trs_aescbc_sha1_esn_defs.sh | 66 +++++++ .../test/trs_aescbc_sha1_old_defs.sh | 5 + .../test/trs_aesgcm_common_defs.sh | 60 +++++++ examples/ipsec-secgw/test/trs_aesgcm_defs.sh | 76 ++++++++ .../test/trs_aesgcm_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh | 66 +++++++ .../test/trs_aesgcm_inline_crypto_defs.sh | 6 + .../test/trs_aesgcm_inline_crypto_old_defs.sh | 5 + .../ipsec-secgw/test/trs_aesgcm_old_defs.sh | 5 + .../test/tun_aescbc_sha1_common_defs.sh | 68 ++++++++ .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh | 70 ++++++++ .../test/tun_aescbc_sha1_esn_atom_defs.sh | 5 + .../test/tun_aescbc_sha1_esn_defs.sh | 70 ++++++++ .../test/tun_aescbc_sha1_old_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh | 60 +++++++ examples/ipsec-secgw/test/tun_aesgcm_defs.sh | 80 +++++++++ .../test/tun_aesgcm_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh | 70 ++++++++ .../test/tun_aesgcm_inline_crypto_defs.sh | 6 + .../test/tun_aesgcm_inline_crypto_old_defs.sh | 5 + .../ipsec-secgw/test/tun_aesgcm_old_defs.sh | 5 + 29 files changed, 1315 insertions(+) create mode 100644 examples/ipsec-secgw/test/common_defs.sh create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh create mode 100644 examples/ipsec-secgw/test/linux_test4.sh create mode 100644 examples/ipsec-secgw/test/linux_test6.sh create mode 100644 examples/ipsec-secgw/test/run_test.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh new file mode 100644 index 000000000..1ed31f89f --- /dev/null +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -0,0 +1,162 @@ +#! /bin/bash + +#check that env vars are properly defined + +#check SGW_PATH +if [[ -z "${SGW_PATH}" || ! -x ${SGW_PATH} ]]; then + echo "SGW_PATH is invalid" + exit 127 +fi + +#check ETH_DEV +if [[ -z "${ETH_DEV}" ]]; then + echo "ETH_DEV is invalid" + exit 127 +fi + +#setup SGW_LCORE +SGW_LCORE=${SGW_LCORE:-0} + +#check that REMOTE_HOST is reachable +ssh ${REMOTE_HOST} echo +st=$? +if [[ $st -ne 0 ]]; then + echo "host ${REMOTE_HOST} is not reachable" + exit $st +fi + +#get ether addr of REMOTE_HOST +REMOTE_MAC=`ssh ${REMOTE_HOST} ip addr show dev ${REMOTE_IFACE}` +st=$? +REMOTE_MAC=`echo ${REMOTE_MAC} | sed -e 's/^.*ether //' -e 's/ brd.*$//'` +if [[ $st -ne 0 || -z "${REMOTE_MAC}" ]]; then + echo "coouldn't retrieve ether addr from ${REMOTE_IFACE}" + exit 127 +fi + +LOCAL_IFACE=dtap0 + +LOCAL_MAC="00:64:74:61:70:30" + +REMOTE_IPV4=192.168.31.14 +LOCAL_IPV4=192.168.31.92 + +REMOTE_IPV6=fd12:3456:789a:0031:0000:0000:0000:0014 +LOCAL_IPV6=fd12:3456:789a:0031:0000:0000:0000:0092 + +DPDK_PATH=${RTE_SDK:-${PWD}} +DPDK_BUILD=${RTE_TARGET:-x86_64-native-linuxapp-gcc} + +SGW_OUT_FILE=./ipsec-secgw.out1 + +SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" +SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" +SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" + +SGW_CFG_FILE=$(tempfile) + +# configure local host/ifaces +config_local_iface() +{ + ifconfig ${LOCAL_IFACE} ${LOCAL_IPV4}/24 mtu 1400 up + ifconfig ${LOCAL_IFACE} + + ip neigh flush dev ${LOCAL_IFACE} + ip neigh add ${REMOTE_IPV4} dev ${LOCAL_IFACE} lladdr ${REMOTE_MAC} + ip neigh show dev ${LOCAL_IFACE} +} + +config6_local_iface() +{ + config_local_iface + + sysctl -w net.ipv6.conf.${LOCAL_IFACE}.disable_ipv6=0 + ip addr add ${LOCAL_IPV6}/64 dev ${LOCAL_IFACE} + + sysctl -w net.ipv6.conf.${LOCAL_IFACE}.mtu=1300 + + ip -6 neigh add ${REMOTE_IPV6} dev ${LOCAL_IFACE} lladdr ${REMOTE_MAC} + ip neigh show dev ${LOCAL_IFACE} +} + +#configure remote host/iface +config_remote_iface() +{ + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} down + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} ${REMOTE_IPV4}/24 up + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE} + + # by some reason following ip neigh doesn't work for me here properly: + #ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ + # dev ${REMOTE_IFACE} lladr ${LOCAL_MAC} + # so used arp instead. + ssh ${REMOTE_HOST} arp -i ${REMOTE_IFACE} -s ${LOCAL_IPV4} ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} iptables --flush +} + +config6_remote_iface() +{ + config_remote_iface + + ssh ${REMOTE_HOST} sysctl -w \ + net.ipv6.conf.${REMOTE_IFACE}.disable_ipv6=0 + ssh ${REMOTE_HOST} ip addr add ${REMOTE_IPV6}/64 dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip -6 neigh add ${LOCAL_IPV6} \ + dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip6tables --flush +} + +#configure remote and local host/iface +config_iface() +{ + config_local_iface + config_remote_iface +} + +config6_iface() +{ + config6_local_iface + config6_remote_iface +} + +#start ipsec-secgw +secgw_start() +{ + SGW_EXEC_FILE=$(tempfile) + cat < ${SGW_EXEC_FILE} +${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ +--vdev="net_tap0,mac=fixed" \ +-- ${SGW_CMD_PRM} ${SGW_CMD_XPRM} -f ${SGW_CFG_FILE} > \ +${SGW_OUT_FILE} 2>&1 & +p=\$! +echo \$p +EOF + + cat ${SGW_EXEC_FILE} + SGW_PID=`/bin/bash -x ${SGW_EXEC_FILE}` + + # wait till ipsec-secgw start properly + i=0 + st=1 + while [[ $i -ne 10 && st -ne 0 ]]; do + sleep 1 + ifconfig ${LOCAL_IFACE} + st=$? + let i++ + done +} + +#stop ipsec-secgw and cleanup +secgw_stop() +{ + kill ${SGW_PID} + rm -f ${SGW_EXEC_FILE} + rm -f ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/data_rxtx.sh b/examples/ipsec-secgw/test/data_rxtx.sh new file mode 100644 index 000000000..f23a6d594 --- /dev/null +++ b/examples/ipsec-secgw/test/data_rxtx.sh @@ -0,0 +1,62 @@ +#! /bin/bash + +TCP_PORT=22222 + +ping_test1() +{ + dst=$1 + + i=0 + st=0 + while [[ $i -ne 1200 && $st -eq 0 ]]; + do + let i++ + ping -c 1 -s ${i} ${dst} + st=$? + done + + if [[ $st -ne 0 ]]; then + echo "ERROR: $0 failed for dst=${dst}, sz=${i}" + fi + return $st; +} + +ping6_test1() +{ + dst=$1 + + i=0 + st=0 + while [[ $i -ne 1200 && $st -eq 0 ]]; + do + let i++ + ping6 -c 1 -s ${i} ${dst} + st=$? + done + + if [[ $st -ne 0 ]]; then + echo "ERROR: $0 failed for dst=${dst}, sz=${i}" + fi + return $st; +} + +scp_test1() +{ + dst=$1 + + for sz in 1234 23456 345678 4567890 56789102 ; do + x=`basename $0`.${sz} + dd if=/dev/urandom of=${x} bs=${sz} count=1 + scp ${x} [${dst}]:${x} + scp [${dst}]:${x} ${x}.copy1 + diff -u ${x} ${x}.copy1 + st=$? + rm -f ${x} ${x}.copy1 + ssh ${REMOTE_HOST} rm -f ${x} + if [[ $st -ne 0 ]]; then + return $st + fi + done + + return 0; +} diff --git a/examples/ipsec-secgw/test/linux_test4.sh b/examples/ipsec-secgw/test/linux_test4.sh new file mode 100644 index 000000000..d636f5604 --- /dev/null +++ b/examples/ipsec-secgw/test/linux_test4.sh @@ -0,0 +1,63 @@ +#! /bin/bash + +# usage: /bin/bash linux_test4.sh +# for list of available modes please refer to run_test.sh. +# ipsec-secgw (IPv4 mode) functional test script. +# +# Note that for most of them you required appropriate crypto PMD/device +# to be avaialble. +# Also user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optonally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the scrit +# +# The purpose of the script is to automate ipsec-secgw testing +# using another system running linux as a DUT. +# It expects that SUT and DUT are connected through at least 2 NICs. +# One NIC is expected to be managed by linux both machines, +# and will be used as a control path +# Make sure user from SUT can ssh to DUT without entering password. +# Second NIC (test-port) should be reserved for DPDK on SUT, +# and should be managed by linux on DUT. +# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. +# Then configures local tap iface and remote iface and ipsec policies +# in the following way: +# traffic going over test-port in both directions has to be +# protected by ipsec. +# raffic going over TAP in both directions doesn't have to be protected. +# I.E: +# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS +# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS +# Then tries to perorm some data transfer using the scheme decribed above. +# + +DIR=`dirname $0` +MODE=$1 + + . ${DIR}/common_defs.sh + . ${DIR}/${MODE}_defs.sh + +config_secgw + +secgw_start + +config_iface + +config_remote_xfrm + + . ${DIR}/data_rxtx.sh + +ping_test1 ${REMOTE_IPV4} +st=$? +if [[ $st -eq 0 ]]; then + scp_test1 ${REMOTE_IPV4} + st=$? +fi + +secgw_stop +exit $st diff --git a/examples/ipsec-secgw/test/linux_test6.sh b/examples/ipsec-secgw/test/linux_test6.sh new file mode 100644 index 000000000..e30f607d8 --- /dev/null +++ b/examples/ipsec-secgw/test/linux_test6.sh @@ -0,0 +1,64 @@ +#! /bin/bash + +# usage: /bin/bash linux_test6.sh +# for list of available modes please refer to run_test.sh. +# ipsec-secgw (IPv6 mode) functional test script. +# +# Note that for most of them you required appropriate crypto PMD/device +# to be avaialble. +# Also user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optonally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the scrit +# +# The purpose of the script is to automate ipsec-secgw testing +# using another system running linux as a DUT. +# It expects that SUT and DUT are connected through at least 2 NICs. +# One NIC is expected to be managed by linux both machines, +# and will be used as a control path. +# Make sure user from SUT can ssh to DUT without entering password, +# also make sure that sshd over ipv6 is enabled. +# Second NIC (test-port) should be reserved for DPDK on SUT, +# and should be managed by linux on DUT. +# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. +# Then configures local tap iface and remote iface and ipsec policies +# in the following way: +# traffic going over test-port in both directions has to be +# protected by ipsec. +# raffic going over TAP in both directions doesn't have to be protected. +# I.E: +# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS +# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS +# Then tries to perorm some data transfer using the scheme decribed above. +# + +DIR=`dirname $0` +MODE=$1 + + . ${DIR}/common_defs.sh + . ${DIR}/${MODE}_defs.sh + +config_secgw + +secgw_start + +config6_iface + +config6_remote_xfrm + + . ${DIR}/data_rxtx.sh + +ping6_test1 ${REMOTE_IPV6} +st=$? +if [[ $st -eq 0 ]]; then + scp_test1 ${REMOTE_IPV6} + st=$? +fi + +secgw_stop +exit $st diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh new file mode 100644 index 000000000..6dc0ce54e --- /dev/null +++ b/examples/ipsec-secgw/test/run_test.sh @@ -0,0 +1,80 @@ +#! /bin/bash + +# usage: /bin/bash run_test.sh [-46] +# Run all defined linux_test[4,6].sh test-cases one by one +# user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') +# Also user can optonally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w ') +# if none specified appropriate vdevs will be created by the scrit +# refer to linux_test1.sh for more information + +# All supported modes to test. +# naming convention: +# 'old' means that ipsec-secgw will run in legacy (non-librte_ipsec mode) +# 'tun/trs' refer to tunnel/transport mode respectively +LINUX_TEST="tun_aescbc_sha1 \ +tun_aescbc_sha1_esn \ +tun_aescbc_sha1_esn_atom \ +tun_aesgcm \ +tun_aesgcm_esn \ +tun_aesgcm_esn_atom \ +trs_aescbc_sha1 \ +trs_aescbc_sha1_esn \ +trs_aescbc_sha1_esn_atom \ +trs_aesgcm \ +trs_aesgcm_esn \ +trs_aesgcm_esn_atom \ +tun_aescbc_sha1_old \ +tun_aesgcm_old \ +trs_aescbc_sha1_old \ +trs_aesgcm_old" + +DIR=`dirname $0` + +# get input options +st=0 +run4=0 +run6=0 +while [[ ${st} -eq 0 ]]; do + getopts ":46" opt + st=$? + if [[ "${opt}" == "4" ]]; then + run4=1 + elif [[ "${opt}" == "6" ]]; then + run6=1 + fi +done + +if [[ ${run4} -eq 0 && {run6} -eq 0 ]]; then + exit 127 +fi + +for i in ${LINUX_TEST}; do + + echo "starting test ${i}" + + st4=0 + if [[ ${run4} -ne 0 ]]; then + /bin/bash ${DIR}/linux_test4.sh ${i} + st4=$? + echo "test4 ${i} finished with status ${st4}" + fi + + st6=0 + if [[ ${run6} -ne 0 ]]; then + /bin/bash ${DIR}/linux_test6.sh ${i} + st6=$? + echo "test6 ${i} finished with status ${st6}" + fi + + let "st = st4 + st6" + if [[ $st -ne 0 ]]; then + echo "ERROR test ${i} FAILED" + exit $st + fi +done diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh new file mode 100644 index 000000000..e2621e0df --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh new file mode 100644 index 000000000..d68552fce --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..f16222e11 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh new file mode 100644 index 000000000..ce7c977a3 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh new file mode 100644 index 000000000..a3abb6103 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh new file mode 100644 index 000000000..f6c5bf5a7 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh @@ -0,0 +1,60 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM} + +sa in 9 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM} + +#SA out rules +sa out 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM} + +sa out 9 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh new file mode 100644 index 000000000..a4d902be0 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh @@ -0,0 +1,76 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list + + # to overcome problem with ipsec-secgw for inline mode, + # when first packet(s) will be always dropped. + # note that ping will fail here + ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4} +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list + + # to overcome problem with ipsec-secgw for inline mode, + # when first packet(s) will be always dropped. + # note that ping will fail here + ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV6} +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh new file mode 100644 index 000000000..80d8d63b8 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh new file mode 100644 index 000000000..94958d199 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh new file mode 100644 index 000000000..de6048d68 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_defs.sh @@ -0,0 +1,6 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +CRYPTO_DEV='--vdev="crypto_null0"' +SGW_CFG_XPRM='port_id 0 type inline-crypto-offload' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh new file mode 100644 index 000000000..05230496f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_inline_crypto_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh new file mode 100644 index 000000000..951e6b68f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh new file mode 100644 index 000000000..4025da232 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh new file mode 100644 index 000000000..18aade3a9 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..6b4a82149 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh new file mode 100644 index 000000000..28c1125d6 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh new file mode 100644 index 000000000..3c0d8d1b1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh new file mode 100644 index 000000000..278377967 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh @@ -0,0 +1,60 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} + +sa in 9 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} + +#SA out rules +sa out 7 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} + +sa out 9 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh new file mode 100644 index 000000000..1764ef681 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh @@ -0,0 +1,80 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list + + # to overcome problem with ipsec-secgw for inline mode, + # when first packet(s) will be always dropped. + # note that ping will fail here + ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4} +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list + + # to overcome problem with ipsec-secgw for inline mode, + # when first packet(s) will be always dropped. + # note that ping will fail here + ssh ${REMOTE_HOST} ping6 -c 1 ${LOCAL_IPV6} +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh new file mode 100644 index 000000000..dab1460c8 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh new file mode 100644 index 000000000..606232349 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh new file mode 100644 index 000000000..eafefe7ae --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_defs.sh @@ -0,0 +1,6 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +CRYPTO_DEV='--vdev="crypto_null0"' +SGW_CFG_XPRM='port_id 0 type inline-crypto-offload' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh new file mode 100644 index 000000000..de659610c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_inline_crypto_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh new file mode 100644 index 000000000..e0a015e21 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +SGW_CMD_XPRM=