@@ -28,38 +28,36 @@ sp ipv4 in esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:6553
sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
-sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
-sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 dst 192.168.245.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 dst 192.168.246.0/24 sport 0:65535 dport 0:65535
#SP IPv6 rules
-sp ipv6 out esp protect 5 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
+sp ipv6 out esp protect 7 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 6 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
+sp ipv6 out esp protect 8 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 10 pri 1 dst 0000:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 11 pri 1 dst 0000:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 25 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
+sp ipv6 out esp protect 27 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 26 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
+sp ipv6 out esp protect 28 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 15 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
+sp ipv6 in esp protect 107 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 16 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
+sp ipv6 in esp protect 108 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 110 pri 1 dst ffff:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 111 pri 1 dst ffff:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
+sp ipv6 in esp protect 127 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
+sp ipv6 in esp protect 128 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
#SA rules
@@ -71,6 +69,14 @@ sa out 6 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6
+sa out 7 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5
+
+sa out 8 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6
+
sa out 10 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
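Review bot: The new `sa out 8` entry is a byte-for-byte copy of the `sa out 6` entry above it except for the SPI — same aes-128-cbc key, same sha1-hmac key, same 172.16.1.6 to 172.16.2.6 tunnel — and `sa out 7` appears to repeat SA 5 in the same way. Nothing in the file says why a second SA with identical material is needed, so a later reader may "deduplicate" it; a comment above the pair such as `#SPIs 7/8: IPv6 payload over the IPv4 tunnel (matched by 'sp ipv6 out esp protect 7/8'); SPIs 5/6 carry IPv4 payload` would pin the intent. The same pattern repeats in the `sa out 27/28`, `sa in 107/108` and `sa in 127/128` hunks of this file and in the mirror hunks of the second endpoint config, so one comment per block is enough. The shared placeholder keys are fine for a test fixture, but saying so in the same comment keeps the duplication from being read as a recommended layout.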
@@ -97,6 +103,18 @@ sa out 26 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
src 1111:1111:1111:1111:1111:1111:1111:6666 \
dst 2222:2222:2222:2222:2222:2222:2222:6666
+sa out 27 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
+src 1111:1111:1111:1111:1111:1111:1111:5555 \
+dst 2222:2222:2222:2222:2222:2222:2222:5555
+
+sa out 28 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
+src 1111:1111:1111:1111:1111:1111:1111:6666 \
+dst 2222:2222:2222:2222:2222:2222:2222:6666
+
sa in 105 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
@@ -105,6 +123,14 @@ sa in 106 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
+sa in 107 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
+
+sa in 108 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
+
sa in 110 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
@@ -130,6 +156,18 @@ sa in 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
src 2222:2222:2222:2222:2222:2222:2222:6666 \
dst 1111:1111:1111:1111:1111:1111:1111:6666
+sa in 127 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
+src 2222:2222:2222:2222:2222:2222:2222:5555 \
+dst 1111:1111:1111:1111:1111:1111:1111:5555
+
+sa in 128 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
+src 2222:2222:2222:2222:2222:2222:2222:6666 \
+dst 1111:1111:1111:1111:1111:1111:1111:6666
+
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 172.16.2.6/32 port 1
@@ -19,8 +19,8 @@ sp ipv4 in esp protect 15 pri 1 dst 192.168.200.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 16 pri 1 dst 192.168.201.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 25 pri 1 dst 192.168.55.0/24 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 26 pri 1 dst 192.168.56.0/24 sport 0:65535 dport 0:65535
-sp ipv4 in esp bypass dst 192.168.240.0/24 sport 0:65535 dport 0:65535
-sp ipv4 in esp bypass dst 192.168.241.0/24 sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 dst 192.168.240.0/24 sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 dst 192.168.241.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 106 pri 1 dst 192.168.116.0/24 sport 0:65535 dport 0:65535
@@ -28,38 +28,36 @@ sp ipv4 out esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:655
sp ipv4 out esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
-sp ipv4 out esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
-sp ipv4 out esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.245.0/24 sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 dst 192.168.246.0/24 sport 0:65535 dport 0:65535
#SP IPv6 rules
-sp ipv6 in esp protect 5 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
+sp ipv6 in esp protect 7 pri 1 dst 0000:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 6 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
+sp ipv6 in esp protect 8 pri 1 dst 0000:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 10 pri 1 dst 0000:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 11 pri 1 dst 0000:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 25 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
+sp ipv6 in esp protect 27 pri 1 dst 0000:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 in esp protect 26 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
+sp ipv6 in esp protect 28 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 15 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
+sp ipv6 out esp protect 107 pri 1 dst ffff:0000:0000:0000:5555:5555:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 16 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
+sp ipv6 out esp protect 108 pri 1 dst ffff:0000:0000:0000:6666:6666:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 110 pri 1 dst ffff:0000:1111:1111:0000:0000:0000:0000/96 \
sport 0:65535 dport 0:65535
sp ipv6 out esp protect 111 pri 1 dst ffff:0000:1111:1111:1111:1111:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
+sp ipv6 out esp protect 127 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 \
sport 0:65535 dport 0:65535
-sp ipv6 out esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
+sp ipv6 out esp protect 128 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
sport 0:65535 dport 0:65535
#SA rules
@@ -71,6 +69,14 @@ sa in 6 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6
+sa in 7 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5
+
+sa in 8 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.1.6 dst 172.16.2.6
+
sa in 10 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
@@ -97,6 +103,18 @@ sa in 26 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
src 1111:1111:1111:1111:1111:1111:1111:6666 \
dst 2222:2222:2222:2222:2222:2222:2222:6666
+sa in 27 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
+src 1111:1111:1111:1111:1111:1111:1111:5555 \
+dst 2222:2222:2222:2222:2222:2222:2222:5555
+
+sa in 28 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
+src 1111:1111:1111:1111:1111:1111:1111:6666 \
+dst 2222:2222:2222:2222:2222:2222:2222:6666
+
sa out 105 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
@@ -105,6 +123,14 @@ sa out 106 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
+sa out 107 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
+
+sa out 108 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:\
+a0:a0:a0:a0:a0:a0:a0:a0:a0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
+
sa out 110 cipher_algo aes-128-cbc cipher_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1 auth_algo sha1-hmac auth_key a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:\
a1:a1:a1:a1:a1:a1:a1:a1:a1 mode transport
@@ -130,6 +156,18 @@ sa out 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
src 2222:2222:2222:2222:2222:2222:2222:6666 \
dst 1111:1111:1111:1111:1111:1111:1111:6666
+sa out 127 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
+c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
+src 2222:2222:2222:2222:2222:2222:2222:5555 \
+dst 1111:1111:1111:1111:1111:1111:1111:5555
+
+sa out 128 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d auth_algo sha1-hmac auth_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
+4d:4d:4d:4d:4d:4d:4d:4d:4d mode ipv6-tunnel \
+src 2222:2222:2222:2222:2222:2222:2222:6666 \
+dst 1111:1111:1111:1111:1111:1111:1111:6666
+
#Routing rules
rt ipv4 dst 172.16.1.5/32 port 0
rt ipv4 dst 172.16.1.6/32 port 1
@@ -80,11 +80,8 @@ config_remote_iface()
ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE}
- # by some reason following ip neigh doesn't work for me here properly:
- #ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \
- # dev ${REMOTE_IFACE} lladr ${LOCAL_MAC}
- # so used arp instead.
- ssh ${REMOTE_HOST} arp -i ${REMOTE_IFACE} -s ${LOCAL_IPV4} ${LOCAL_MAC}
+ ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \
+ dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC}
ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE}
ssh ${REMOTE_HOST} iptables --flush
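Review bot: `ip neigh add` fails with "File exists" when an entry for `${LOCAL_IPV4}` is already present, and the `ip neigh flush dev ${REMOTE_IFACE}` two lines above does not remove permanent entries by default, so the second run of the script against the same DUT would fail where `arp -s` used to overwrite the entry. Use the idempotent form: `ssh ${REMOTE_HOST} ip neigh replace ${LOCAL_IPV4} \` / `dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC}`. Alternatively pass `nud permanent` to the flush, but `replace` is the smaller change. The body of `config_remote_iface` continues outside this hunk.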
similarity index 50%
rename from examples/ipsec-secgw/test/linux_test6.sh
rename to examples/ipsec-secgw/test/linux_test.sh
@@ -1,8 +1,13 @@
#! /bin/bash
-# usage: /bin/bash linux_test6.sh <ipsec_mode>
-# for list of available modes please refer to run_test.sh.
-# ipsec-secgw (IPv6 mode) functional test script.
+# usage: /bin/bash linux_test.sh <ip_protocol> <ipsec_mode>
+# <ip_protocol> can be set to:
+# ipv4-ipv4 - only IPv4 traffic
+# ipv4-ipv6 - IPv4 traffic over IPv6 ipsec tunnel (only for tunnel mode)
+# ipv6-ipv4 - IPv6 traffic over IPv4 ipsec tunnel (only for tunnel mode)
+# ipv6-ipv6 - only IPv6 traffic
+# For list of available modes please refer to run_test.sh.
+# ipsec-secgw functional test script.
#
# Note that for most of them you required appropriate crypto PMD/device
# to be avaialble.
@@ -24,7 +29,7 @@
# One NIC is expected to be managed by linux both machines,
# and will be used as a control path.
# Make sure user from SUT can ssh to DUT without entering password,
-# also make sure that sshd over ipv6 is enabled.
+# also make sure that ssh over ipv6 is enabled.
# Second NIC (test-port) should be reserved for DPDK on SUT,
# and should be managed by linux on DUT.
# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev.
@@ -32,15 +37,16 @@
# in the following way:
# traffic going over test-port in both directions has to be
# protected by ipsec.
-# raffic going over TAP in both directions doesn't have to be protected.
+# Traffic going over TAP in both directions doesn't have to be protected.
# I.E:
# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS
# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS
-# Then tries to perorm some data transfer using the scheme decribed above.
+# Then tries to perform some data transfer using the scheme decribed above.
#
DIR=`dirname $0`
-MODE=$1
+PROTO=$1
+MODE=$2
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
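Review bot: The rewritten comment line fixes `perorm` but keeps the second typo on the same line — `decribed` should be `described`. While touching the header, the line above it still reads `psec-secgw` for the SUT side of the diagram; `ipsec-secgw` is presumably meant. The new `PROTO=$1` / `MODE=$2` assignments are consistent with the `<ip_protocol> <ipsec_mode>` order documented in the earlier header hunk.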
@@ -56,23 +62,77 @@ else
MTU_LEN=${DEF_MTU_LEN}
fi
-config_secgw
+if [[ ${PROTO} = "ipv4-ipv4" ]] || [[ ${PROTO} = "ipv6-ipv6" ]]; then
+ config_secgw
+else
+ config_secgw_mixed
+fi
secgw_start
-config6_iface
+ . ${DIR}/data_rxtx.sh
-config6_remote_xfrm
+if [[ ${PROTO} = "ipv4-ipv4" ]]; then
+ config_iface
+ config_remote_xfrm_44
- . ${DIR}/data_rxtx.sh
+ set_local_mtu ${MTU_LEN}
+ ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN}
+ st=$?
+ if [[ $st -eq 0 ]]; then
+ set_local_mtu ${DEF_MTU_LEN}
+ scp_test1 ${REMOTE_IPV4}
+ st=$?
+ fi
+elif [[ ${PROTO} = "ipv4-ipv6" ]]; then
+ if [[ ${MODE} = "trs"* ]]; then
+ echo "Cannot mix protocols in transport mode"
+ secgw_stop
+ exit 1
+ fi
+ config6_iface
+ config_remote_xfrm_46
-set_local_mtu ${MTU_LEN}
-ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN}
-st=$?
-if [[ $st -eq 0 ]]; then
- set_local_mtu ${DEF_MTU_LEN}
- scp_test1 ${REMOTE_IPV6}
+ set_local_mtu ${MTU_LEN}
+ ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN}
st=$?
+ if [[ $st -eq 0 ]]; then
+ set_local_mtu ${DEF_MTU_LEN}
+ scp_test1 ${REMOTE_IPV4}
+ st=$?
+ fi
+elif [[ ${PROTO} = "ipv6-ipv4" ]]; then
+ if [[ ${MODE} = "trs"* ]]; then
+ echo "Cannot mix protocols in transport mode"
+ secgw_stop
+ exit 1
+ fi
+ config6_iface
+ config_remote_xfrm_64
+
+ set_local_mtu ${MTU_LEN}
+ ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN}
+ st=$?
+ if [[ $st -eq 0 ]]; then
+ set_local_mtu ${DEF_MTU_LEN}
+ scp_test1 ${REMOTE_IPV6}
+ st=$?
+ fi
+elif [[ ${PROTO} = "ipv6-ipv6" ]]; then
+ config6_iface
+ config_remote_xfrm_66
+
+ set_local_mtu ${MTU_LEN}
+ ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN}
+ st=$?
+ if [[ $st -eq 0 ]]; then
+ set_local_mtu ${DEF_MTU_LEN}
+ scp_test1 ${REMOTE_IPV6}
+ st=$?
+ fi
+else
+ echo "Invalid <proto>"
+ st=128
fi
secgw_stop
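Review bot: The `Invalid <proto>` branch at the end of the chain is reached only after `config_secgw_mixed` and `secgw_start` have already run at the top of the hunk, so a mistyped first argument starts the gateway with the mixed config, leaves it up until `secgw_stop`, and exits 128; the transport-mode check duplicated in the `ipv4-ipv6` and `ipv6-ipv4` branches has the same late-failure shape. Move both checks ahead of the `config_secgw`/`config_secgw_mixed` choice, e.g. `[[ ${PROTO} = "ipv4-ipv6" || ${PROTO} = "ipv6-ipv4" ]] && [[ ${MODE} = "trs"* ]] && { echo "Cannot mix protocols in transport mode"; exit 1; }` plus a `case ${PROTO}` that rejects anything but the four documented values, and let the message name the argument the way the header does (`Invalid <ip_protocol>`). With validation done up front the four branches differ only in the `config_remote_xfrm_NN` call and the ping target, so the repeated MTU/ping/scp block could become one helper. The `ipv4-ipv6` branch calls `config6_iface` (defined outside this hunk) but then tests `${REMOTE_IPV4}`; if that helper configures only IPv6 addresses the IPv4 path would be missing, so confirm it sets both families or say so in a comment. The script's final `exit $st` lies outside the hunk.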
deleted file mode 100644
@@ -1,78 +0,0 @@
-#! /bin/bash
-
-# usage: /bin/bash linux_test4.sh <ipsec_mode>
-# for list of available modes please refer to run_test.sh.
-# ipsec-secgw (IPv4 mode) functional test script.
-#
-# Note that for most of them you required appropriate crypto PMD/device
-# to be avaialble.
-# Also user has to setup properly the following environment variables:
-# SGW_PATH - path to the ipsec-secgw binary to test
-# REMOTE_HOST - ip/hostname of the DUT
-# REMOTE_IFACE - iface name for the test-port on DUT
-# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w <pci-id>')
-# Also user can optonally setup:
-# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0)
-# CRYPTO_DEV - crypto device to be used ('-w <pci-id>')
-# if none specified appropriate vdevs will be created by the scrit
-# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and
-# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128")
-#
-# The purpose of the script is to automate ipsec-secgw testing
-# using another system running linux as a DUT.
-# It expects that SUT and DUT are connected through at least 2 NICs.
-# One NIC is expected to be managed by linux both machines,
-# and will be used as a control path
-# Make sure user from SUT can ssh to DUT without entering password.
-# Second NIC (test-port) should be reserved for DPDK on SUT,
-# and should be managed by linux on DUT.
-# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev.
-# Then configures local tap iface and remote iface and ipsec policies
-# in the following way:
-# traffic going over test-port in both directions has to be
-# protected by ipsec.
-# raffic going over TAP in both directions doesn't have to be protected.
-# I.E:
-# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS
-# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS
-# Then tries to perorm some data transfer using the scheme decribed above.
-#
-
-DIR=`dirname $0`
-MODE=$1
-
- . ${DIR}/common_defs.sh
- . ${DIR}/${MODE}_defs.sh
-
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
-
-config_secgw
-
-secgw_start
-
-config_iface
-
-config_remote_xfrm
-
- . ${DIR}/data_rxtx.sh
-
-set_local_mtu ${MTU_LEN}
-ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN}
-st=$?
-if [[ $st -eq 0 ]]; then
- set_local_mtu ${DEF_MTU_LEN}
- scp_test1 ${REMOTE_IPV4}
- st=$?
-fi
-
-secgw_stop
-exit $st
@@ -1,7 +1,7 @@
#! /bin/bash
-# usage: /bin/bash run_test.sh [-46]
-# Run all defined linux_test[4,6].sh test-cases one by one
+# usage: /bin/bash run_test.sh [-46mp]
+# Run all defined linux_test.sh test-cases one by one
# user has to setup properly the following environment variables:
# SGW_PATH - path to the ipsec-secgw binary to test
# REMOTE_HOST - ip/hostname of the DUT
@@ -13,7 +13,7 @@
# if none specified appropriate vdevs will be created by the scrit
# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and
# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128")
-# refer to linux_test[4,6].sh for more information
+# refer to linux_test.sh for more information
# All supported modes to test.
@@ -24,9 +24,11 @@
usage()
{
echo "Usage:"
- echo -e "\t$0 -[46p]"
+ echo -e "\t$0 -[46mp]"
echo -e "\t\t-4 Perform Linux IPv4 network tests"
echo -e "\t\t-6 Perform Linux IPv6 network tests"
+ echo -e "\t\t-m Add mixed IP protocol tests to IPv4/IPv6 \
+(only with option [-46])"
echo -e "\t\t-p Perform packet validation tests"
echo -e "\t\t-h Display this help"
}
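Review bot: The new `-m` help text says the mixed tests are added to the IPv4/IPv6 runs but not that they only run for tunnel modes; the loop in the later hunk gates them on `${i} = "tun"*`, so a user running transport modes with `-m` gets no mixed test and no message. Suggest `echo -e "\t\t-m Add mixed IP protocol tests to IPv4/IPv6 \` / `(tunnel modes only, with option [-46])"`.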
@@ -73,7 +75,8 @@ DIR=$(dirname $0)
run4=0
run6=0
runpkt=0
-while getopts ":46ph" opt
+mixed=0
+while getopts ":46mph" opt
do
case $opt in
4)
@@ -82,6 +85,9 @@ do
6)
run6=1
;;
+ m)
+ mixed=1
+ ;;
p)
runpkt=1
;;
@@ -124,20 +130,36 @@ if [[ ${run4} -eq 1 || ${run6} -eq 1 ]]; then
echo "starting test ${i}"
st4=0
+ st4m=0
if [[ ${run4} -ne 0 ]]; then
- /bin/bash ${DIR}/linux_test4.sh ${i}
+ /bin/bash ${DIR}/linux_test.sh ipv4-ipv4 ${i}
st4=$?
- echo "test4 ${i} finished with status ${st4}"
+ echo "test IPv4 ${i} finished with status ${st4}"
+
+ if [[ ${mixed} -ne 0 ]] && [[ ${i} = "tun"* ]]; then
+ /bin/bash ${DIR}/linux_test.sh ipv4-ipv6 ${i}
+ st4m=$?
+ echo "test IPv4-IPv6 ${i} finished with \
+status ${st4m}"
+ fi
fi
st6=0
+ st6m=0
if [[ ${run6} -ne 0 ]]; then
- /bin/bash ${DIR}/linux_test6.sh ${i}
+ /bin/bash ${DIR}/linux_test.sh ipv6-ipv6 ${i}
st6=$?
- echo "test6 ${i} finished with status ${st6}"
+ echo "test IPv6 ${i} finished with status ${st6}"
+
+ if [[ ${mixed} -ne 0 ]] && [[ ${i} = "tun"* ]]; then
+ /bin/bash ${DIR}/linux_test.sh ipv6-ipv4 ${i}
+ st6m=$?
+ echo "test IPv6-IPv4 ${i} finished with \
+status ${st6m}"
+ fi
fi
- let "st = st4 + st6"
+ let "st = st4 + st6 + st4m + st6m"
if [[ $st -ne 0 ]]; then
echo "ERROR test ${i} FAILED"
exit $st
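Review bot: `let "st = st4 + st6 + st4m + st6m"` now folds up to four exit statuses into one integer that is passed straight to `exit $st`; since `linux_test.sh` exits 128 for an invalid protocol, two such failures sum to 256 and the shell truncates the exit code to 0, so a caller of run_test.sh sees success even though `ERROR test ... FAILED` was printed. The `-ne 0` comparison still detects the failure, so the smallest fix is a fixed code in that branch, `exit 1`, or keeping the first nonzero status instead of the sum. The `if [[ $st -ne 0 ]]` block and the enclosing loop close outside the hunk.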
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ aead "rfc4106\(gcm\(aes\)\)" \
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -35,9 +35,10 @@ aead "rfc4106\(gcm\(aes\)\)" \
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_66()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -70,3 +70,71 @@ EOF
cat ${SGW_CFG_FILE}
}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 6 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 8 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 6 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
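Review bot: The SP/SA pairing in `config_secgw_mixed` is deliberately crossed — `sp ipv4 ... protect 6` is served by `sa in/out 6 ... mode ipv6-tunnel`, and `sp ipv6 ... protect 8` by `sa in/out 8 ... mode ipv4-tunnel` — but nothing says so, and at first read it looks like a copy-paste slip. A comment above the function, e.g. `# Mixed-family config: SPI 6 = IPv4 payload in an IPv6 tunnel, SPI 8 = IPv6 payload in an IPv4 tunnel; SPIs must match config_remote_xfrm_46/_64`, would make both the intent and the coupling to the remote xfrm helpers explicit. Minor: the heredoc comments alternate between `#sp in ...` and `#SP out ...`; pick one case.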
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
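Review bot: `config_remote_xfrm_46` and `config_remote_xfrm_64` are the same thirty lines with the selector and tunnel address pairs swapped and the SPI changed (6 vs 8), and the hard-coded `spi 6`/`spi 8` must agree with the `sa in/out 6` and `sa in/out 8` entries written by the sibling `config_secgw_mixed`, which this file does not record. A one-line comment above each function, e.g. `# SPI/selector must match 'sa ... 6 ... mode ipv6-tunnel' in config_secgw_mixed`, would pin that coupling; if more variants are added, a helper taking the selector pair, tunnel pair and SPI would remove the duplication. `config_remote_xfrm_66` starts at the end of this hunk and continues past it.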
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
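Review bot: None of the `ssh ${REMOTE_HOST} ip xfrm ...` calls in the new config_remote_xfrm_46 and config_remote_xfrm_64 check their exit status, so a rejected `policy add` or `state add` (an algorithm the remote kernel lacks, an address variable left empty) leaves the peer half-configured and the test only fails later on traffic, with nothing pointing at the setup step; appending `|| return 1` to each add, e.g. `proto esp mode tunnel reqid 1 || return 1`, makes the function fail at the offending command instead. The same applies to the six later hunks that add these two functions for the other cipher suites. The key on the `enc "cbc\(des3_ede\)"` lines is three identical 8-byte halves, which a remote kernel running in FIPS mode will most likely refuse as a degenerate 3DES key, and without the status check that refusal would be silent as well. config_remote_xfrm_66 begins at the end of the hunk and its body continues outside it.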
@@ -66,3 +66,67 @@ EOF
cat ${SGW_CFG_FILE}
}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 6 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 8 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 6 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
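Review bot: The four `sa` entries in this config_secgw_mixed end at `mode ... src ... dst ...` without `${SGW_CFG_XPRM}`, whereas the aes-gcm variant of the same function later in this diff appends it to every SA line; the aes-ctr variant has the same omission. If the existing config_secgw in this file passes extra SA parameters through that variable (it is not visible in the hunk), tests relying on it would silently run the mixed case without them. Appending it, e.g. `mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}`, keeps the three copies consistent.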
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -66,3 +66,67 @@ EOF
cat ${SGW_CFG_FILE}
}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 6 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 8 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 6 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -58,3 +58,59 @@ EOF
cat ${SGW_CFG_FILE}
}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+
+sa in 6 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+
+#SA out rules
+sa out 8 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM}
+
+sa out 6 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
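Review bot: config_secgw_mixed has no comment stating the cross-family layout, and the SPI/mode pairing is easy to misread: SPI 6 is `mode ipv6-tunnel` but is selected by the IPv4 `sp` rules, SPI 8 is `mode ipv4-tunnel` selected by the IPv6 rules, and the pri-1 `bypass` rules forward everything else without IPsec. A comment above the function such as `# Mixed tunnels: IPv4 traffic goes into an IPv6 tunnel (SPI 6), IPv6 traffic into an IPv4 tunnel (SPI 8); the pri 1 bypass rules let non-matching traffic through unprotected.` would make that explicit for the next reader. The same comment fits the aes-cbc and aes-ctr copies of the function earlier in the diff.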
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ aead "rfc4106\(gcm\(aes\)\)" \
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
@@ -4,7 +4,7 @@
SGW_CMD_XPRM='-e -w 300'
-config_remote_xfrm()
+config_remote_xfrm_44()
{
ssh ${REMOTE_HOST} ip xfrm policy flush
ssh ${REMOTE_HOST} ip xfrm state flush
@@ -37,9 +37,80 @@ aead "rfc4106\(gcm\(aes\)\)" \
ssh ${REMOTE_HOST} ip xfrm state list
}
-config6_remote_xfrm()
+config_remote_xfrm_46()
{
- config_remote_xfrm
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
ssh ${REMOTE_HOST} ip xfrm policy add \
src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \