From patchwork Thu Sep 5 12:35:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mariusz Drost X-Patchwork-Id: 58648 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 8005F1EFE7; Thu, 5 Sep 2019 14:36:40 +0200 (CEST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by dpdk.org (Postfix) with ESMTP id 25BB21EFDD for ; Thu, 5 Sep 2019 14:36:38 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Sep 2019 05:36:37 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,470,1559545200"; d="scan'208";a="199272201" Received: from mdrostx-mobl.ger.corp.intel.com ([10.103.104.98]) by fmsmga001.fm.intel.com with ESMTP; 05 Sep 2019 05:36:34 -0700 From: Mariusz Drost To: radu.nicolau@intel.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, Mariusz Drost , Lukasz Bartosik Date: Thu, 5 Sep 2019 14:35:23 +0200 Message-Id: <20190905123523.172-3-mariuszx.drost@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20190905123523.172-1-mariuszx.drost@intel.com> References: <20190905123523.172-1-mariuszx.drost@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: tests for split SAD X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Test scripts updated to reflect change of SAD (split into IPv4 SAD and IPv6 SAD). New parameter added to run_test.sh for performing tests with mixed IP version, eg. IPv4 ipsec tunnel with IPv6 traffic. Bugzilla ID: 239 Fixes: 5a032a71c6d3 ("examples/ipsec-secgw: make app to use IPsec library") Reported-by: Lukasz Bartosik Signed-off-by: Mariusz Drost --- examples/ipsec-secgw/test/common_defs.sh | 7 +- examples/ipsec-secgw/test/linux_test4.sh | 78 ------------------ examples/ipsec-secgw/test/linux_test6.sh | 79 ------------------- examples/ipsec-secgw/test/run_test.sh | 42 +++++++--- .../ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 7 +- .../test/trs_3descbc_sha1_esn_defs.sh | 7 +- .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh | 7 +- .../test/trs_aescbc_sha1_esn_defs.sh | 7 +- .../ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 7 +- .../test/trs_aesctr_sha1_esn_defs.sh | 7 +- examples/ipsec-secgw/test/trs_aesgcm_defs.sh | 7 +- .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh | 7 +- .../test/tun_3descbc_sha1_common_defs.sh | 68 ++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 77 +++++++++++++++++- .../test/tun_3descbc_sha1_esn_defs.sh | 77 +++++++++++++++++- .../test/tun_aescbc_sha1_common_defs.sh | 64 +++++++++++++++ .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh | 77 +++++++++++++++++- .../test/tun_aescbc_sha1_esn_defs.sh | 77 +++++++++++++++++- .../test/tun_aesctr_sha1_common_defs.sh | 64 +++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 77 +++++++++++++++++- .../test/tun_aesctr_sha1_esn_defs.sh | 77 +++++++++++++++++- .../test/tun_aesgcm_common_defs.sh | 56 +++++++++++++ examples/ipsec-secgw/test/tun_aesgcm_defs.sh | 77 +++++++++++++++++- .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh | 77 +++++++++++++++++- 24 files changed, 910 insertions(+), 220 deletions(-) delete mode 100644 examples/ipsec-secgw/test/linux_test4.sh delete mode 100644 examples/ipsec-secgw/test/linux_test6.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 09689af78..911857a60 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -80,11 +80,8 @@ config_remote_iface() ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE} - # by some reason following ip neigh doesn't work for me here properly: - #ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ - # dev ${REMOTE_IFACE} lladr ${LOCAL_MAC} - # so used arp instead. - ssh ${REMOTE_HOST} arp -i ${REMOTE_IFACE} -s ${LOCAL_IPV4} ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ + dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC} ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE} ssh ${REMOTE_HOST} iptables --flush diff --git a/examples/ipsec-secgw/test/linux_test4.sh b/examples/ipsec-secgw/test/linux_test4.sh deleted file mode 100644 index 85efc5d90..000000000 --- a/examples/ipsec-secgw/test/linux_test4.sh +++ /dev/null @@ -1,78 +0,0 @@ -#! /bin/bash - -# usage: /bin/bash linux_test4.sh -# for list of available modes please refer to run_test.sh. -# ipsec-secgw (IPv4 mode) functional test script. -# -# Note that for most of them you required appropriate crypto PMD/device -# to be avaialble. -# Also user has to setup properly the following environment variables: -# SGW_PATH - path to the ipsec-secgw binary to test -# REMOTE_HOST - ip/hostname of the DUT -# REMOTE_IFACE - iface name for the test-port on DUT -# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') -# Also user can optonally setup: -# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) -# CRYPTO_DEV - crypto device to be used ('-w ') -# if none specified appropriate vdevs will be created by the scrit -# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and -# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# -# The purpose of the script is to automate ipsec-secgw testing -# using another system running linux as a DUT. -# It expects that SUT and DUT are connected through at least 2 NICs. -# One NIC is expected to be managed by linux both machines, -# and will be used as a control path -# Make sure user from SUT can ssh to DUT without entering password. -# Second NIC (test-port) should be reserved for DPDK on SUT, -# and should be managed by linux on DUT. -# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. -# Then configures local tap iface and remote iface and ipsec policies -# in the following way: -# traffic going over test-port in both directions has to be -# protected by ipsec. -# raffic going over TAP in both directions doesn't have to be protected. -# I.E: -# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS -# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS -# Then tries to perorm some data transfer using the scheme decribed above. -# - -DIR=`dirname $0` -MODE=$1 - - . ${DIR}/common_defs.sh - . ${DIR}/${MODE}_defs.sh - -#make linux to generate fragmented packets -if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then - echo "multi-segment test is enabled" - SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}" - PING_LEN=5000 - MTU_LEN=1500 -else - PING_LEN=${DEF_PING_LEN} - MTU_LEN=${DEF_MTU_LEN} -fi - -config_secgw - -secgw_start - -config_iface - -config_remote_xfrm - - . ${DIR}/data_rxtx.sh - -set_local_mtu ${MTU_LEN} -ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} -st=$? -if [[ $st -eq 0 ]]; then - set_local_mtu ${DEF_MTU_LEN} - scp_test1 ${REMOTE_IPV4} - st=$? -fi - -secgw_stop -exit $st diff --git a/examples/ipsec-secgw/test/linux_test6.sh b/examples/ipsec-secgw/test/linux_test6.sh deleted file mode 100644 index c749dcef8..000000000 --- a/examples/ipsec-secgw/test/linux_test6.sh +++ /dev/null @@ -1,79 +0,0 @@ -#! /bin/bash - -# usage: /bin/bash linux_test6.sh -# for list of available modes please refer to run_test.sh. -# ipsec-secgw (IPv6 mode) functional test script. -# -# Note that for most of them you required appropriate crypto PMD/device -# to be avaialble. -# Also user has to setup properly the following environment variables: -# SGW_PATH - path to the ipsec-secgw binary to test -# REMOTE_HOST - ip/hostname of the DUT -# REMOTE_IFACE - iface name for the test-port on DUT -# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w ') -# Also user can optonally setup: -# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) -# CRYPTO_DEV - crypto device to be used ('-w ') -# if none specified appropriate vdevs will be created by the scrit -# MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and -# specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# -# The purpose of the script is to automate ipsec-secgw testing -# using another system running linux as a DUT. -# It expects that SUT and DUT are connected through at least 2 NICs. -# One NIC is expected to be managed by linux both machines, -# and will be used as a control path. -# Make sure user from SUT can ssh to DUT without entering password, -# also make sure that sshd over ipv6 is enabled. -# Second NIC (test-port) should be reserved for DPDK on SUT, -# and should be managed by linux on DUT. -# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. -# Then configures local tap iface and remote iface and ipsec policies -# in the following way: -# traffic going over test-port in both directions has to be -# protected by ipsec. -# raffic going over TAP in both directions doesn't have to be protected. -# I.E: -# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS -# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS -# Then tries to perorm some data transfer using the scheme decribed above. -# - -DIR=`dirname $0` -MODE=$1 - - . ${DIR}/common_defs.sh - . ${DIR}/${MODE}_defs.sh - -#make linux to generate fragmented packets -if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then - echo "multi-segment test is enabled" - SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}" - PING_LEN=5000 - MTU_LEN=1500 -else - PING_LEN=${DEF_PING_LEN} - MTU_LEN=${DEF_MTU_LEN} -fi - -config_secgw - -secgw_start - -config6_iface - -config6_remote_xfrm - - . ${DIR}/data_rxtx.sh - -set_local_mtu ${MTU_LEN} -ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} -st=$? -if [[ $st -eq 0 ]]; then - set_local_mtu ${DEF_MTU_LEN} - scp_test1 ${REMOTE_IPV6} - st=$? -fi - -secgw_stop -exit $st diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 8055a4c04..10821e678 100755 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -1,7 +1,7 @@ #! /bin/bash -# usage: /bin/bash run_test.sh [-46] -# Run all defined linux_test[4,6].sh test-cases one by one +# usage: /bin/bash run_test.sh [-46mp] +# Run all defined linux_test.sh test-cases one by one # user has to setup properly the following environment variables: # SGW_PATH - path to the ipsec-secgw binary to test # REMOTE_HOST - ip/hostname of the DUT @@ -13,7 +13,7 @@ # if none specified appropriate vdevs will be created by the scrit # MULTI_SEG_TEST - ipsec-secgw option to enable reassembly support and # specify size of reassembly table (i.e. MULTI_SEG_TEST="--reassemble 128") -# refer to linux_test[4,6].sh for more information +# refer to linux_test.sh for more information # All supported modes to test. @@ -24,9 +24,11 @@ usage() { echo "Usage:" - echo -e "\t$0 -[46p]" + echo -e "\t$0 -[46mp]" echo -e "\t\t-4 Perform Linux IPv4 network tests" echo -e "\t\t-6 Perform Linux IPv6 network tests" + echo -e "\t\t-m Add mixed IP protocol tests to IPv4/IPv6 \ +(only with option [-46])" echo -e "\t\t-p Perform packet validation tests" echo -e "\t\t-h Display this help" } @@ -73,7 +75,8 @@ DIR=$(dirname $0) run4=0 run6=0 runpkt=0 -while getopts ":46ph" opt +mixed=0 +while getopts ":46mph" opt do case $opt in 4) @@ -82,6 +85,9 @@ do 6) run6=1 ;; + m) + mixed=1 + ;; p) runpkt=1 ;; @@ -124,20 +130,36 @@ if [[ ${run4} -eq 1 || ${run6} -eq 1 ]]; then echo "starting test ${i}" st4=0 + st4m=0 if [[ ${run4} -ne 0 ]]; then - /bin/bash ${DIR}/linux_test4.sh ${i} + /bin/bash ${DIR}/linux_test.sh ipv4-ipv4 ${i} st4=$? - echo "test4 ${i} finished with status ${st4}" + echo "test IPv4 ${i} finished with status ${st4}" + + if [[ ${mixed} -ne 0 ]] && [[ ${i} = "tun"* ]]; then + /bin/bash ${DIR}/linux_test.sh ipv4-ipv6 ${i} + st4m=$? + echo "test IPv4-IPv6 ${i} finished with \ +status ${st4m}" + fi fi st6=0 + st6m=0 if [[ ${run6} -ne 0 ]]; then - /bin/bash ${DIR}/linux_test6.sh ${i} + /bin/bash ${DIR}/linux_test.sh ipv6-ipv6 ${i} st6=$? - echo "test6 ${i} finished with status ${st6}" + echo "test IPv6 ${i} finished with status ${st6}" + + if [[ ${mixed} -ne 0 ]] && [[ ${i} = "tun"* ]]; then + /bin/bash ${DIR}/linux_test.sh ipv6-ipv4 ${i} + st6m=$? + echo "test IPv6-IPv4 ${i} finished with \ +status ${st6m}" + fi fi - let "st = st4 + st6" + let "st = st4 + st6 + st4m + st6m" if [[ $st -ne 0 ]]; then echo "ERROR test ${i} FAILED" exit $st diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh index 31f94492f..b124d7888 100644 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh index e4283f3dd..255acbb32 100644 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh index d68552fce..55f696cbc 100644 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh index ce7c977a3..851b38d59 100644 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh index 73642f881..50f778ae5 100644 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh index e401a4bed..88e2eed08 100644 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh index 8382d3d52..c47578a38 100644 --- a/examples/ipsec-secgw/test/trs_aesgcm_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesgcm_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh index 94958d199..182f05a34 100644 --- a/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -35,9 +35,10 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_66() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh index dd802d6be..704c0c57f 100644 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -70,3 +70,71 @@ EOF cat ${SGW_CFG_FILE} } + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh index 2bbe14292..3df050c00 100644 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh index 98349c7bc..349969ceb 100644 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh index 4025da232..65150e389 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh @@ -66,3 +66,67 @@ EOF cat ${SGW_CFG_FILE} } + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh index 18aade3a9..aa1e6a4c4 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh index 28c1125d6..dda8a082a 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh index a3ac3a698..13db66b6f 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -66,3 +66,67 @@ EOF cat ${SGW_CFG_FILE} } + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh index 3710f897c..5712ee9bd 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh index c3ce11da1..5fbe2cfe3 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh index 278377967..f39a8e4bc 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh @@ -58,3 +58,59 @@ EOF cat ${SGW_CFG_FILE} } + +config_secgw_mixed() +{ + cat < ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} + +sa in 6 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} + +#SA out rules +sa out 8 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} + +sa out 6 aead_algo aes-128-gcm \ +aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh index 8ae65321b..6fb8aa6b3 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ diff --git a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh index 606232349..84a666342 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh @@ -4,7 +4,7 @@ SGW_CMD_XPRM='-e -w 300' -config_remote_xfrm() +config_remote_xfrm_44() { ssh ${REMOTE_HOST} ip xfrm policy flush ssh ${REMOTE_HOST} ip xfrm state flush @@ -37,9 +37,80 @@ aead "rfc4106\(gcm\(aes\)\)" \ ssh ${REMOTE_HOST} ip xfrm state list } -config6_remote_xfrm() +config_remote_xfrm_46() { - config_remote_xfrm + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 6 reqid 1 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 6 reqid 2 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_64() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 8 reqid 1 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 8 reqid 2 mode tunnel replay-window 64 flag esn \ +aead "rfc4106\(gcm\(aes\)\)" \ +0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \ +sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush ssh ${REMOTE_HOST} ip xfrm policy add \ src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \