dnl Autotest suite for ovs-monitor-ipsec.  Each section adds or removes an
dnl ipsec_gre interface through ovs-vsctl and then asserts two things the
dnl daemon produced: the "setkey" policy actions recorded in the `actions`
dnl file (spdadd/spddelete lines) and the racoon configuration it wrote
dnl under etc/racoon (psk.txt, racoon.conf, certs/).
dnl The `actions` file and the etc/racoon tree are presumably provided by the
dnl OVS_MONITOR_IPSEC_START harness macro (defined elsewhere) -- confirm there.
1 AT_BANNER([ovs-monitor-ipsec])
3 AT_SETUP([ovs-monitor-ipsec])
dnl The monitor is a Python program; skip without Python, and skip when the
dnl harness flags a non-ASCII working directory ($non_ascii_cwd, set elsewhere).
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5 AT_SKIP_IF([$non_ascii_cwd])
dnl trim: filter used on racoon.conf/psk.txt so comparisons ignore `#` comment
dnl lines and blank lines.  Its closing brace is not visible in this excerpt.
7 trim () { # Removes blank lines and lines starting with # from input.
8 sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
dnl Bring up ovs-vswitchd and the monitor daemon under test (harness macros).
11 OVS_VSWITCHD_START([])
12 OVS_MONITOR_IPSEC_START
dnl --- PSK case ---
dnl Expected: outbound/inbound transport-mode ESP policies for 1.2.3.4 and a
dnl plaintext "<peer> <psk>" entry in psk.txt.  Only the *contents* of psk.txt
dnl are asserted; the file mode the daemon gives this secret is not checked
dnl here.  Note the expected racoon.conf lists hmac_md5 alongside hmac_sha1 as
dnl an accepted phase-2 authentication algorithm, so this test pins that
dnl offering -- tightening the daemon's template means updating these lines.
15 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
18 -- add-port br0 gre0 \
19 -- set interface gre0 type=ipsec_gre \
20 options:remote_ip=1.2.3.4 \
21 options:psk=swordfish])
dnl Wait for the daemon to react (it is asynchronous) before reading `actions`.
22 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
23 AT_CHECK([cat actions], [0], [dnl
31 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
32 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
34 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
36 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
37 path pre_shared_key "/etc/racoon/psk.txt";
38 path certificate "/etc/racoon/certs";
43 encryption_algorithm aes;
45 authentication_method pre_shared_key;
52 encryption_algorithm aes;
53 authentication_algorithm hmac_sha1, hmac_md5;
54 compression_algorithm deflate;
dnl --- PSK removal ---
dnl Expected: matching spddelete policies and an empty psk.txt (the secret is
dnl gone from disk).  The `actions` file is append-only across sections, so
dnl every later wait (`wc -l ... -ge N`) and slice (`sed '1,Md'`) hard-codes
dnl the running line total; inserting a case in the middle shifts all of them.
59 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
61 AT_CHECK([ovs-vsctl del-port gre0])
62 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
63 AT_CHECK([sed '1,9d' actions], [0], [dnl
66 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
67 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
73 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
74 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
75 path pre_shared_key "/etc/racoon/psk.txt";
76 path certificate "/etc/racoon/certs";
80 encryption_algorithm aes;
81 authentication_algorithm hmac_sha1, hmac_md5;
82 compression_algorithm deflate;
dnl --- Per-interface certificate case ---
dnl cert.pem/key.pem are placeholder PEM blocks, not parseable keys; the test
dnl only checks that their paths are threaded into racoon.conf
dnl (certificate_type x509 "/cert.pem" "/key.pem").  The inline peer_cert is
dnl expected to be written verbatim to etc/racoon/certs/ovs-<remote_ip>.pem and
dnl referenced via peers_certfile with verify_identifier on, i.e. the peer is
dnl pinned to that exact certificate rather than validated against a CA.
87 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
89 AT_DATA([cert.pem], [dnl
90 -----BEGIN CERTIFICATE-----
91 (not a real certificate)
92 -----END CERTIFICATE-----
94 AT_DATA([key.pem], [dnl
95 -----BEGIN RSA PRIVATE KEY-----
96 (not a real private key)
97 -----END RSA PRIVATE KEY-----
100 -- add-port br0 gre1 \
101 -- set Interface gre1 type=ipsec_gre \
102 options:remote_ip=2.3.4.5 \
103 options:peer_cert='"-----BEGIN CERTIFICATE-----
104 (not a real peer certificate)
105 -----END CERTIFICATE-----
107 options:certificate='"/cert.pem"' \
108 options:private_key='"/key.pem"'])
109 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
110 AT_CHECK([sed '1,17d' actions], [0], [dnl
113 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
114 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
116 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118 path pre_shared_key "/etc/racoon/psk.txt";
119 path certificate "/etc/racoon/certs";
124 certificate_type x509 "/cert.pem" "/key.pem";
125 my_identifier asn1dn;
126 peers_identifier asn1dn;
127 peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
128 verify_identifier on;
130 encryption_algorithm aes;
132 authentication_method rsasig;
138 lifetime time 1 hour;
139 encryption_algorithm aes;
140 authentication_algorithm hmac_sha1, hmac_md5;
141 compression_algorithm deflate;
144 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
145 -----BEGIN CERTIFICATE-----
146 (not a real peer certificate)
147 -----END CERTIFICATE-----
dnl --- Certificate removal ---
dnl Expected: spddelete policies, the peer-specific stanza gone from
dnl racoon.conf, and the copied peer certificate file deleted (last check).
151 ### Delete the ipsec_gre certificate interface.
153 AT_CHECK([ovs-vsctl del-port gre1])
154 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
155 AT_CHECK([sed '1,21d' actions], [0], [dnl
158 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
159 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
165 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
166 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
167 path pre_shared_key "/etc/racoon/psk.txt";
168 path certificate "/etc/racoon/certs";
171 lifetime time 1 hour;
172 encryption_algorithm aes;
173 authentication_algorithm hmac_sha1, hmac_md5;
174 compression_algorithm deflate;
177 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
dnl --- Shared SSL certificate case ---
dnl With use_ssl_cert=true the daemon is expected to reuse the key/cert set
dnl via `ovs-vsctl set-ssl` (certificate_type x509 "/ssl-cert.pem"
dnl "/ssl-key.pem") instead of per-interface options.  The CA file passed to
dnl set-ssl does not appear in the expected racoon.conf lines visible here;
dnl the peer is again pinned through peers_certfile.
180 ### Add an SSL certificate interface.
182 cp cert.pem ssl-cert.pem
183 cp key.pem ssl-key.pem
184 AT_DATA([ssl-cacert.pem], [dnl
185 -----BEGIN CERTIFICATE-----
186 (not a real CA certificate)
187 -----END CERTIFICATE-----
189 AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
190 -- add-port br0 gre2 \
191 -- set Interface gre2 type=ipsec_gre \
192 options:remote_ip=3.4.5.6 \
193 options:peer_cert='"-----BEGIN CERTIFICATE-----
194 (not a real peer certificate)
195 -----END CERTIFICATE-----
197 options:use_ssl_cert='"true"'])
198 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
199 AT_CHECK([sed '1,29d' actions], [0], [dnl
202 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
203 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
205 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
206 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
207 path pre_shared_key "/etc/racoon/psk.txt";
208 path certificate "/etc/racoon/certs";
213 certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
214 my_identifier asn1dn;
215 peers_identifier asn1dn;
216 peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
217 verify_identifier on;
219 encryption_algorithm aes;
221 authentication_method rsasig;
227 lifetime time 1 hour;
228 encryption_algorithm aes;
229 authentication_algorithm hmac_sha1, hmac_md5;
230 compression_algorithm deflate;
233 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
234 -----BEGIN CERTIFICATE-----
235 (not a real peer certificate)
236 -----END CERTIFICATE-----
dnl --- SSL certificate removal --- same shape as the previous removal case.
240 ### Delete the SSL certificate interface.
242 AT_CHECK([ovs-vsctl del-port gre2])
243 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
244 AT_CHECK([sed '1,33d' actions], [0], [dnl
247 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
248 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
254 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
255 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
256 path pre_shared_key "/etc/racoon/psk.txt";
257 path certificate "/etc/racoon/certs";
260 lifetime time 1 hour;
261 encryption_algorithm aes;
262 authentication_algorithm hmac_sha1, hmac_md5;
263 compression_algorithm deflate;
266 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
dnl Drop stream_ssl log lines before the harness checks the vswitchd log,
dnl presumably because the placeholder PEM files above cannot be loaded as
dnl real SSL material -- confirm against the logged messages.
268 dnl Skip SSL errors reported by Open vSwitch
269 OVS_VSWITCHD_STOP(["/stream_ssl/d"])