tests/ovs-monitor-ipsec: Remove --no-wait -vreconnect:emer from ovs-vsctl.
1 AT_BANNER([ovs-monitor-ipsec])
2
3 AT_SETUP([ovs-monitor-ipsec])
# ovs-monitor-ipsec is a Python daemon, so there is nothing to exercise
# without an interpreter.  NOTE(review): the variable is unquoted, so if
# atlocal ever left it unset this condition errors out instead of skipping.
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
# Shared OVS testsuite guard.  Every check below compares generated config
# and paths verbatim, which is presumably why a non-ASCII working directory
# is excluded rather than tolerated.
5 AT_SKIP_IF([$non_ascii_cwd])
6
7 trim () {  # Removes blank lines and lines starting with # from input.
    # Used to compare the generated psk.txt / racoon.conf while ignoring the
    # header comments the daemon writes.
    # NOTE(review): square brackets are the M4 quote characters in an .at
    # file; confirm the bracket expression actually reaches the generated
    # shell script (spell it with the @<:@ @:>@ quadrigraphs if it does not),
    # otherwise only lines made of exactly that whitespace run would be
    # removed and genuinely blank lines would survive into the comparison.
8     sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
9 }
10
# Start vswitchd and the monitor.  The start macro is defined elsewhere; the
# checks below presume it installs stub setkey/racoon commands that append
# what they were asked to do to an "actions" log in the test directory, and
# that the daemon's /etc/racoon is remapped onto ./etc/racoon here.
11 OVS_VSWITCHD_START([])
12 OVS_MONITOR_IPSEC_START
13
14 ###
15 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
16 ###
# Expected: the SAD and SPD are flushed once at startup, racoon is reloaded,
# and a pair of transport-mode ESP policies is installed whose level is
# "require", i.e. GRE to or from 1.2.3.4 is never allowed in the clear once
# the port exists.
17 AT_CHECK([ovs-vsctl \
18               -- add-port br0 gre0 \
19               -- set interface gre0 type=ipsec_gre \
20                                     options:remote_ip=1.2.3.4 \
21                                     options:psk=swordfish])
22 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
23 AT_CHECK([cat actions], [0], [dnl
24 setkey:
25 > flush;
26 setkey:
27 > spdflush;
28 racoon: reload
29 racoon: reload
30 setkey:
31 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
32 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
33 ])
# The PSK is written in clear text, keyed by peer address.  Only the content
# is checked here, not the file mode, so protecting psk.txt from other local
# users is left entirely to the daemon.
34 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
35 ])
# The IKE proposal is pinned verbatim: main mode, PSK, AES, SHA-1, DH group 2
# (1024-bit MODP) with PFS, one-hour SA lifetime, hmac_md5 still accepted as
# an ESP authenticator, and deflate compression.  Group 2 and HMAC-MD5 are
# weak by current standards; hardening the suite the daemon emits means
# updating every racoon.conf block in this file.
36 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
37 path pre_shared_key "/etc/racoon/psk.txt";
38 path certificate "/etc/racoon/certs";
39 remote 1.2.3.4 {
40         exchange_mode main;
41         nat_traversal on;
42         proposal {
43                 encryption_algorithm aes;
44                 hash_algorithm sha1;
45                 authentication_method pre_shared_key;
46                 dh_group 2;
47         }
48 }
49 sainfo anonymous {
50         pfs_group 2;
51         lifetime time 1 hour;
52         encryption_algorithm aes;
53         authentication_algorithm hmac_sha1, hmac_md5;
54         compression_algorithm deflate;
55 }
56 ])
57
58 ###
59 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
60 ###
# Tear-down must be complete: racoon reloaded, both policies removed with
# spddelete, and the PSK scrubbed from psk.txt (the trimmed file is empty).
# The two dump requests are presumably the daemon looking for leftover SAs
# to delete; the stub returns nothing, so no deletes follow.
# Synchronisation is by line count: the wait below is for 9 + 8 lines and
# the sed skips exactly the 9 lines verified in the previous step, so the
# two numbers have to move together whenever the expected log changes.
61 AT_CHECK([ovs-vsctl del-port gre0])
62 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
63 AT_CHECK([sed '1,9d' actions], [0], [dnl
64 racoon: reload
65 setkey:
66 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
67 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
68 setkey:
69 > dump ;
70 setkey:
71 > dump ;
72 ])
73 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# With no peers left the remote block must disappear but the global
# sainfo section stays.
74 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
75 path pre_shared_key "/etc/racoon/psk.txt";
76 path certificate "/etc/racoon/certs";
77 sainfo anonymous {
78         pfs_group 2;
79         lifetime time 1 hour;
80         encryption_algorithm aes;
81         authentication_algorithm hmac_sha1, hmac_md5;
82         compression_algorithm deflate;
83 }
84 ])
85
86 ###
87 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
88 ###
# The local certificate and key are placeholders: nothing in this test needs
# a parseable PEM, the daemon only records their paths in racoon.conf.  They
# are referenced as /cert.pem and /key.pem, so the start macro presumably
# remaps "/" onto the test directory as well.
89 AT_DATA([cert.pem], [dnl
90 -----BEGIN CERTIFICATE-----
91 (not a real certificate)
92 -----END CERTIFICATE-----
93 ])
94 AT_DATA([key.pem], [dnl
95 -----BEGIN RSA PRIVATE KEY-----
96 (not a real private key)
97 -----END RSA PRIVATE KEY-----
98 ])
# options:peer_cert carries the peer's certificate inline.  Note the nested
# quoting: the outer single quotes are for the shell, the inner double quotes
# make ovs-vsctl take the multi-line PEM as a single string value.
99 AT_CHECK([ovs-vsctl \
100               -- add-port br0 gre1 \
101               -- set Interface gre1 type=ipsec_gre \
102                  options:remote_ip=2.3.4.5 \
103                  options:peer_cert='"-----BEGIN CERTIFICATE-----
104 (not a real peer certificate)
105 -----END CERTIFICATE-----
106 "' \
107                  options:certificate='"/cert.pem"' \
108                  options:private_key='"/key.pem"'])
# Expected: one reload plus the same "require" policy pair, now for 2.3.4.5.
109 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
110 AT_CHECK([sed '1,17d' actions], [0], [dnl
111 racoon: reload
112 setkey:
113 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
114 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
115 ])
116 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# The remote block must switch to rsasig with the local cert/key, use ASN.1
# DN identifiers with verify_identifier on, and verify the peer against the
# per-peer pinned file under etc/racoon/certs that the daemon writes from
# options:peer_cert.
117 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118 path pre_shared_key "/etc/racoon/psk.txt";
119 path certificate "/etc/racoon/certs";
120 remote 2.3.4.5 {
121         exchange_mode main;
122         nat_traversal on;
123         ike_frag on;
124         certificate_type x509 "/cert.pem" "/key.pem";
125         my_identifier asn1dn;
126         peers_identifier asn1dn;
127         peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
128         verify_identifier on;
129         proposal {
130                 encryption_algorithm aes;
131                 hash_algorithm sha1;
132                 authentication_method rsasig;
133                 dh_group 2;
134         }
135 }
136 sainfo anonymous {
137         pfs_group 2;
138         lifetime time 1 hour;
139         encryption_algorithm aes;
140         authentication_algorithm hmac_sha1, hmac_md5;
141         compression_algorithm deflate;
142 }
143 ])
# The pinned peer certificate must be an exact copy of the peer_cert option.
144 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
145 -----BEGIN CERTIFICATE-----
146 (not a real peer certificate)
147 -----END CERTIFICATE-----
148 ])
149
150 ###
151 ### Delete the ipsec_gre certificate interface.
152 ###
# Tear-down again: policies removed, remote block gone, and the per-peer
# certificate file deleted so a stale pin does not outlive the port.
153 AT_CHECK([ovs-vsctl del-port gre1])
154 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
155 AT_CHECK([sed '1,21d' actions], [0], [dnl
156 racoon: reload
157 setkey:
158 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
159 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
160 setkey:
161 > dump ;
162 setkey:
163 > dump ;
164 ])
165 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
166 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
167 path pre_shared_key "/etc/racoon/psk.txt";
168 path certificate "/etc/racoon/certs";
169 sainfo anonymous {
170         pfs_group 2;
171         lifetime time 1 hour;
172         encryption_algorithm aes;
173         authentication_algorithm hmac_sha1, hmac_md5;
174         compression_algorithm deflate;
175 }
176 ])
177 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
178
179 ###
180 ### Add an SSL certificate interface.
181 ###
# set-ssl configures the switch's own SSL key, certificate and CA.  With
# use_ssl_cert=true the daemon must reuse that key and certificate for IKE
# instead of per-port options:certificate / options:private_key.
182 cp cert.pem ssl-cert.pem
183 cp key.pem ssl-key.pem
184 AT_DATA([ssl-cacert.pem], [dnl
185 -----BEGIN CERTIFICATE-----
186 (not a real CA certificate)
187 -----END CERTIFICATE-----
188 ])
189 AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
190               -- add-port br0 gre2 \
191               -- set Interface gre2 type=ipsec_gre \
192                  options:remote_ip=3.4.5.6 \
193                  options:peer_cert='"-----BEGIN CERTIFICATE-----
194 (not a real peer certificate)
195 -----END CERTIFICATE-----
196 "' \
197                  options:use_ssl_cert='"true"'])
198 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
199 AT_CHECK([sed '1,29d' actions], [0], [dnl
200 racoon: reload
201 setkey:
202 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
203 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
204 ])
205 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Identical to the previous remote block except for the certificate_type
# paths, which now come from set-ssl.  The CA file given to set-ssl is not
# referenced anywhere in the expected config: peer identity is still pinned
# through peers_certfile.
206 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
207 path pre_shared_key "/etc/racoon/psk.txt";
208 path certificate "/etc/racoon/certs";
209 remote 3.4.5.6 {
210         exchange_mode main;
211         nat_traversal on;
212         ike_frag on;
213         certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
214         my_identifier asn1dn;
215         peers_identifier asn1dn;
216         peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
217         verify_identifier on;
218         proposal {
219                 encryption_algorithm aes;
220                 hash_algorithm sha1;
221                 authentication_method rsasig;
222                 dh_group 2;
223         }
224 }
225 sainfo anonymous {
226         pfs_group 2;
227         lifetime time 1 hour;
228         encryption_algorithm aes;
229         authentication_algorithm hmac_sha1, hmac_md5;
230         compression_algorithm deflate;
231 }
232 ])
233 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
234 -----BEGIN CERTIFICATE-----
235 (not a real peer certificate)
236 -----END CERTIFICATE-----
237 ])
238
239 ###
240 ### Delete the SSL certificate interface.
241 ###
# Same clean-up contract as for gre1, including removal of the pinned peer
# certificate file.
242 AT_CHECK([ovs-vsctl del-port gre2])
243 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
244 AT_CHECK([sed '1,33d' actions], [0], [dnl
245 racoon: reload
246 setkey:
247 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
248 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
249 setkey:
250 > dump ;
251 setkey:
252 > dump ;
253 ])
254 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
255 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
256 path pre_shared_key "/etc/racoon/psk.txt";
257 path certificate "/etc/racoon/certs";
258 sainfo anonymous {
259         pfs_group 2;
260         lifetime time 1 hour;
261         encryption_algorithm aes;
262         authentication_algorithm hmac_sha1, hmac_md5;
263         compression_algorithm deflate;
264 }
265 ])
266 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
267
# The placeholder SSL key/cert make vswitchd log stream_ssl errors, which the
# stop macro is told to ignore.  The filter drops every stream_ssl line, so an
# unrelated SSL failure during the run would be hidden too; narrow it to the
# specific message if that text is stable.
268 dnl Skip SSL errors reported by Open vSwitch
269 OVS_VSWITCHD_STOP(["/stream_ssl/d"])
270 AT_CLEANUP