AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
# ovs-monitor-ipsec is a Python script, so the test needs an interpreter.
# NOTE(review): the non-ASCII cwd skip is presumably because the sandbox
# path is handed to the daemon through --root-prefix; confirm if that
# restriction is ever lifted.
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

# Keep the run directory and database inside the sandbox so the daemon and
# ovsdb-server never touch the real system locations.
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
OVS_DBDIR=`pwd`; export OVS_DBDIR
</gre_replace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

<gr_replace lines="18-18" cat="remove_boilerplate" orig="b54bdbe9 BP">
OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
# The schema is copied into the sandbox so the database can be created
# from it here rather than from an installed copy.
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

# Whatever the outcome, kill the process behind the pid file (presumably
# ovsdb-server) and the daemon behind ovs-monitor-ipsec.pid on exit so a
# failing test does not leave a background daemon attached to the sandbox.
ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
b54bdbe9 BP |

# Fake root filesystem for --root-prefix.  The daemon finds the racoon
# init script, setkey and the racoon certificate directory under here, so
# the real /etc and /usr are never written to by this test.
mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

# Stub racoon init script: records its arguments on fd 3.  The daemon is
# started below with fd 3 redirected to the actions file, which is what
# the checks later in this test read.
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

# Stub setkey: echoes every policy line it is fed on stdin to fd 3 with a
# "> " prefix, so the exact SPD commands issued are captured verbatim.
AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
echo "> $line"
done
])
chmod +x usr/sbin/setkey

# A leftover peer certificate from a previous run.  The daemon is expected
# to remove it at startup; the first wait below checks exactly that.
touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    # Every ovs-vsctl call in this test goes to the sandbox ovsdb-server
    # socket, does not wait for ovs-vswitchd (none is running), and keeps
    # reconnect logging at emergency level so the log stays readable.
    set -- --no-wait -vreconnect:emer --db=unix:socket "$@"
    ovs-vsctl "$@"
}
trim () {
    # Drop whitespace-only lines and lines whose first character is '#',
    # so generated config files can be compared without their boilerplate.
    # NOTE(review): the bracket expression may hold a tab as well as a
    # space in the repository file; this rendering shows only a space.
    sed -e '/^[ ]*$/d' -e '/^#/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
# The daemon runs in the background against the sandbox socket.  stderr
# goes to the log file; fd 3 is the channel the racoon and setkey stubs
# write to, so everything they record ends up in the actions file, which
# the later checks slice by line number.
AT_CHECK(
[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
# Startup cleanup: the stale certificate planted above must disappear.
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
-- add-br br0 \
-- add-port br0 gre0 \
-- set interface gre0 type=ipsec_gre \
options:remote_ip=1.2.3.4 \
options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
# The leading flush, spdflush and two reloads are presumably daemon
# startup; the spdadd pair is the transport-mode ESP policy for the new
# remote, required in both directions.
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
# The PSK is written in clear text to psk.txt.  NOTE(review): nothing here
# asserts the permissions of that file, so a regression that left it
# world-readable would still pass this test.
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
])
# The crypto policy the daemon emits is pinned literally.  NOTE(review):
# it lists hmac_md5 as an acceptable phase 2 authentication algorithm and
# uses DH group 2 for both phases; any hardening of what the daemon
# generates must update this block and its two siblings below.  Paths
# inside the config are absolute, i.e. not prefixed with --root-prefix,
# while the test reads the prefixed copy.  This rendering shows no
# indentation inside the remote and sainfo blocks; confirm against the
# repository file, since trim keeps leading whitespace.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
exchange_mode main;
nat_traversal on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
# The actions file only grows.  Nine lines were checked above; this
# deletion is expected to add eight more, and the sed below skips the
# already-verified prefix.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
# Once the interface is gone the secret must not linger in psk.txt and the
# remote block must be dropped from racoon.conf, leaving only the generic
# sainfo section.
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
# Placeholder PEM files.  The racoon stub never reads them, so their
# contents only have to round-trip through the daemon unchanged.
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
# The peer certificate is given inline; the local certificate and private
# key are given as absolute paths that the daemon passes through as-is.
AT_CHECK([ovs_vsctl \
-- add-port br0 gre1 \
-- set Interface gre1 type=ipsec_gre \
options:remote_ip=2.3.4.5 \
options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
options:certificate='"/cert.pem"' \
options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Certificate mode pins the peer: racoon is told to verify the peer
# identity against exactly the file the daemon writes under certs, and
# authentication switches from pre_shared_key to rsasig.  The proposal
# otherwise matches the PSK case, including sha1 and DH group 2.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/cert.pem" "/key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The inline peer_cert option must have been written out byte for byte
# under the name racoon.conf refers to.
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
# 21 lines were verified above; the deletion adds eight more.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The pinned peer certificate must be removed along with the interface so
# a later peer at the same address cannot inherit stale trust material.
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
# With use_ssl_cert the local key and certificate come from the SSL table
# instead of per-interface options; only the peer certificate is still
# given on the interface.
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
-- add-port br0 gre2 \
-- set Interface gre2 type=ipsec_gre \
options:remote_ip=3.4.5.6 \
options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# NOTE(review): the CA certificate handed to set-ssl does not appear
# anywhere in the expected config.  Peer trust therefore rests solely on
# the pinned peers_certfile, exactly as in the per-interface certificate
# case; only the certificate_type paths differ.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
# 33 lines were verified above; the deletion adds eight more.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# As in the certificate case, the pinned peer certificate must not outlive
# the interface.
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

# Stop ovsdb-server cleanly; ovs-monitor-ipsec itself is reaped by the
# ON_EXIT hook registered at the top of the test.
OVSDB_SERVER_SHUTDOWN

AT_CLEANUP