AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
# The daemon under test is a Python script, so the test needs an interpreter;
# it is also skipped when the working directory name is not plain ASCII.
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

# Kill both daemons when the test ends, whatever the outcome.  "pid" is
# presumably written by the ovsdb-server setup macro below; the monitor's
# pidfile name is passed explicitly when it is started.
on_exit 'kill `cat pid ovs-monitor-ipsec.pid`'

# Fake /etc and /usr trees inside the test directory.  The daemon is started
# with --root-prefix pointing here, so the racoon configuration and
# certificates it writes land under ./etc, not under the host's /etc.
mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

# Stub racoon init script: does nothing except record its arguments on
# fd 3.  fd 3 is redirected to the "actions" file when the daemon starts.
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

# Stub setkey: copies every line of the SPD script it is fed to fd 3 with a
# "> " prefix, so the test can assert on the exact commands the daemon
# would have applied to the kernel.
AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
echo "> $line"
done
])
chmod +x usr/sbin/setkey

# A leftover certificate the daemon is expected to remove at startup.
touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    # Point ovs-vsctl at the test database on ./socket.  --no-wait: the test
    # runs only ovsdb-server, so there is no ovs-vswitchd to wait for.
    # -vreconnect:emer silences the reconnect module's logging below emer.
    set -- --no-wait -vreconnect:emer --db=unix:socket "$@"
    ovs-vsctl "$@"
}
trim () {
    # Print the given files without lines that start with "#" and without
    # blank lines (empty or spaces only; tabs are not stripped).  The exit
    # status is sed's, so a file that filters down to nothing still succeeds.
    sed -n -e '/^#/d' -e '/^[ ]*$/d' -e p "$@"
}
39 | ||
###
### Start ovsdb-server.
###
# NOTE(review): ovs_vsctl above assumes this macro leaves the database
# socket at ./socket, and the cleanup hook assumes its pidfile is ./pid.
OVS_VSCTL_SETUP
44 | ||
###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
# Run the daemon in the background against the test database.  Its stderr
# goes to "log".  fd 3, which the racoon and setkey stubs write to, goes to
# "actions", so every external action the daemon takes is recorded in order.
AT_CHECK(
[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
# Removal of the stale certificate doubles as the "daemon is up" signal for
# the rest of the test.
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
55 | ||
56 | ### | |
57 | ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does | |
58 | ### | |
59 | AT_CHECK([ovs_vsctl \ | |
60 | -- add-br br0 \ | |
61 | -- add-port br0 gre0 \ | |
62 | -- set interface gre0 type=ipsec_gre \ | |
63 | options:remote_ip=1.2.3.4 \ | |
64 | options:psk=swordfish]) | |
65 | OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null]) | |
66 | AT_CHECK([cat actions], [0], [dnl | |
67 | setkey: | |
68 | > flush; | |
69 | setkey: | |
70 | > spdflush; | |
71 | racoon: reload | |
72 | racoon: reload | |
73 | setkey: | |
74 | > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require; | |
75 | > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require; | |
76 | ]) | |
77 | AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish | |
78 | ]) | |
79 | AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl | |
80 | path pre_shared_key "/etc/racoon/psk.txt"; | |
81 | path certificate "/etc/racoon/certs"; | |
82 | remote 1.2.3.4 { | |
83 | exchange_mode main; | |
84 | nat_traversal on; | |
85 | proposal { | |
86 | encryption_algorithm aes; | |
87 | hash_algorithm sha1; | |
88 | authentication_method pre_shared_key; | |
89 | dh_group 2; | |
90 | } | |
91 | } | |
92 | sainfo anonymous { | |
93 | pfs_group 2; | |
94 | lifetime time 1 hour; | |
95 | encryption_algorithm aes; | |
96 | authentication_algorithm hmac_sha1, hmac_md5; | |
97 | compression_algorithm deflate; | |
98 | } | |
99 | ]) | |
100 | ||
101 | ### | |
102 | ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does | |
103 | ### | |
104 | AT_CHECK([ovs_vsctl del-port gre0]) | |
105 | OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17]) | |
106 | AT_CHECK([sed '1,9d' actions], [0], [dnl | |
107 | racoon: reload | |
108 | setkey: | |
109 | > spddelete 0.0.0.0/0 1.2.3.4 gre -P out; | |
110 | > spddelete 1.2.3.4 0.0.0.0/0 gre -P in; | |
111 | setkey: | |
112 | > dump ; | |
113 | setkey: | |
114 | > dump ; | |
115 | ]) | |
116 | AT_CHECK([trim etc/racoon/psk.txt], [0], []) | |
117 | AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl | |
118 | path pre_shared_key "/etc/racoon/psk.txt"; | |
119 | path certificate "/etc/racoon/certs"; | |
120 | sainfo anonymous { | |
121 | pfs_group 2; | |
122 | lifetime time 1 hour; | |
123 | encryption_algorithm aes; | |
124 | authentication_algorithm hmac_sha1, hmac_md5; | |
125 | compression_algorithm deflate; | |
126 | } | |
127 | ]) | |
128 | ||
129 | ### | |
130 | ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does | |
131 | ### | |
132 | AT_DATA([cert.pem], [dnl | |
133 | -----BEGIN CERTIFICATE----- | |
134 | (not a real certificate) | |
135 | -----END CERTIFICATE----- | |
136 | ]) | |
137 | AT_DATA([key.pem], [dnl | |
138 | -----BEGIN RSA PRIVATE KEY----- | |
139 | (not a real private key) | |
140 | -----END RSA PRIVATE KEY----- | |
141 | ]) | |
142 | AT_CHECK([ovs_vsctl \ | |
143 | -- add-port br0 gre1 \ | |
144 | -- set Interface gre1 type=ipsec_gre \ | |
145 | options:remote_ip=2.3.4.5 \ | |
146 | options:peer_cert='"-----BEGIN CERTIFICATE----- | |
147 | (not a real peer certificate) | |
148 | -----END CERTIFICATE----- | |
149 | "' \ | |
150 | options:certificate='"/cert.pem"' \ | |
151 | options:private_key='"/key.pem"']) | |
152 | OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21]) | |
153 | AT_CHECK([sed '1,17d' actions], [0], [dnl | |
154 | racoon: reload | |
155 | setkey: | |
156 | > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require; | |
157 | > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require; | |
158 | ]) | |
159 | AT_CHECK([trim etc/racoon/psk.txt], [0], []) | |
160 | AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl | |
161 | path pre_shared_key "/etc/racoon/psk.txt"; | |
162 | path certificate "/etc/racoon/certs"; | |
163 | remote 2.3.4.5 { | |
164 | exchange_mode main; | |
165 | nat_traversal on; | |
166 | ike_frag on; | |
167 | certificate_type x509 "/cert.pem" "/key.pem"; | |
168 | my_identifier asn1dn; | |
169 | peers_identifier asn1dn; | |
170 | peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem"; | |
171 | verify_identifier on; | |
172 | proposal { | |
173 | encryption_algorithm aes; | |
174 | hash_algorithm sha1; | |
175 | authentication_method rsasig; | |
176 | dh_group 2; | |
177 | } | |
178 | } | |
179 | sainfo anonymous { | |
180 | pfs_group 2; | |
181 | lifetime time 1 hour; | |
182 | encryption_algorithm aes; | |
183 | authentication_algorithm hmac_sha1, hmac_md5; | |
184 | compression_algorithm deflate; | |
185 | } | |
186 | ]) | |
187 | AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl | |
188 | -----BEGIN CERTIFICATE----- | |
189 | (not a real peer certificate) | |
190 | -----END CERTIFICATE----- | |
191 | ]) | |
192 | ||
193 | ### | |
194 | ### Delete the ipsec_gre certificate interface. | |
195 | ### | |
196 | AT_CHECK([ovs_vsctl del-port gre1]) | |
197 | OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29]) | |
198 | AT_CHECK([sed '1,21d' actions], [0], [dnl | |
199 | racoon: reload | |
200 | setkey: | |
201 | > spddelete 0.0.0.0/0 2.3.4.5 gre -P out; | |
202 | > spddelete 2.3.4.5 0.0.0.0/0 gre -P in; | |
203 | setkey: | |
204 | > dump ; | |
205 | setkey: | |
206 | > dump ; | |
207 | ]) | |
208 | AT_CHECK([trim etc/racoon/psk.txt], [0], []) | |
209 | AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl | |
210 | path pre_shared_key "/etc/racoon/psk.txt"; | |
211 | path certificate "/etc/racoon/certs"; | |
212 | sainfo anonymous { | |
213 | pfs_group 2; | |
214 | lifetime time 1 hour; | |
215 | encryption_algorithm aes; | |
216 | authentication_algorithm hmac_sha1, hmac_md5; | |
217 | compression_algorithm deflate; | |
218 | } | |
219 | ]) | |
220 | AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem]) | |
221 | ||
###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
# With use_ssl_cert the interface reuses the key pair configured database
# wide by set-ssl instead of per-interface certificate/private_key options;
# the peer certificate is still supplied per interface.
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
-- add-port br0 gre2 \
-- set Interface gre2 type=ipsec_gre \
options:remote_ip=3.4.5.6 \
options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Note that the CA certificate given to set-ssl does not appear in the
# expected racoon.conf: the peer is pinned through peers_certfile, the same
# way as for the per-interface certificate case above.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])
281 | ||
282 | ### | |
283 | ### Delete the SSL certificate interface. | |
284 | ### | |
285 | AT_CHECK([ovs_vsctl del-port gre2]) | |
dfbf7f35 | 286 | OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41]) |
ad6247f5 BP |
287 | AT_CHECK([sed '1,33d' actions], [0], [dnl |
288 | racoon: reload | |
289 | setkey: | |
290 | > spddelete 0.0.0.0/0 3.4.5.6 gre -P out; | |
291 | > spddelete 3.4.5.6 0.0.0.0/0 gre -P in; | |
292 | setkey: | |
293 | > dump ; | |
294 | setkey: | |
295 | > dump ; | |
296 | ]) | |
297 | AT_CHECK([trim etc/racoon/psk.txt], [0], []) | |
298 | AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl | |
299 | path pre_shared_key "/etc/racoon/psk.txt"; | |
300 | path certificate "/etc/racoon/certs"; | |
301 | sainfo anonymous { | |
302 | pfs_group 2; | |
303 | lifetime time 1 hour; | |
304 | encryption_algorithm aes; | |
305 | authentication_algorithm hmac_sha1, hmac_md5; | |
306 | compression_algorithm deflate; | |
307 | } | |
308 | ]) | |
309 | AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem]) | |
310 | ||
# Stop ovsdb-server; ovs-monitor-ipsec itself is killed by the cleanup hook
# registered at the top of the test.
OVSDB_SERVER_SHUTDOWN

AT_CLEANUP