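AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
# Quoted so that an empty or unset HAVE_PYTHON cannot break the skip
# condition itself.
AT_SKIP_IF([test "$HAVE_PYTHON" = no])

# Point every runtime, database and data directory into the sandbox so the
# daemon under test never touches the host's real locations.
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
OVS_DBDIR=`pwd`; export OVS_DBDIR
OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

# Kill both daemons on exit.  "pid" is presumably the ovsdb-server pidfile
# written by the setup macro further down - TODO confirm.
ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])

# Fake /etc and /usr trees that the daemon is pointed at via --root-prefix.
mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

# Stub init script: instead of reloading a real IKE daemon it records its
# arguments on fd 3, which the daemon invocation below ties to the "actions"
# file.  Nothing in this test ever talks to a real racoon.
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

# Stub setkey: moves its stdout to fd 3 and echoes every policy line it reads
# on stdin, so SPD changes are logged rather than applied to the kernel.
AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
    echo "> $line"
done
])
chmod +x usr/sbin/setkey

# Leftover peer certificate with no matching interface; the daemon is
# expected to garbage-collect it at startup and the wait further down checks
# that it is gone.
touch etc/racoon/certs/ovs-stale.pem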
# Wrapper used by every check below: runs ovs-vsctl against the test's local
# database socket, passing --no-wait and -vreconnect:emer on each call so
# individual checks do not have to repeat them.
ovs_vsctl () {
    ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
}
# Drop comment lines and lines that are empty or consist only of spaces from
# the given files.  Everything else is passed through untouched, so callers
# can compare the meaningful part of a generated config byte for byte.
trim () {
    sed '/^#/d; /^[ ]*$/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
# --root-prefix makes the daemon write its /etc/racoon files under this
# directory - every check below reads etc/racoon/... relative to here - and
# fd 3 is where the stubbed racoon and setkey log what they were asked to do.
# The daemon is backgrounded; its pidfile is what the exit hook kills.
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
# Startup must remove the peer cert that has no matching interface.
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
    -- add-br br0 \
    -- add-port br0 gre0 \
    -- set interface gre0 type=ipsec_gre \
        options:remote_ip=1.2.3.4 \
        options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
# First nine lines of the action log: a flush and an spdflush at startup, two
# racoon reloads, then the pair of transport-mode ESP policies for the peer.
# Later checks rely on this count when they skip already-verified lines.
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
# The PSK from the interface options lands verbatim in the file that
# racoon.conf names as its pre_shared_key path.
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
])
# Generated racoon.conf for a PSK peer.  Leading whitespace must match the
# daemon's output exactly: trim only drops blank and comment lines.
# Review note: the proposal below - dh_group 2, sha1, hmac_md5 - simply
# mirrors what the daemon emits today; if its defaults are hardened these
# expectations have to be updated in step.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
exchange_mode main;
nat_traversal on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
# 17 = the 9 lines verified above plus the 8 expected here; sed drops the
# already-checked prefix.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
# Removing the interface must also drop its PSK and its remote block, so
# no secret or peer policy survives the interface it belonged to.
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
# Placeholder PEM files: the daemon appears only to reference their paths
# from racoon.conf, so their contents need not parse as real X.509 material
# - TODO confirm against the daemon.
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
# The peer's certificate is supplied inline in peer_cert; the daemon has to
# materialise it as a file before racoon can use it.
AT_CHECK([ovs_vsctl \
    -- add-port br0 gre1 \
    -- set Interface gre1 type=ipsec_gre \
        options:remote_ip=2.3.4.5 \
        options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
        options:certificate='"/cert.pem"' \
        options:private_key='"/key.pem"'])
# 21 = 17 already verified plus 4 new lines: no flush this time, only the
# reload and the policy pair for the new peer.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
# No PSK is written for a certificate peer.
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# For a certificate peer the remote block switches to rsasig, names the
# interface's own cert and key, and points peers_certfile at the stored copy
# of the inline peer cert with verify_identifier on.  Leading whitespace must
# match the daemon's output exactly.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/cert.pem" "/key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The inline peer cert was written out to the certs directory verbatim.
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
# 29 = 21 already verified plus the 8 lines expected here.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The stored peer cert must go with its interface so it is not left behind
# as trusted material for a peer that no longer exists.
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
# With use_ssl_cert the daemon takes the certificate and key configured via
# set-ssl instead of per-interface certificate/private_key options, which is
# why set-ssl runs in the same ovs_vsctl call as the port creation.
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
    -- add-port br0 gre2 \
    -- set Interface gre2 type=ipsec_gre \
        options:remote_ip=3.4.5.6 \
        options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
        options:use_ssl_cert='"true"'])
# 33 = 29 already verified plus 4 new lines.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Same shape as the per-interface certificate case, but certificate_type now
# names the files given to set-ssl.  Leading whitespace must match the
# daemon's output exactly.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The inline peer cert was written out to the certs directory verbatim.
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
# 41 = 33 already verified plus the 8 lines expected here.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
# The peer cert stored for this interface is removed together with it.
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

OVSDB_SERVER_SHUTDOWN

AT_CLEANUP