1 AT_BANNER([ovs-monitor-ipsec])
2
3 AT_SETUP([ovs-monitor-ipsec])
# Preconditions for the whole test: a Python interpreter and an ASCII-only
# working directory; otherwise the test is skipped rather than failed.
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5 AT_SKIP_IF([$non_ascii_cwd])
6
7 trim () { # Drop '#' comment lines and blank (empty or space-only) lines from the input files or stdin.
8 sed '/^#/d; /^[ ]*$/d' "$@"
9 }
10
11 OVS_VSWITCHD_START([])
12 OVS_MONITOR_IPSEC_START
# The setkey and racoon invocations made by the monitor are expected to show
# up as text in the file "actions" rather than being executed (stub wrappers,
# presumably provided by the start macro above). Each section below compares
# only the lines that section appended.
13
14 ###
15 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
16 ###
17 AT_CHECK([ovs-vsctl \
18 -- add-port br0 gre0 \
19 -- set interface gre0 type=ipsec_gre \
20 options:remote_ip=1.2.3.4 \
21 options:psk=swordfish])
# NOTE(review): this first wait only requires the initial spdadd line to be
# present, whereas every later section waits on a line count. If the two
# spdadd lines are not appended together, the cat below can observe a partial
# file; waiting for at least 9 lines would match the later sections.
22 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
23 AT_CHECK([cat actions], [0], [dnl
24 setkey:
25 > flush;
26 setkey:
27 > spdflush;
28 racoon: reload
29 racoon: reload
30 setkey:
31 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
32 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
33 ])
# The pre-shared key is stored in cleartext, keyed by remote IP; the delete
# section below verifies it is removed again once the interface is gone.
34 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
35 ])
# This pins the generator's current output. hmac_md5 and dh_group 2 are
# legacy choices; hardening the defaults in ovs-monitor-ipsec means updating
# every racoon.conf expectation in this file.
36 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
37 path pre_shared_key "/etc/racoon/psk.txt";
38 path certificate "/etc/racoon/certs";
39 remote 1.2.3.4 {
40 exchange_mode main;
41 nat_traversal on;
42 proposal {
43 encryption_algorithm aes;
44 hash_algorithm sha1;
45 authentication_method pre_shared_key;
46 dh_group 2;
47 }
48 }
49 sainfo anonymous {
50 pfs_group 2;
51 lifetime time 1 hour;
52 encryption_algorithm aes;
53 authentication_algorithm hmac_sha1, hmac_md5;
54 compression_algorithm deflate;
55 }
56 ])
57
58 ###
59 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
60 ###
61 AT_CHECK([ovs-vsctl del-port gre0])
62 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
# The first 9 lines of "actions" were verified above, so only the lines added
# by the delete are compared here; the same offset scheme is used in each
# later section.
63 AT_CHECK([sed '1,9d' actions], [0], [dnl
64 racoon: reload
65 setkey:
66 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
67 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
68 setkey:
69 > dump ;
70 setkey:
71 > dump ;
72 ])
73 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
74 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
75 path pre_shared_key "/etc/racoon/psk.txt";
76 path certificate "/etc/racoon/certs";
77 sainfo anonymous {
78 pfs_group 2;
79 lifetime time 1 hour;
80 encryption_algorithm aes;
81 authentication_algorithm hmac_sha1, hmac_md5;
82 compression_algorithm deflate;
83 }
84 ])
85
86 ###
87 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
88 ###
# The PEM files are placeholders: the checks below cover path plumbing in
# racoon.conf and the copying of the inline peer certificate, not whether
# the material is valid.
89 AT_DATA([cert.pem], [dnl
90 -----BEGIN CERTIFICATE-----
91 (not a real certificate)
92 -----END CERTIFICATE-----
93 ])
94 AT_DATA([key.pem], [dnl
95 -----BEGIN RSA PRIVATE KEY-----
96 (not a real private key)
97 -----END RSA PRIVATE KEY-----
98 ])
99 AT_CHECK([ovs-vsctl \
100 -- add-port br0 gre1 \
101 -- set Interface gre1 type=ipsec_gre \
102 options:remote_ip=2.3.4.5 \
103 options:peer_cert='"-----BEGIN CERTIFICATE-----
104 (not a real peer certificate)
105 -----END CERTIFICATE-----
106 "' \
107 options:certificate='"/cert.pem"' \
108 options:private_key='"/key.pem"'])
109 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
110 AT_CHECK([sed '1,17d' actions], [0], [dnl
111 racoon: reload
112 setkey:
113 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
114 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
115 ])
116 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118 path pre_shared_key "/etc/racoon/psk.txt";
119 path certificate "/etc/racoon/certs";
120 remote 2.3.4.5 {
121 exchange_mode main;
122 nat_traversal on;
123 ike_frag on;
124 certificate_type x509 "/cert.pem" "/key.pem";
125 my_identifier asn1dn;
126 peers_identifier asn1dn;
127 peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
128 verify_identifier on;
129 proposal {
130 encryption_algorithm aes;
131 hash_algorithm sha1;
132 authentication_method rsasig;
133 dh_group 2;
134 }
135 }
136 sainfo anonymous {
137 pfs_group 2;
138 lifetime time 1 hour;
139 encryption_algorithm aes;
140 authentication_algorithm hmac_sha1, hmac_md5;
141 compression_algorithm deflate;
142 }
143 ])
# The inline peer_cert must be materialised as a per-peer file keyed by remote
# IP; the delete section below checks that this file does not linger.
144 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
145 -----BEGIN CERTIFICATE-----
146 (not a real peer certificate)
147 -----END CERTIFICATE-----
148 ])
149
150 ###
151 ### Delete the ipsec_gre certificate interface.
152 ###
153 AT_CHECK([ovs-vsctl del-port gre1])
154 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
155 AT_CHECK([sed '1,21d' actions], [0], [dnl
156 racoon: reload
157 setkey:
158 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
159 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
160 setkey:
161 > dump ;
162 setkey:
163 > dump ;
164 ])
165 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
166 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
167 path pre_shared_key "/etc/racoon/psk.txt";
168 path certificate "/etc/racoon/certs";
169 sainfo anonymous {
170 pfs_group 2;
171 lifetime time 1 hour;
172 encryption_algorithm aes;
173 authentication_algorithm hmac_sha1, hmac_md5;
174 compression_algorithm deflate;
175 }
176 ])
# Removing the interface must also remove the per-peer certificate copy.
177 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
178
179 ###
180 ### Add an SSL certificate interface.
181 ###
# Same placeholder material, installed as the vswitch SSL identity. With
# use_ssl_cert set, racoon is expected to be pointed at the SSL cert/key
# rather than at per-interface certificate/private_key options.
182 cp cert.pem ssl-cert.pem
183 cp key.pem ssl-key.pem
184 AT_DATA([ssl-cacert.pem], [dnl
185 -----BEGIN CERTIFICATE-----
186 (not a real CA certificate)
187 -----END CERTIFICATE-----
188 ])
189 AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
190 -- add-port br0 gre2 \
191 -- set Interface gre2 type=ipsec_gre \
192 options:remote_ip=3.4.5.6 \
193 options:peer_cert='"-----BEGIN CERTIFICATE-----
194 (not a real peer certificate)
195 -----END CERTIFICATE-----
196 "' \
197 options:use_ssl_cert='"true"'])
198 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
199 AT_CHECK([sed '1,29d' actions], [0], [dnl
200 racoon: reload
201 setkey:
202 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
203 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
204 ])
205 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
206 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
207 path pre_shared_key "/etc/racoon/psk.txt";
208 path certificate "/etc/racoon/certs";
209 remote 3.4.5.6 {
210 exchange_mode main;
211 nat_traversal on;
212 ike_frag on;
213 certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
214 my_identifier asn1dn;
215 peers_identifier asn1dn;
216 peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
217 verify_identifier on;
218 proposal {
219 encryption_algorithm aes;
220 hash_algorithm sha1;
221 authentication_method rsasig;
222 dh_group 2;
223 }
224 }
225 sainfo anonymous {
226 pfs_group 2;
227 lifetime time 1 hour;
228 encryption_algorithm aes;
229 authentication_algorithm hmac_sha1, hmac_md5;
230 compression_algorithm deflate;
231 }
232 ])
233 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
234 -----BEGIN CERTIFICATE-----
235 (not a real peer certificate)
236 -----END CERTIFICATE-----
237 ])
238
239 ###
240 ### Delete the SSL certificate interface.
241 ###
242 AT_CHECK([ovs-vsctl del-port gre2])
243 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
244 AT_CHECK([sed '1,33d' actions], [0], [dnl
245 racoon: reload
246 setkey:
247 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
248 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
249 setkey:
250 > dump ;
251 setkey:
252 > dump ;
253 ])
254 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
255 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
256 path pre_shared_key "/etc/racoon/psk.txt";
257 path certificate "/etc/racoon/certs";
258 sainfo anonymous {
259 pfs_group 2;
260 lifetime time 1 hour;
261 encryption_algorithm aes;
262 authentication_algorithm hmac_sha1, hmac_md5;
263 compression_algorithm deflate;
264 }
265 ])
# As in the previous section, the per-peer certificate copy must be gone.
266 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
267
268 dnl Skip SSL errors reported by Open vSwitch
269 OVS_VSWITCHD_STOP(["/stream_ssl/d"])
270 AT_CLEANUP