author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-13 17:54:28 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-13 17:54:28 +0000 |
commit | 4dcb3b253674f504b999d6058f724e6bd3cac583 (patch) | |
tree | 15f9d863e3d7fa615f9350166d96c0ab9883eaf4 /regress/sys/netinet | |
parent | 903bc48310bb49b34c64a26e2d4ac3f43fe5df99 (diff) |
Test IPsec with AH the same way it is already done for ESP.
Diffstat (limited to 'regress/sys/netinet')
-rw-r--r-- | regress/sys/netinet/ipsec/Makefile | 404 | ||||
-rw-r--r-- | regress/sys/netinet/ipsec/README | 4 | ||||
-rw-r--r-- | regress/sys/netinet/ipsec/ipsec.conf | 123 |
3 files changed, 376 insertions, 155 deletions
diff --git a/regress/sys/netinet/ipsec/Makefile b/regress/sys/netinet/ipsec/Makefile index f054455482c..00a3b08eee5 100644 --- a/regress/sys/netinet/ipsec/Makefile +++ b/regress/sys/netinet/ipsec/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.4 2017/02/08 23:09:28 bluhm Exp $ +# $OpenBSD: Makefile,v 1.5 2017/02/13 17:54:27 bluhm Exp $ # This test needs a manual setup of four machines, the make # target create-setup can be used distribute the configuration. @@ -27,6 +27,9 @@ # +---+ 458 5 +---+ cd +---+ ef +---+ # out in out in out in # +# The encapsulation is chosen by the digit before +# 0,1 ESP +# 2,3 AH PREFIX_IPV4 ?= 10.188.1 PREFIX_IPV6 ?= fdd7:e83e:66bc:1 
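Review bot: The new comment `# The encapsulation is chosen by the digit before` stops short — it never says before what, so a reader has to reverse-engineer the scheme from the address table. The addresses in the following hunk show the tens digit of the network number carrying the protocol (105 vs 125, 104:: vs 124::), so `# The IPsec protocol is encoded in the tens digit of the network number (the digit before the last one): 0,1 ESP, 2,3 AH` would state it outright. The comment block this extends starts above the hunk.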
@@ -39,21 +42,31 @@ PREFIX_IPV6 ?= fdd7:e83e:66bc:1 SRC_OUT_IPV4 ?= ${PREFIX_IPV4}00.17 SRC_OUT_IPV6 ?= ${PREFIX_IPV6}00::17 -SRC_TRANSP_IPV4 ?= ${PREFIX_IPV4}05.17 -SRC_TRANSP_IPV6 ?= ${PREFIX_IPV6}04::17 -SRC_TUNNEL_IPV4 ?= ${PREFIX_IPV4}08.17 -SRC_TUNNEL_IPV6 ?= ${PREFIX_IPV6}08::17 +SRC_ESP_TRANSP_IPV4 ?= ${PREFIX_IPV4}05.17 +SRC_ESP_TRANSP_IPV6 ?= ${PREFIX_IPV6}04::17 +SRC_ESP_TUNNEL_IPV4 ?= ${PREFIX_IPV4}08.17 +SRC_ESP_TUNNEL_IPV6 ?= ${PREFIX_IPV6}08::17 +SRC_AH_TRANSP_IPV4 ?= ${PREFIX_IPV4}25.17 +SRC_AH_TRANSP_IPV6 ?= ${PREFIX_IPV6}24::17 +SRC_AH_TUNNEL_IPV4 ?= ${PREFIX_IPV4}28.17 +SRC_AH_TUNNEL_IPV6 ?= ${PREFIX_IPV6}28::17 IPS_IN_IPV4 ?= ${PREFIX_IPV4}00.70 IPS_IN_IPV6 ?= ${PREFIX_IPV6}00::70 IPS_OUT_IPV4 ?= ${PREFIX_IPV4}01.70 IPS_OUT_IPV6 ?= ${PREFIX_IPV6}01::70 -IPS_TRANSP_IPV4 ?= ${PREFIX_IPV4}05.70 -IPS_TRANSP_IPV6 ?= ${PREFIX_IPV6}05::70 -IPS_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}12.70 -IPS_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}0c::70 -IPS_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}13.70 -IPS_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}0d::70 +IPS_ESP_TRANSP_IPV4 ?= ${PREFIX_IPV4}05.70 +IPS_ESP_TRANSP_IPV6 ?= ${PREFIX_IPV6}05::70 +IPS_ESP_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}12.70 +IPS_ESP_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}0c::70 +IPS_ESP_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}13.70 +IPS_ESP_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}0d::70 +IPS_AH_TRANSP_IPV4 ?= ${PREFIX_IPV4}25.70 +IPS_AH_TRANSP_IPV6 ?= ${PREFIX_IPV6}25::70 +IPS_AH_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}32.70 +IPS_AH_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}2c::70 +IPS_AH_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}33.70 +IPS_AH_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}2d::70 RT_IN_IPV4 ?= ${PREFIX_IPV4}01.71 RT_IN_IPV6 ?= ${PREFIX_IPV6}01::71 
@@ -62,10 +75,14 @@ RT_OUT_IPV6 ?= ${PREFIX_IPV6}02::71 ECO_IN_IPV4 ?= ${PREFIX_IPV4}02.72 ECO_IN_IPV6 ?= ${PREFIX_IPV6}02::72 -ECO_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}14.72 -ECO_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}0e::72 -ECO_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}15.72 -ECO_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}0f::72 +ECO_ESP_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}14.72 +ECO_ESP_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}0e::72 +ECO_ESP_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}15.72 +ECO_ESP_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}0f::72 +ECO_AH_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}34.72 +ECO_AH_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}2e::72 +ECO_AH_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}35.72 +ECO_AH_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}2f::72 # Configure Addresses on the machines, there must be routes for the # networks. Adapt interface and addresse variables to your local @@ -114,11 +131,14 @@ addr.py: Makefile .endfor .endfor .endfor -.for host dir in SRC TRANSP SRC TUNNEL \ +.for sec in ESP AH +.for host mode in SRC TRANSP SRC TUNNEL \ IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \ ECO TUNNEL4 ECO TUNNEL6 .for ipv in IPV4 IPV6 - echo '${host}_${dir}_${ipv}="${${host}_${dir}_${ipv}}"' >>$@.tmp + echo '${host}_${sec}_${mode}_${ipv}="${${host}_${sec}_${mode}_${ipv}}"'\ + >>$@.tmp +.endfor .endfor .endfor mv $@.tmp $@ 
@@ -139,59 +159,79 @@ stamp-ipsec: addr.py ipsec.conf # Ping all addresses. This ensures that the IP addresses are configured # and all routing table are set up to allow bidirectional packet flow. -run-regress-ping-IPS_TRANSP_IPV6: +.for host dir in SRC OUT IPS IN IPS OUT RT IN RT OUT ECO IN +.for ping ipv in ping IPV4 ping6 IPV6 +TARGETS += ping-${host}_${dir}_${ipv} +run-regress-ping-${host}_${dir}_${ipv}: + @echo '\n======== $@ ========' + ${ping} -n -c 1 -w 2 ${${host}_${dir}_${ipv}} +.endfor +.endfor + +.for sec in ESP AH + +run-regress-ping-IPS_${sec}_TRANSP_IPV6: @echo '\n======== $@ ========' @echo 'IPv6 IPsec input does not filter enc0 interface with pf. Echo' @echo 'request does not create state and echo reply does not pass pf.' @echo DISABLED -run-regress-tcp-IPS_TRANSP_IPV6: +run-regress-tcp-IPS_${sec}_TRANSP_IPV6: @echo '\n======== $@ ========' @echo 'IPv6 IPsec input does not filter enc0 interface with pf. TCP' @echo 'SYN does not create state and SYN+ACK does not pass pf.' 
@echo DISABLED -.for host dir in SRC OUT SRC TRANSP SRC TUNNEL \ - IPS IN IPS OUT IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \ - RT IN RT OUT \ - ECO IN ECO TUNNEL4 ECO TUNNEL6 +.for host mode in SRC TRANSP SRC TUNNEL \ + IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \ + ECO TUNNEL4 ECO TUNNEL6 .for ping ipv in ping IPV4 ping6 IPV6 -TARGETS += ping-${host}_${dir}_${ipv} -run-regress-ping-${host}_${dir}_${ipv}: +TARGETS += ping-${host}_${sec}_${mode}_${ipv} +run-regress-ping-${host}_${sec}_${mode}_${ipv}: @echo '\n======== $@ ========' - netstat -s -p esp | awk '/input ESP /{print $$1}' >esp.in - netstat -s -p esp | awk '/output ESP /{print $$1}' >esp.out - ${ping} -n -c 1 -w 2 ${${host}_${dir}_${ipv}} -.if "${host}" != SRC && "${dir}" != IN && "${dir}" != OUT - netstat -s -p esp | awk '/input ESP /{print $$1-1}' | diff esp.in - - netstat -s -p esp | awk '/output ESP /{print $$1-1}' | diff esp.out - + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out + ${ping} -n -c 1 -w 2 ${${host}_${sec}_${mode}_${ipv}} +.if "${host}" != SRC + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-1}' |\ + diff pkt.in - + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-1}' |\ + diff pkt.out - .endif .endfor .endfor -.for host dir in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \ +.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \ ECO TUNNEL4 ECO TUNNEL6 .for ipv in IPV4 IPV6 -TARGETS += udp-${host}_${dir}_${ipv} -run-regress-udp-${host}_${dir}_${ipv}: +TARGETS += udp-${host}_${sec}_${mode}_${ipv} +run-regress-udp-${host}_${sec}_${mode}_${ipv}: @echo '\n======== $@ ========' - netstat -s -p esp | awk '/input ESP /{print $$1}' >esp.in - netstat -s -p esp | awk '/output ESP /{print $$1}' >esp.out - echo $$$$ | nc -n -u -w 1 ${${host}_${dir}_${ipv}} 7 | fgrep $$$$ - netstat -s -p esp | awk '/input ESP /{print $$1-1}' | diff esp.in - - netstat -s -p esp | awk '/output ESP /{print $$1-1}' | diff esp.out - - -TARGETS 
+= tcp-${host}_${dir}_${ipv} -run-regress-tcp-${host}_${dir}_${ipv}: + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out + echo $$$$ | nc -n -u -w 1 ${${host}_${sec}_${mode}_${ipv}} 7 |\ + fgrep $$$$ + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-1}' |\ + diff pkt.in - + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-1}' |\ + diff pkt.out - + +TARGETS += tcp-${host}_${sec}_${mode}_${ipv} +run-regress-tcp-${host}_${sec}_${mode}_${ipv}: @echo '\n======== $@ ========' - netstat -s -p esp | awk '/input ESP /{print $$1}' >esp.in - netstat -s -p esp | awk '/output ESP /{print $$1}' >esp.out - echo $$$$ | nc -n -N -w 3 ${${host}_${dir}_${ipv}} 7 | fgrep $$$$ - netstat -s -p esp | awk '/input ESP /{print $$1-4}' | diff esp.in - - netstat -s -p esp | awk '/output ESP /{print $$1-6}' | diff esp.out - + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out + echo $$$$ | nc -n -N -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\ + fgrep $$$$ + netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-4}' |\ + diff pkt.in - + netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-6}' |\ + diff pkt.out - .endfor .endfor +.endfor + REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/} ${REGRESS_TARGETS}: stamp-ipsec 
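Review bot: The counter snapshots `pkt.in` and `pkt.out` are fixed file names now shared by every ping, udp and tcp target for both ESP and AH; under `make -j` two targets can overwrite each other's snapshot between the `>pkt.in` write and the `diff pkt.in -` read, and a file left behind by an aborted run stays in the directory until something removes it. Deriving the names from the target, e.g. `>$@.in` and `diff $@.in -`, keeps each target self-contained; if the clean list does not already cover them, add the pattern there. The exact `$$1-1`, `$$1-4` and `$$1-6` deltas also assume no other ESP or AH traffic touches the host during the test, which is worth a one-line comment above the `.for sec` loop now that both protocols are counted the same way.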
@@ -207,32 +247,41 @@ etc/hostname.${SRC_OUT_IF}: Makefile mkdir -p ${@:H} rm -f $@ $@.tmp echo '### regress ipsec $@' >$@.tmp -.for dir in OUT TRANSP TUNNEL - echo '# SRC_${dir}' >>$@.tmp + echo '# SRC_OUT' >>$@.tmp +.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 + echo '${inet} alias ${SRC_OUT_${ipv}} ${masklen}' >>$@.tmp +.endfor +.for sec in ESP AH + echo '## SRC_${sec}' >>$@.tmp +.for mode in TRANSP TUNNEL + echo '# SRC_${sec}_${mode}' >>$@.tmp .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 - echo '${inet} alias ${SRC_${dir}_${ipv}} ${masklen}' >>$@.tmp + echo '${inet} alias ${SRC_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp .endfor .endfor - echo '# IPS_TRANSP_IPV6/64 IPS_IN_IPV6' >>$@.tmp - echo '!route -q delete -inet6 ${IPS_TRANSP_IPV6}/64' >>$@.tmp - echo '!route add -inet6 ${IPS_TRANSP_IPV6}/64 ${IPS_IN_IPV6}' >>$@.tmp + echo '# IPS_${sec}_TRANSP_IPV6/64 IPS_IN_IPV6' >>$@.tmp + echo '!route -q delete -inet6 ${IPS_${sec}_TRANSP_IPV6}/64' >>$@.tmp + echo '!route add -inet6 ${IPS_${sec}_TRANSP_IPV6}/64 ${IPS_IN_IPV6}'\ + >>$@.tmp .for host dir in RT IN ECO IN echo '# ${host}_${dir}/pfxlen IPS_IN' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 echo '!route -q delete -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ >>$@.tmp - echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ - ${IPS_IN_${ipv}} >>$@.tmp + echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}\ + ${IPS_IN_${ipv}}' >>$@.tmp .endfor .endfor .for host in IPS ECO -.for dir in TUNNEL4 TUNNEL6 - echo '# ${host}_${dir}/pfxlen reject ${SRC_TUNNEL_${ipv}}' >>$@.tmp +.for mode in TUNNEL4 TUNNEL6 + echo '# ${host}_${sec}_${mode}/pfxlen reject\ + ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ - >>$@.tmp - echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ - -reject ${SRC_TUNNEL_${ipv}} >>$@.tmp + echo '!route -q delete 
-${inet}\ + ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp + echo '!route add -${inet} ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}\ + -reject ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp +.endfor .endfor .endfor .endfor @@ -242,22 +291,28 @@ ${IPS_SSH}/hostname.${IPS_IN_IF}: Makefile mkdir -p ${@:H} rm -f $@ $@.tmp echo '### regress ipsec $@' >$@.tmp -.for dir in IN TRANSP - echo '# IPS_${dir}' >>$@.tmp + echo '# IPS_IN' >>$@.tmp .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 - echo '${inet} alias ${IPS_${dir}_${ipv}} ${masklen}' >>$@.tmp + echo '${inet} alias ${IPS_IN_${ipv}} ${masklen}' >>$@.tmp .endfor +.for sec in ESP AH + echo '## IPS_${sec}' >>$@.tmp + echo '# IPS_${sec}_TRANSP' >>$@.tmp +.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 + echo '${inet} alias ${IPS_${sec}_TRANSP_${ipv}} ${masklen}' >>$@.tmp .endfor - echo '# SRC_TRANSP_IPV6/64 SRC_OUT_IPV6' >>$@.tmp - echo '!route -q delete -inet6 ${SRC_TRANSP_IPV6}/64' >>$@.tmp - echo '!route add -inet6 ${SRC_TRANSP_IPV6}/64 ${SRC_OUT_IPV6}' >>$@.tmp -.for host dir in SRC TUNNEL - echo '# ${host}_${dir}/pfxlen reject ${IPS_IN_${ipv}}' >>$@.tmp -.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ + echo '# SRC_${sec}_TRANSP_IPV6/64 SRC_OUT_IPV6' >>$@.tmp + echo '!route -q delete -inet6 ${SRC_${sec}_TRANSP_IPV6}/64' >>$@.tmp + echo '!route add -inet6 ${SRC_${sec}_TRANSP_IPV6}/64 ${SRC_OUT_IPV6}'\ >>$@.tmp - echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\ - -reject ${IPS_IN_${ipv}} >>$@.tmp +.for mode in TUNNEL + echo '# SRC_${sec}_${mode}/pfxlen reject ${IPS_IN_${ipv}}' >>$@.tmp +.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 + echo '!route -q delete -${inet}\ + ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp + echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\ + -reject ${IPS_IN_${ipv}}' >>$@.tmp +.endfor .endfor .endfor mv $@.tmp $@ 
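Review bot: The header line `echo '# ${host}_${sec}_${mode}/pfxlen reject\ ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp` references `${ipv}` before the `.for inet ipv pfxlen` loop that defines it, so unless `ipv` is set elsewhere in the Makefile the nested reference expands to nothing and the generated hostname file reads `reject ` with no address; the IPS hostname hunk that follows has the same shape with `reject ${IPS_IN_${ipv}}`. The other headers in these recipes name the variable symbolically (`'# ECO_IN/pfxlen RT_IN'`), so `echo '# ${host}_${sec}_${mode}/pfxlen reject SRC_${sec}_TUNNEL' >>$@.tmp` would be both consistent and correct. The defect predates this commit, but the rename rewrote the line.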
@@ -267,19 +322,33 @@ ${IPS_SSH}/hostname.${IPS_OUT_IF}: Makefile mkdir -p ${@:H} rm -f $@ $@.tmp echo '### regress ipsec $@' >$@.tmp -.for dir in OUT TUNNEL4 TUNNEL6 - echo '# IPS_${dir}' >>$@.tmp + echo '# IPS_OUT' >>$@.tmp .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 - echo '${inet} alias ${IPS_${dir}_${ipv}} ${masklen}' >>$@.tmp -.endfor + echo '${inet} alias ${IPS_OUT_${ipv}} ${masklen}' >>$@.tmp .endfor -.for dir in IN TUNNEL4 TUNNEL6 - echo '# ECO_${dir}/pfxlen RT_IN' >>$@.tmp + echo '# ECO_IN/pfxlen RT_IN' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${ECO_${dir}_${ipv}}/${pfxlen}'\ + echo '!route -q delete -${inet} ${ECO_IN_${ipv}}/${pfxlen}'\ >>$@.tmp - echo '!route add -${inet} ${ECO_${dir}_${ipv}}/${pfxlen}'\ - ${RT_IN_${ipv}} >>$@.tmp + echo '!route add -${inet} ${ECO_IN_${ipv}}/${pfxlen} ${RT_IN_${ipv}}'\ + >>$@.tmp +.endfor +.for sec in ESP AH + echo '## IPS_${sec}' >>$@.tmp +.for mode in TUNNEL4 TUNNEL6 + echo '# IPS_${sec}_${mode}' >>$@.tmp +.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 + echo '${inet} alias ${IPS_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp +.endfor +.endfor +.for mode in TUNNEL4 TUNNEL6 + echo '# ECO_${sec}_${mode}/pfxlen RT_IN' >>$@.tmp +.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 + echo '!route -q delete -${inet}\ + ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp + echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\ + ${RT_IN_${ipv}}' >>$@.tmp +.endfor .endfor .endfor mv $@.tmp $@ 
@@ -293,14 +362,24 @@ ${RT_SSH}/hostname.${RT_IN_IF}: Makefile .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 echo '${inet} alias ${RT_IN_${ipv}} ${masklen}' >>$@.tmp .endfor -.for dir in OUT TUNNEL - echo '# SRC_${dir}/pfxlen IPS_OUT' >>$@.tmp + echo '# SRC_OUT/pfxlen IPS_OUT' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${SRC_${dir}_${ipv}}/${pfxlen}'\ + echo '!route -q delete -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\ >>$@.tmp - echo '!route add -${inet} ${SRC_${dir}_${ipv}}/${pfxlen}'\ + echo '!route add -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\ ${IPS_OUT_${ipv}} >>$@.tmp .endfor +.for sec in ESP AH + echo '## IPS_${sec}' >>$@.tmp +.for mode in TUNNEL + echo '# SRC_${mode}/pfxlen IPS_OUT' >>$@.tmp +.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 + echo '!route -q delete -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}'\ + >>$@.tmp + echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\ + ${IPS_OUT_${ipv}}' >>$@.tmp +.endfor +.endfor .endfor mv $@.tmp $@ @@ -313,13 +392,16 @@ ${RT_SSH}/hostname.${RT_OUT_IF}: Makefile .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 echo '${inet} alias ${RT_OUT_${ipv}} ${masklen}' >>$@.tmp .endfor -.for dir in TUNNEL4 TUNNEL6 - echo '# ECO_${dir}/pfxlen ECO_IN' >>$@.tmp +.for sec in ESP AH + echo '## IPS_${sec}' >>$@.tmp +.for mode in TUNNEL4 TUNNEL6 + echo '# ECO_${sec}_${mode}/pfxlen ECO_IN' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${ECO_${dir}_${ipv}}/${pfxlen}'\ - >>$@.tmp - echo '!route add -${inet} ${ECO_${dir}_${ipv}}/${pfxlen}'\ - ${ECO_IN_${ipv}} >>$@.tmp + echo '!route -q delete -${inet}\ + ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp + echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\ + ${ECO_IN_${ipv}}' >>$@.tmp +.endfor .endfor .endfor mv $@.tmp $@ 
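Review bot: In the RT_IN hostname recipe the header `echo '# SRC_${mode}/pfxlen IPS_OUT' >>$@.tmp` drops `${sec}`, so the generated file carries two identical `# SRC_TUNNEL/pfxlen IPS_OUT` headings, one per protocol, while the routes under them differ. The sibling recipes in this commit write `'# SRC_${sec}_${mode}/pfxlen RT_OUT'`; `echo '# SRC_${sec}_${mode}/pfxlen IPS_OUT' >>$@.tmp` matches them and makes the generated file self-describing.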
@@ -329,26 +411,35 @@ ${ECO_SSH}/hostname.${ECO_IN_IF}: Makefile mkdir -p ${@:H} rm -f $@ $@.tmp echo '### regress ipsec $@' >$@.tmp -.for dir in IN TUNNEL4 TUNNEL6 - echo '# ECO_${dir}' >>$@.tmp + echo '# ECO_IN' >>$@.tmp .for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 - echo '${inet} alias ${ECO_${dir}_${ipv}} ${masklen}' >>$@.tmp + echo '${inet} alias ${ECO_IN_${ipv}} ${masklen}' >>$@.tmp .endfor -.endfor - echo '# IPS_OUT/pfxlen RT_OUT' >>$@.tmp +.for host in IPS SRC + echo '# ${host}_OUT/pfxlen RT_OUT' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${IPS_OUT_${ipv}}/${pfxlen}'\ + echo '!route -q delete -${inet} ${${host}_OUT_${ipv}}/${pfxlen}'\ >>$@.tmp - echo '!route add -${inet} ${IPS_OUT_${ipv}}/${pfxlen}'\ - ${RT_OUT_${ipv}} >>$@.tmp + echo '!route add -${inet} ${${host}_OUT_${ipv}}/${pfxlen}\ + ${RT_OUT_${ipv}}' >>$@.tmp +.endfor +.endfor +.for sec in ESP AH + echo '## IPS_${sec}' >>$@.tmp +.for mode in TUNNEL4 TUNNEL6 + echo '# ECO_${sec}_${mode}' >>$@.tmp +.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64 + echo '${inet} alias ${ECO_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp .endfor -.for dir in OUT TUNNEL - echo '# SRC_${dir}/pfxlen RT_OUT' >>$@.tmp +.endfor +.for mode in TUNNEL + echo '# SRC_${sec}_${mode}/pfxlen RT_OUT' >>$@.tmp .for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64 - echo '!route -q delete -${inet} ${SRC_${dir}_${ipv}}/${pfxlen}'\ - >>$@.tmp - echo '!route add -${inet} ${SRC_${dir}_${ipv}}/${pfxlen}'\ - ${RT_OUT_${ipv}} >>$@.tmp + echo '!route -q delete -${inet}\ + ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp + echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\ + ${RT_OUT_${ipv}}' >>$@.tmp +.endfor .endfor .endfor mv $@.tmp $@ 
@@ -384,7 +475,7 @@ check-setup: check-setup-src check-setup-ips check-setup-rt check-setup-eco check-setup-src: @echo '\n======== $@ ========' .for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6 -.for host dir in SRC OUT SRC TRANSP SRC TUNNEL +.for host dir in SRC OUT ${ping} -n -c 1 ${${host}_${dir}_${ipv}} # ${host}_${dir}_${ipv} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 
@@ -395,21 +486,31 @@ check-setup-src: fgrep -q 'gateway: ${IPS_IN_${ipv}}' \ # ${host}_${dir}_${ipv} IPS_IN_${ipv} .endfor -.for host dir in IPS TUNNEL4 IPS TUNNEL6 ECO TUNNEL4 ECO TUNNEL6 - route -n get -${inet} ${${host}_${dir}_${ipv}} |\ - grep -q 'flags: .*REJECT' # ${host}_${dir}_${ipv} +.for sec in ESP AH +.for host mode in SRC TRANSP SRC TUNNEL + ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ + # ${host}_${sec}_${mode}_${ipv} + route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} .endfor +.for host mode in IPS TUNNEL4 IPS TUNNEL6 ECO TUNNEL4 ECO TUNNEL6 + route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + grep -q 'flags: .*REJECT' # ${host}_${sec}_${mode}_${ipv} .endfor - route -n get -inet ${IPS_TRANSP_IPV4} |\ - egrep -q 'flags: .*(CLONING|CLONED)' # IPS_TRANSP_IPV4 - route -n get -inet6 ${IPS_TRANSP_IPV6} |\ +.endfor +.endfor +.for sec in ESP AH + route -n get -inet ${IPS_${sec}_TRANSP_IPV4} |\ + egrep -q 'flags: .*(CLONING|CLONED)' # IPS_${sec}_TRANSP_IPV4 + route -n get -inet6 ${IPS_${sec}_TRANSP_IPV6} |\ fgrep -q 'gateway: ${IPS_IN_IPV6}' \ - # IPS_TRANSP_IPV6 IPS_IN_IPV6 + # IPS_${sec}_TRANSP_IPV6 IPS_IN_IPV6 +.endfor check-setup-ips: @echo '\n======== $@ ========' .for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6 -.for host dir in IPS IN IPS OUT IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 +.for host dir in IPS IN IPS OUT ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ # ${host}_${dir}_${ipv} ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 
@@ -417,26 +518,42 @@ check-setup-ips: .endfor ssh ${IPS_SSH} ${ping} -n -c 1 ${SRC_OUT_${ipv}} # SRC_OUT_${ipv} ssh ${IPS_SSH} ${ping} -n -c 1 ${RT_IN_${ipv}} # RT_IN_${ipv} -.for host dir in RT OUT ECO IN ECO TUNNEL4 ECO TUNNEL6 +.for host dir in RT OUT ECO IN ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ fgrep -q 'gateway: ${RT_IN_${ipv}}' \ # ${host}_${dir}_${ipv} RT_IN_${ipv} .endfor -.for host dir in SRC TUNNEL - ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ - grep -q 'flags: .*REJECT' # ${host}_${dir}_${ipv} +.for sec in ESP AH +.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 + ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ + # ${host}_${sec}_${mode}_${ipv} + ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} .endfor -.for host dir in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 +.for host mode in ECO TUNNEL4 ECO TUNNEL6 + ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + fgrep -q 'gateway: ${RT_IN_${ipv}}' \ + # ${host}_${sec}_${mode}_${ipv} RT_IN_${ipv} +.endfor +.for host mode in SRC TUNNEL + ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + grep -q 'flags: .*REJECT' # ${host}_${sec}_${mode}_${ipv} +.endfor +.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 ssh ${IPS_SSH} netstat -nav -f ${inet} -p udp |\ - fgrep ' ${${host}_${dir}_${ipv}}.7 ' # ${host}_${dir}_${ipv} + fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ + # ${host}_${sec}_${mode}_${ipv} +.endfor .endfor ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' .endfor - ssh ${IPS_SSH} route -n get -inet ${SRC_TRANSP_IPV4} |\ - egrep -q 'flags: .*(CLONING|CLONED)' # SRC_TRANSP_IPV4 - ssh ${IPS_SSH} route -n get -inet6 ${SRC_TRANSP_IPV6} |\ +.for sec in ESP AH + ssh ${IPS_SSH} route -n get -inet ${SRC_${sec}_TRANSP_IPV4} |\ + egrep -q 'flags: .*(CLONING|CLONED)' # SRC_${sec}_TRANSP_IPV4 + ssh ${IPS_SSH} route 
-n get -inet6 ${SRC_${sec}_TRANSP_IPV6} |\ fgrep -q 'gateway: ${SRC_OUT_IPV6}' \ - # SRC_TRANSP_IPV6 SRC_OUT_IPV6 + # SRC_${sec}_TRANSP_IPV6 SRC_OUT_IPV6 +.endfor check-setup-rt: @echo '\n======== $@ ========' 
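Review bot: check-setup-ips closes its per-family loop with `ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '`, checking the TCP echo listener on the ECO machine although every other command in this target, including the new UDP listener checks right above it, runs on `${IPS_SSH}`, and check-setup-eco has its own copy of the ECO line. Unless that is intentional, `ssh ${IPS_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '` is the check that the run-regress-tcp-IPS_* targets actually depend on. The line is context here, not changed by this commit, but the new AH TCP targets now rely on it as much as the ESP ones.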
@@ -448,37 +565,58 @@ check-setup-rt: grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} .endfor ssh ${RT_SSH} ${ping} -n -c 1 ${IPS_OUT_${ipv}} # IPS_OUT_${ipv} -.for host dir in IPS IN SRC OUT SRC TUNNEL +.for host dir in IPS IN SRC OUT ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ # ${host}_${dir}_${ipv} IPS_OUT_${ipv} .endfor ssh ${RT_SSH} ${ping} -n -c 1 ${ECO_IN_${ipv}} # ECO_IN_${ipv} -.for host dir in ECO TUNNEL4 ECO TUNNEL6 - ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ +.for sec in ESP AH +.for host mode in SRC TUNNEL + ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ + # ${host}_${sec}_${mode}_${ipv} IPS_OUT_${ipv} +.endfor +.for host mode in ECO TUNNEL4 ECO TUNNEL6 + ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ fgrep -q 'gateway: ${ECO_IN_${ipv}}' \ - # ${host}_${dir}_${ipv} ECO_IN_${ipv} + # ${host}_${sec}_${mode}_${ipv} ECO_IN_${ipv} +.endfor .endfor .endfor check-setup-eco: @echo '\n======== $@ ========' .for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6 -.for host dir in ECO IN ECO TUNNEL4 ECO TUNNEL6 +.for host dir in ECO IN ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ # ${host}_${dir}_${ipv} ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} .endfor ssh ${ECO_SSH} ${ping} -n -c 1 ${RT_OUT_${ipv}} # RT_OUT_${ipv} -.for host dir in RT IN IPS OUT IPS IN SRC OUT SRC TUNNEL +.for host dir in RT IN IPS OUT IPS IN SRC OUT ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ # ${host}_${dir}_${ipv} RT_OUT_${ipv} .endfor -.for host dir in ECO TUNNEL4 ECO TUNNEL6 +.for sec in ESP AH +.for host mode in ECO TUNNEL4 ECO TUNNEL6 + ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ + # ${host}_${sec}_${mode}_${ipv} + ssh ${ECO_SSH} route -n get -${inet} 
${${host}_${sec}_${mode}_${ipv}} |\ + grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} +.endfor +.for host mode in SRC TUNNEL + ssh ${ECO_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ + fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ + # ${host}_${sec}_${mode}_${ipv} RT_OUT_${ipv} +.endfor +.for host mode in ECO TUNNEL4 ECO TUNNEL6 ssh ${ECO_SSH} netstat -nav -f ${inet} -p udp |\ - fgrep ' ${${host}_${dir}_${ipv}}.7 ' # ${host}_${dir}_${ipv} + fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ + # ${host}_${sec}_${mode}_${ipv} +.endfor .endfor ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' .endfor diff --git a/regress/sys/netinet/ipsec/README b/regress/sys/netinet/ipsec/README index 55bed875dea..fc26fbbd9fc 100644 --- a/regress/sys/netinet/ipsec/README +++ b/regress/sys/netinet/ipsec/README @@ -4,10 +4,10 @@ or forward it after decryption. By reflecting the packets, the way back is also tested. When the response is received at the generating machine, the test is considered successful. -Currently ICMP ping, UDP and TCP packets are encrypted with ESP. +Currently ICMP ping, UDP and TCP packets are protected with ESP and AH. Transport and tunnel mode are tested with all combinations of IPv4 and IPv6. TODO: -Tests for AH/IPCOMP/IPIP and path MTU discovery are planned. +Tests for IPCOMP/IPIP and path MTU discovery are planned. BPF output of enc0 and pflog0 should be checked. diff --git a/regress/sys/netinet/ipsec/ipsec.conf b/regress/sys/netinet/ipsec/ipsec.conf index 1c0eaf082a8..23d10368022 100644 --- a/regress/sys/netinet/ipsec/ipsec.conf +++ b/regress/sys/netinet/ipsec/ipsec.conf @@ -1,4 +1,4 @@ -# $OpenBSD: ipsec.conf,v 1.2 2017/02/08 17:58:59 bluhm Exp $ +# $OpenBSD: ipsec.conf,v 1.3 2017/02/13 17:54:27 bluhm Exp $ ### regress ipsec ipsec.conf # Install symmetric config by exchanging local and peer keywords. 
@@ -7,72 +7,74 @@ TO="to" LOCAL="local" PEER="peer" -# TRANSP +## ESP + +# ESP TRANSP flow esp \ - $FROM $SRC_TRANSP_IPV4 $TO $IPS_TRANSP_IPV4 \ - $LOCAL $SRC_TRANSP_IPV4 $PEER $IPS_TRANSP_IPV4 \ + $FROM $SRC_ESP_TRANSP_IPV4 $TO $IPS_ESP_TRANSP_IPV4 \ + $LOCAL $SRC_ESP_TRANSP_IPV4 $PEER $IPS_ESP_TRANSP_IPV4 \ type dontacq flow esp \ - $FROM $SRC_TRANSP_IPV6 $TO $IPS_TRANSP_IPV6 \ - $LOCAL $SRC_TRANSP_IPV6 $PEER $IPS_TRANSP_IPV6 \ + $FROM $SRC_ESP_TRANSP_IPV6 $TO $IPS_ESP_TRANSP_IPV6 \ + $LOCAL $SRC_ESP_TRANSP_IPV6 $PEER $IPS_ESP_TRANSP_IPV6 \ type dontacq -# TRANSP SA +# ESP TRANSP SA esp transport \ - from $SRC_TRANSP_IPV4 to $IPS_TRANSP_IPV4 \ + from $SRC_ESP_TRANSP_IPV4 to $IPS_ESP_TRANSP_IPV4 \ spi 0x10000441:0x10000442 \ authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef esp transport \ - from $SRC_TRANSP_IPV6 to $IPS_TRANSP_IPV6 \ + from $SRC_ESP_TRANSP_IPV6 to $IPS_ESP_TRANSP_IPV6 \ spi 0x10000461:0x10000462 \ authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -# TUNNEL IPS +# ESP TUNNEL IPS flow esp \ - $FROM $SRC_TUNNEL_IPV4/24 $TO $IPS_TUNNEL4_IPV4/24 \ + $FROM $SRC_ESP_TUNNEL_IPV4/24 $TO $IPS_ESP_TUNNEL4_IPV4/24 \ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV6/64 $TO $IPS_TUNNEL4_IPV6/64 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $IPS_ESP_TUNNEL4_IPV6/64 \ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV4/24 $TO $IPS_TUNNEL6_IPV4/24 \ + $FROM $SRC_ESP_TUNNEL_IPV4/24 $TO $IPS_ESP_TUNNEL6_IPV4/24 \ $LOCAL $SRC_OUT_IPV6 
$PEER $IPS_IN_IPV6 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV6/64 $TO $IPS_TUNNEL6_IPV6/64 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $IPS_ESP_TUNNEL6_IPV6/64 \ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ type dontacq -# TUNNEL ECO +# ESP TUNNEL ECO flow esp \ - $FROM $SRC_TUNNEL_IPV4/24 $TO $ECO_TUNNEL4_IPV4/24 \ + $FROM $SRC_ESP_TUNNEL_IPV4/24 $TO $ECO_ESP_TUNNEL4_IPV4/24 \ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV6/64 $TO $ECO_TUNNEL4_IPV6/64 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $ECO_ESP_TUNNEL4_IPV6/64 \ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV4/24 $TO $ECO_TUNNEL6_IPV4/24 \ + $FROM $SRC_ESP_TUNNEL_IPV4/24 $TO $ECO_ESP_TUNNEL6_IPV4/24 \ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ type dontacq flow esp \ - $FROM $SRC_TUNNEL_IPV6/64 $TO $ECO_TUNNEL6_IPV6/64 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $ECO_ESP_TUNNEL6_IPV6/64 \ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ type dontacq -# TUNNEL SA +# ESP TUNNEL SA esp tunnel \ from $SRC_OUT_IPV4 to $IPS_IN_IPV4 \ 
@@ -85,3 +87,84 @@ esp tunnel \ spi 0x10000861:0x10000862 \ authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + +## AH + +# AH TRANSP + +flow ah \ + $FROM $SRC_AH_TRANSP_IPV4 $TO $IPS_AH_TRANSP_IPV4 \ + $LOCAL $SRC_AH_TRANSP_IPV4 $PEER $IPS_AH_TRANSP_IPV4 \ + type dontacq +flow ah \ + $FROM $SRC_AH_TRANSP_IPV6 $TO $IPS_AH_TRANSP_IPV6 \ + $LOCAL $SRC_AH_TRANSP_IPV6 $PEER $IPS_AH_TRANSP_IPV6 \ + type dontacq + +# AH TRANSP SA + +ah transport \ + from $SRC_AH_TRANSP_IPV4 to $IPS_AH_TRANSP_IPV4 \ + spi 0x10002441:0x10002442 \ + authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ + enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + +ah transport \ + from $SRC_AH_TRANSP_IPV6 to $IPS_AH_TRANSP_IPV6 \ + spi 0x10002461:0x10002462 \ + authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ + enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + +# AH TUNNEL IPS + +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV4/24 $TO $IPS_AH_TUNNEL4_IPV4/24 \ + $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ + type dontacq +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV6/64 $TO $IPS_AH_TUNNEL4_IPV6/64 \ + $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ + type dontacq + +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV4/24 $TO $IPS_AH_TUNNEL6_IPV4/24 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV6/64 $TO $IPS_AH_TUNNEL6_IPV6/64 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq + +# AH 
TUNNEL ECO + +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV4/24 $TO $ECO_AH_TUNNEL4_IPV4/24 \ + $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ + type dontacq +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV6/64 $TO $ECO_AH_TUNNEL4_IPV6/64 \ + $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \ + type dontacq + +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV4/24 $TO $ECO_AH_TUNNEL6_IPV4/24 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq +flow ah \ + $FROM $SRC_AH_TUNNEL_IPV6/64 $TO $ECO_AH_TUNNEL6_IPV6/64 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq + +# AH TUNNEL SA + +ah tunnel \ + from $SRC_OUT_IPV4 to $IPS_IN_IPV4 \ + spi 0x10002841:0x10002842 \ + authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ + enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + +ah tunnel \ + from $SRC_OUT_IPV6 to $IPS_IN_IPV6 \ + spi 0x10002861:0x10002862 \ + authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \ + enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef |
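Review bot: The four `ah transport` / `ah tunnel` SAs carry an `enckey`, but AH only authenticates — there is no cipher for that key to feed. If ipsecctl accepts it silently the key is dead configuration that suggests AH gives confidentiality, and if it rejects it the stamp-ipsec step fails; either way the `enckey ...` line should be dropped from the AH SAs, leaving `spi` and `authkey` as the ESP SAs show. Separately, every SA in this file uses the same well-known key in both directions and for both authentication and encryption, which is acceptable for a regress rig but deserves a header comment such as `# fixed test keys - never reuse outside this regress setup` so the file is not lifted as a template.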