-rw-r--r--regress/sys/netinet/ipsec/Makefile101
-rw-r--r--regress/sys/netinet/ipsec/ipsec.conf75
2 files changed, 139 insertions, 37 deletions
diff --git a/regress/sys/netinet/ipsec/Makefile b/regress/sys/netinet/ipsec/Makefile
index 00a3b08eee5..2f22552e018 100644
--- a/regress/sys/netinet/ipsec/Makefile
+++ b/regress/sys/netinet/ipsec/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2017/02/13 17:54:27 bluhm Exp $
+# $OpenBSD: Makefile,v 1.6 2017/02/27 16:53:59 bluhm Exp $
# This test needs a manual setup of four machines, the make
# target create-setup can be used distribute the configuration.
@@ -30,6 +30,7 @@
# The encapsulation is chosen by the digit before
# 0,1 ESP
# 2,3 AH
+# 4,5 IPIP
PREFIX_IPV4 ?= 10.188.1
PREFIX_IPV6 ?= fdd7:e83e:66bc:1
@@ -50,6 +51,10 @@ SRC_AH_TRANSP_IPV4 ?= ${PREFIX_IPV4}25.17
SRC_AH_TRANSP_IPV6 ?= ${PREFIX_IPV6}24::17
SRC_AH_TUNNEL_IPV4 ?= ${PREFIX_IPV4}28.17
SRC_AH_TUNNEL_IPV6 ?= ${PREFIX_IPV6}28::17
+SRC_IPIP_TRANSP_IPV4 ?= ${PREFIX_IPV4}45.17
+SRC_IPIP_TRANSP_IPV6 ?= ${PREFIX_IPV6}44::17
+SRC_IPIP_TUNNEL_IPV4 ?= ${PREFIX_IPV4}48.17
+SRC_IPIP_TUNNEL_IPV6 ?= ${PREFIX_IPV6}48::17
IPS_IN_IPV4 ?= ${PREFIX_IPV4}00.70
IPS_IN_IPV6 ?= ${PREFIX_IPV6}00::70
@@ -67,6 +72,12 @@ IPS_AH_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}32.70
IPS_AH_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}2c::70
IPS_AH_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}33.70
IPS_AH_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}2d::70
+IPS_IPIP_TRANSP_IPV4 ?= ${PREFIX_IPV4}45.70
+IPS_IPIP_TRANSP_IPV6 ?= ${PREFIX_IPV6}45::70
+IPS_IPIP_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}52.70
+IPS_IPIP_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}4c::70
+IPS_IPIP_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}53.70
+IPS_IPIP_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}4d::70
RT_IN_IPV4 ?= ${PREFIX_IPV4}01.71
RT_IN_IPV6 ?= ${PREFIX_IPV6}01::71
@@ -83,6 +94,10 @@ ECO_AH_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}34.72
ECO_AH_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}2e::72
ECO_AH_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}35.72
ECO_AH_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}2f::72
+ECO_IPIP_TUNNEL4_IPV4 ?= ${PREFIX_IPV4}54.72
+ECO_IPIP_TUNNEL4_IPV6 ?= ${PREFIX_IPV6}4e::72
+ECO_IPIP_TUNNEL6_IPV4 ?= ${PREFIX_IPV4}55.72
+ECO_IPIP_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}4f::72
# Configure Addresses on the machines, there must be routes for the
# networks. Adapt interface and addresse variables to your local
@@ -131,7 +146,7 @@ addr.py: Makefile
.endfor
.endfor
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
.for host mode in SRC TRANSP SRC TUNNEL \
IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
ECO TUNNEL4 ECO TUNNEL6
@@ -146,14 +161,12 @@ addr.py: Makefile
# load the ipsec sa and flow into the kernel of the SRC and IPS machine
stamp-ipsec: addr.py ipsec.conf
@echo '\n======== $@ ========'
- ${SUDO} ipsecctl -F
cat addr.py ${.CURDIR}/ipsec.conf | ipsecctl -n -f -
- cat addr.py ${.CURDIR}/ipsec.conf | \
- ${SUDO} ipsecctl -f -
+ ${SUDO} ipsecctl -F
+ cat addr.py ${.CURDIR}/ipsec.conf | ${SUDO} ipsecctl -f -
ssh ${IPS_SSH} ${SUDO} ipsecctl -F
- cat addr.py ${.CURDIR}/ipsec.conf | \
- ssh ${IPS_SSH} ${SUDO} ipsecctl -f - \
- -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local
+ cat addr.py ${.CURDIR}/ipsec.conf | ssh ${IPS_SSH} ${SUDO} ipsecctl\
+ -f - -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local
@date >$@
# Ping all addresses. This ensures that the IP addresses are configured
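Review bot: The IPS side still flushes before anything has been validated: `ssh ${IPS_SSH} ${SUDO} ipsecctl -F` runs, and only afterwards is the config piped through ssh with the swapped `-D FROM=to -D TO=from -D LOCAL=peer -D PEER=local` macros, so a parse failure in that variant or a failed ssh/sudo leaves IPS with no SAs or flows — the very hazard the reorder on the local side avoids by running `ipsecctl -n -f -` before `ipsecctl -F`. The -D form is never covered by the local `-n` check, so I would add `cat addr.py ${.CURDIR}/ipsec.conf | ipsecctl -n -f - -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local` immediately before the remote flush. A comment above the target would also help, e.g. `# validate first: -F drops every SA and flow on the machine, not only this test's` (that -F is this broad is my reading of ipsecctl(8); verify).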
@@ -168,34 +181,40 @@ run-regress-ping-${host}_${dir}_${ipv}:
.endfor
.endfor
-.for sec in ESP AH
-
-run-regress-ping-IPS_${sec}_TRANSP_IPV6:
+run-regress-ping-IPS_ESP_TRANSP_IPV6:
@echo '\n======== $@ ========'
@echo 'IPv6 IPsec input does not filter enc0 interface with pf. Echo'
@echo 'request does not create state and echo reply does not pass pf.'
@echo DISABLED
-run-regress-tcp-IPS_${sec}_TRANSP_IPV6:
+run-regress-tcp-IPS_ESP_TRANSP_IPV6:
@echo '\n======== $@ ========'
@echo 'IPv6 IPsec input does not filter enc0 interface with pf. TCP'
@echo 'SYN does not create state and SYN+ACK does not pass pf.'
@echo DISABLED
+.for sec in ESP AH IPIP
+
.for host mode in SRC TRANSP SRC TUNNEL \
IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
ECO TUNNEL4 ECO TUNNEL6
.for ping ipv in ping IPV4 ping6 IPV6
TARGETS += ping-${host}_${sec}_${mode}_${ipv}
+ping ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
+ run-regress-ping-${host}_${sec}_${mode}_${ipv}
run-regress-ping-${host}_${sec}_${mode}_${ipv}:
@echo '\n======== $@ ========'
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out
+ netstat -s -p ${sec:L:S/ipip/ipencap/} |\
+ awk '/input ${sec} /{print $$1}' >pkt.in
+ netstat -s -p ${sec:L:S/ipip/ipencap/} |\
+ awk '/output ${sec} /{print $$1}' >pkt.out
${ping} -n -c 1 -w 2 ${${host}_${sec}_${mode}_${ipv}}
.if "${host}" != SRC
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-1}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} |\
+ awk '/input ${sec} /{print $$1-1}' |\
diff pkt.in -
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-1}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} |\
+ awk '/output ${sec} /{print $$1-1}' |\
diff pkt.out -
.endif
.endfor
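Review bot: The `:S/ipip/ipencap/` rewrite of the netstat protocol name is repeated on every `netstat -s -p` line here and again in the udp/tcp hunk below; the file already uses multi-variable loops (`.for host mode in …`), so the mapping belongs in the loop header, e.g. `.for sec proto in ESP esp AH ah IPIP ipencap` with `netstat -s -p ${proto} | awk '/input ${sec} /{print $$1}' >pkt.in`, which leaves one place to extend for a further encapsulation. The shorthand rule `ping ${host:L} ${sec:L} ${mode:L} ${ipv:L}: run-regress-…` (and its udp/tcp twins) also needs a comment, because it reads like one multi-word target while bmake, as far as I can tell, makes each word (`ping`, `src`, `esp`, `transp`, `ipv4`) a separate target that accumulates every matching run-regress prerequisite across the loops; something like `# shorthand: make esp, make ipip, make ipv6 run every test whose name contains that word` above the loop would save the next reader a trip to make(1). Those bare words are not part of REGRESS_TARGETS, so unless they are declared .PHONY elsewhere in the file, a stray file of the same name in the directory would satisfy them silently.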
@@ -205,27 +224,31 @@ run-regress-ping-${host}_${sec}_${mode}_${ipv}:
ECO TUNNEL4 ECO TUNNEL6
.for ipv in IPV4 IPV6
TARGETS += udp-${host}_${sec}_${mode}_${ipv}
+udp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
+ run-regress-udp-${host}_${sec}_${mode}_${ipv}
run-regress-udp-${host}_${sec}_${mode}_${ipv}:
@echo '\n======== $@ ========'
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/input ${sec} /{print $$1}' >pkt.in
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/output ${sec} /{print $$1}' >pkt.out
echo $$$$ | nc -n -u -w 1 ${${host}_${sec}_${mode}_${ipv}} 7 |\
fgrep $$$$
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-1}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/input ${sec} /{print $$1-1}' |\
diff pkt.in -
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-1}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/output ${sec} /{print $$1-1}' |\
diff pkt.out -
TARGETS += tcp-${host}_${sec}_${mode}_${ipv}
+tcp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
+ run-regress-tcp-${host}_${sec}_${mode}_${ipv}
run-regress-tcp-${host}_${sec}_${mode}_${ipv}:
@echo '\n======== $@ ========'
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1}' >pkt.in
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1}' >pkt.out
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/input ${sec} /{print $$1}' >pkt.in
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/output ${sec} /{print $$1}' >pkt.out
echo $$$$ | nc -n -N -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\
fgrep $$$$
- netstat -s -p ${sec:L} | awk '/input ${sec} /{print $$1-4}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/input ${sec} /{print $$1-4}' |\
diff pkt.in -
- netstat -s -p ${sec:L} | awk '/output ${sec} /{print $$1-6}' |\
+ netstat -s -p ${sec:L:S/ipip/ipencap/} | awk '/output ${sec} /{print $$1-6}' |\
diff pkt.out -
.endfor
.endfor
@@ -251,7 +274,7 @@ etc/hostname.${SRC_OUT_IF}: Makefile
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
echo '${inet} alias ${SRC_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## SRC_${sec}' >>$@.tmp
.for mode in TRANSP TUNNEL
echo '# SRC_${sec}_${mode}' >>$@.tmp
@@ -295,7 +318,7 @@ ${IPS_SSH}/hostname.${IPS_IN_IF}: Makefile
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
echo '${inet} alias ${IPS_IN_${ipv}} ${masklen}' >>$@.tmp
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## IPS_${sec}' >>$@.tmp
echo '# IPS_${sec}_TRANSP' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
@@ -333,7 +356,7 @@ ${IPS_SSH}/hostname.${IPS_OUT_IF}: Makefile
echo '!route add -${inet} ${ECO_IN_${ipv}}/${pfxlen} ${RT_IN_${ipv}}'\
>>$@.tmp
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
echo '# IPS_${sec}_${mode}' >>$@.tmp
@@ -369,7 +392,7 @@ ${RT_SSH}/hostname.${RT_IN_IF}: Makefile
echo '!route add -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\
${IPS_OUT_${ipv}} >>$@.tmp
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL
echo '# SRC_${mode}/pfxlen IPS_OUT' >>$@.tmp
@@ -392,7 +415,7 @@ ${RT_SSH}/hostname.${RT_OUT_IF}: Makefile
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
echo '${inet} alias ${RT_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
echo '# ECO_${sec}_${mode}/pfxlen ECO_IN' >>$@.tmp
@@ -424,7 +447,7 @@ ${ECO_SSH}/hostname.${ECO_IN_IF}: Makefile
${RT_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
echo '# ECO_${sec}_${mode}' >>$@.tmp
@@ -486,7 +509,7 @@ check-setup-src:
fgrep -q 'gateway: ${IPS_IN_${ipv}}' \
# ${host}_${dir}_${ipv} IPS_IN_${ipv}
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
.for host mode in SRC TRANSP SRC TUNNEL
${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \
# ${host}_${sec}_${mode}_${ipv}
@@ -499,13 +522,16 @@ check-setup-src:
.endfor
.endfor
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
route -n get -inet ${IPS_${sec}_TRANSP_IPV4} |\
egrep -q 'flags: .*(CLONING|CLONED)' # IPS_${sec}_TRANSP_IPV4
route -n get -inet6 ${IPS_${sec}_TRANSP_IPV6} |\
fgrep -q 'gateway: ${IPS_IN_IPV6}' \
# IPS_${sec}_TRANSP_IPV6 IPS_IN_IPV6
.endfor
+ sysctl net.inet.esp.enable | fgrep =1
+ sysctl net.inet.ah.enable | fgrep =1
+ sysctl net.inet.ipip.allow | fgrep =1
check-setup-ips:
@echo '\n======== $@ ========'
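Review bot: The three new `sysctl … | fgrep =1` lines should say what they gate: `net.inet.ipip.allow` in particular is off by default and is what lets the kernel accept the IP-in-IP packets the new IPIP SAs produce, so without it the IPIP tests would presumably fail with a counter mismatch rather than a clear message. I would add above them `# IPIP needs net.inet.ipip.allow=1 on both endpoints, the kernel drops IP-in-IP otherwise; test-bed setting only, it accepts encapsulated packets from any source`. The same three lines are repeated for IPS in the check-setup-ips hunk below and would take the same comment. `fgrep =1` also matches values such as `=10`; `fgrep -x net.inet.ipip.allow=1` pins the exact line if you want the check strict.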
@@ -523,7 +549,7 @@ check-setup-ips:
fgrep -q 'gateway: ${RT_IN_${ipv}}' \
# ${host}_${dir}_${ipv} RT_IN_${ipv}
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6
ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \
# ${host}_${sec}_${mode}_${ipv}
@@ -547,13 +573,16 @@ check-setup-ips:
.endfor
ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
ssh ${IPS_SSH} route -n get -inet ${SRC_${sec}_TRANSP_IPV4} |\
egrep -q 'flags: .*(CLONING|CLONED)' # SRC_${sec}_TRANSP_IPV4
ssh ${IPS_SSH} route -n get -inet6 ${SRC_${sec}_TRANSP_IPV6} |\
fgrep -q 'gateway: ${SRC_OUT_IPV6}' \
# SRC_${sec}_TRANSP_IPV6 SRC_OUT_IPV6
.endfor
+ ssh ${IPS_SSH} sysctl net.inet.esp.enable | fgrep =1
+ ssh ${IPS_SSH} sysctl net.inet.ah.enable | fgrep =1
+ ssh ${IPS_SSH} sysctl net.inet.ipip.allow | fgrep =1
check-setup-rt:
@echo '\n======== $@ ========'
@@ -571,7 +600,7 @@ check-setup-rt:
# ${host}_${dir}_${ipv} IPS_OUT_${ipv}
.endfor
ssh ${RT_SSH} ${ping} -n -c 1 ${ECO_IN_${ipv}} # ECO_IN_${ipv}
-.for sec in ESP AH
+.for sec in ESP AH IPIP
.for host mode in SRC TUNNEL
ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\
fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \
@@ -600,7 +629,7 @@ check-setup-eco:
fgrep -q 'gateway: ${RT_OUT_${ipv}}' \
# ${host}_${dir}_${ipv} RT_OUT_${ipv}
.endfor
-.for sec in ESP AH
+.for sec in ESP AH IPIP
.for host mode in ECO TUNNEL4 ECO TUNNEL6
ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \
# ${host}_${sec}_${mode}_${ipv}
diff --git a/regress/sys/netinet/ipsec/ipsec.conf b/regress/sys/netinet/ipsec/ipsec.conf
index 23d10368022..6ecbc5ad8c6 100644
--- a/regress/sys/netinet/ipsec/ipsec.conf
+++ b/regress/sys/netinet/ipsec/ipsec.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: ipsec.conf,v 1.3 2017/02/13 17:54:27 bluhm Exp $
+# $OpenBSD: ipsec.conf,v 1.4 2017/02/27 16:53:59 bluhm Exp $
### regress ipsec ipsec.conf
# Install symmetric config by exchanging local and peer keywords.
@@ -168,3 +168,76 @@ ah tunnel \
spi 0x10002861:0x10002862 \
authkey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
enckey 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+
+## IPIP
+
+# IPIP TRANSP
+
+flow ipip \
+ $FROM $SRC_IPIP_TRANSP_IPV4 $TO $IPS_IPIP_TRANSP_IPV4 \
+ $LOCAL $SRC_IPIP_TRANSP_IPV4 $PEER $IPS_IPIP_TRANSP_IPV4 \
+ type use
+flow ipip \
+ $FROM $SRC_IPIP_TRANSP_IPV6 $TO $IPS_IPIP_TRANSP_IPV6 \
+ $LOCAL $SRC_IPIP_TRANSP_IPV6 $PEER $IPS_IPIP_TRANSP_IPV6 \
+ type use
+
+# IPIP TRANSP SA
+
+ipip transport \
+ from $SRC_IPIP_TRANSP_IPV4 to $IPS_IPIP_TRANSP_IPV4 \
+ spi 0x10006441:0x10006442
+
+ipip transport \
+ from $SRC_IPIP_TRANSP_IPV6 to $IPS_IPIP_TRANSP_IPV6 \
+ spi 0x10006461:0x10006462
+
+# IPIP TUNNEL IPS
+
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV4/24 $TO $IPS_IPIP_TUNNEL4_IPV4/24 \
+ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \
+ type use
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV6/64 $TO $IPS_IPIP_TUNNEL4_IPV6/64 \
+ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \
+ type use
+
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV4/24 $TO $IPS_IPIP_TUNNEL6_IPV4/24 \
+ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \
+ type use
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV6/64 $TO $IPS_IPIP_TUNNEL6_IPV6/64 \
+ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \
+ type use
+
+# IPIP TUNNEL ECO
+
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV4/24 $TO $ECO_IPIP_TUNNEL4_IPV4/24 \
+ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \
+ type use
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV6/64 $TO $ECO_IPIP_TUNNEL4_IPV6/64 \
+ $LOCAL $SRC_OUT_IPV4 $PEER $IPS_IN_IPV4 \
+ type use
+
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV4/24 $TO $ECO_IPIP_TUNNEL6_IPV4/24 \
+ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \
+ type use
+flow ipip \
+ $FROM $SRC_IPIP_TUNNEL_IPV6/64 $TO $ECO_IPIP_TUNNEL6_IPV6/64 \
+ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \
+ type use
+
+# IPIP TUNNEL SA
+
+ipip tunnel \
+ from $SRC_OUT_IPV4 to $IPS_IN_IPV4 \
+ spi 0x10006841:0x10006842
+
+ipip tunnel \
+ from $SRC_OUT_IPV6 to $IPS_IN_IPV6 \
+ spi 0x10006861:0x10006862
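Review bot: The new `## IPIP` section deserves a comment stating why these SAs, unlike every ESP and AH SA above them (which carry authkey/enckey), have no keys at all: IP-in-IP is bare encapsulation providing neither integrity nor confidentiality, so these flows and SAs exercise only the encapsulation and accounting path, and the `type use` flows will hand the inner packet to the tunnel without any protection. I would put `# IPIP has no keys: plain encapsulation, no integrity or confidentiality; exercised only for the encapsulation path` directly under `## IPIP`. The SPI scheme (0x100064xx/0x100068xx) mirrors the AH tunnel SA visible at the top of the hunk, which is worth a one-line note as well since nothing else ties the numbers to the ESP/AH sections.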