# $NetBSD: t_ipsec.sh,v 1.11 2020/08/05 01:10:50 knakahara Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Rump server control sockets, one per emulated router.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# IPv4 addressing.  *_LANIP/*_LANNET are the inner (protected) side,
# *_WANIP the outer tunnel endpoints, *_IPSECIP the addresses put on the
# ipsec(4) interfaces.  The *_DUMMY and *_RECURSIVE* values are used by
# the dummy-tunnel and recursive-tunnel helpers.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1

# IPv6 counterparts of the values above.
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG is executed as a command ("$DEBUG && ..."), so it must be "true"
# or "false".  TIMEOUT is passed to rump.ping -w / rump.ping6 -X.
DEBUG=${DEBUG:-false}
TIMEOUT=7

atf_test_case ipsecif_create_destroy cleanup
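# ATF head for ipsecif_create_destroy: description and required program.
ipsecif_create_destroy_head()
{

	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}

# Start one rump server with the ipsec component and run the shared
# create/destroy test against ipsec0.
ipsecif_create_destroy_body()
{

	rump_server_start $SOCK1 ipsec

	test_create_destroy_common $SOCK1 ipsec0
}

# ATF cleanup: optionally dump state, then run the common cleanup.
ipsecif_create_destroy_cleanup()
{

	$DEBUG && dump
	cleanup
}

# Attach shmif0 (LAN, bus0) and shmif1 (WAN, bus1) to one rump server and
# assign their addresses.
#   $1 - rump server socket
#   $2 - LAN address        $3 - "ipv6" or anything else for IPv4
#   $4 - WAN address        $5 - "ipv6" or anything else for IPv4
setup_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	rump_server_add_iface $sock shmif0 bus0
	rump_server_add_iface $sock shmif1 bus1

	export RUMP_SERVER=${sock}

	# Set the DAD probe count to 0 for both address families.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0

	if [ "${lan_mode}" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan}
	else
		atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
	fi
	atf_check -s exit:0 rump.ifconfig shmif0 up
	$DEBUG && rump.ifconfig shmif0

	if [ "${wan_mode}" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan}
	else
		atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
	fi
	atf_check -s exit:0 rump.ifconfig shmif1 up
	atf_check -s exit:0 rump.ifconfig -w 10
	$DEBUG && rump.ifconfig shmif1

	unset RUMP_SERVER
}

# Check that shmif0 and shmif1 exist on one rump server and that the
# router can ping its own LAN and WAN addresses.
# Arguments are the same as for setup_router.
test_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	if [ "${lan_mode}" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan}
	else
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
	fi

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	if [ "${wan_mode}" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan}
	else
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
	fi
	unset RUMP_SERVER
}

# Start both rump servers with the crypto/IPsec components and configure
# the two routers.
#   $1 - inner (LAN) family: "ipv6" or anything else for IPv4
#   $2 - outer (WAN) family: "ipv6" or anything else for IPv4
setup()
{
	local inner=${1}
	local outer=${2}

	rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
	rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

	# NOTE(review): these four are not declared local here (test_setup
	# declares its own); left global to keep the existing behavior.
	router1_lan=""
	router1_lan_mode=""
	router2_lan=""
	router2_lan_mode=""
	if [ "${inner}" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "${outer}" = "ipv6" ]; then
		setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
		    $ROUTER1_WANIP6 ipv6
		setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
		    $ROUTER2_WANIP6 ipv6
	else
		setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
		    $ROUTER1_WANIP ipv4
		setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
		    $ROUTER2_WANIP ipv4
	fi
}

# Run test_router on both routers with the addresses that setup assigns.
#   $1 - inner family, $2 - outer family (as for setup)
test_setup()
{
	local inner=${1}
	local outer=${2}

	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""
	if [ "${inner}" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi
	if [ "${outer}" = "ipv6" ]; then
		test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
		    $ROUTER1_WANIP6 ipv6
		test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
		    $ROUTER2_WANIP6 ipv6
	else
		test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
		    $ROUTER1_WANIP ipv4
		test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
		    $ROUTER2_WANIP ipv4
	fi
}

# Print the "unique#" value of the security policy whose "setkey -DP"
# entry starts with $2 and ends with "($3)".
#   $1 - rump server socket
#   $2 - address the policy line starts with
#   $3 - text expected in the trailing parentheses (callers pass
#        "ipv4" or "ipv6")
# Prints nothing when no policy matches; callers assert non-empty output.
get_if_ipsec_unique()
{
	local sock=${1}
	local src=${2}
	local proto=${3}
	local unique=""

	export RUMP_SERVER=${sock}
	# $HIJACKING is deliberately unquoted so that it word-splits.
	unique=$($HIJACKING setkey -DP |
	    grep -A2 "^${src}.*(${proto})$" |
	    grep unique |
	    sed 's/.*unique#//')
	unset RUMP_SERVER

	echo $unique
}

# Create ipsec0 on one router, set its tunnel endpoints and inner
# addresses, and route the peer's LAN network through it.
#   $1 - rump server socket      $2 - local inner address
#   $3 - remote inner address    $4 - inner family ("ipv6" or IPv4)
#   $5 - tunnel source           $6 - tunnel destination
#   $7 - peer LAN network
# RUMP_SERVER is left exported on return.
setup_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}
	local peernet=${7}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst}
	if [ "${inner}" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote}
		atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr}
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote}
		atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr}
	fi

	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show
}

# Install the inbound and outbound transport-mode SAs for a tunnel, each
# bound with "-u" to the unique id of the matching security policy.
#   $1 - rump server socket   $2 - tunnel source   $3 - tunnel destination
#   $4 - family used to select the policy ("ipv6" or IPv4)
#   $5 - IPsec protocol       $6 - algorithm
#   $7 - direction: "1to2" or anything else for the reverse
# The SPI pairs are fixed per direction and family so that both routers
# end up with matching SAs.
setup_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	# NOTE(review): ./tmp is relative to the current working directory and
	# is not removed here; it presumably carries the key material emitted
	# by generate_algo_args (defined elsewhere) -- confirm.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args="$(generate_algo_args $proto $algo)"

	# Both policies must exist before SAs can be tied to them.
	inunique=$(get_if_ipsec_unique ${sock} ${dst} ${mode})
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique ${sock} ${src} ${mode})
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ "${dir}" = "1to2" ]; then
		if [ "${mode}" = "ipv6" ]; then
			inid="10010"
			outid="10011"
		else
			inid="10000"
			outid="10001"
		fi
	else
		if [ "${mode}" = "ipv6" ]; then
			inid="10011"
			outid="10010"
		else
			inid="10001"
			outid="10000"
		fi
	fi

	cat > $tmpfile <<-EOF
	add $dst $src $proto $inid -u $inunique -m transport $algo_args;
	add $src $dst $proto $outid -u $outunique -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}

# Build the ipsec0 tunnel between the two routers, including the SAs.
#   $1 - inner family   $2 - outer family
#   $3 - IPsec protocol $4 - algorithm
setup_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# Router 1 side.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
	    ${src} ${dst} ${peernet}

	# IPv6-in-IPv4 additionally gets SAs for the outer family's policy.
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2"
	fi
	setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"

	# Router 2 side, with the roles swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
	    ${src} ${dst} ${peernet}
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1"
	fi
	setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
}

# Check on both routers that ipsec0 exists and that the route to the
# peer's LAN network mentions ipsec0.
#   $1 - inner family ("ipv6" or IPv4)
# RUMP_SERVER is left exported (pointing at $SOCK2) on return.
test_setup_tunnel()
{
	local mode=${1}

	local peernet=""
	local opt=""
	if [ "${mode}" = "ipv6" ]; then
		peernet=$ROUTER2_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER2_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}

	if [ "${mode}" = "ipv6" ]; then
		peernet=$ROUTER1_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER1_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}
}

# Remove ipsec0 on both routers and flush their SAs.
# "setkey -F" is not wrapped in atf_check, so a failed flush goes
# unnoticed here.
teardown_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	unset RUMP_SERVER
}

# Create the second interface ipsec1 on one router and set its tunnel
# endpoints and inner addresses.  No route is added.
#   $1 - rump server socket      $2 - local inner address
#   $3 - remote inner address    $4 - inner family ("ipv6" or IPv4)
#   $5 - tunnel source           $6 - tunnel destination
setup_dummy_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock ipsec1
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst}
	if [ "${inner}" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote}
	else
		atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote}
	fi
	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec1
	unset RUMP_SERVER
}

# Install the SA pair for the dummy tunnel.  Arguments are the same as
# for setup_if_ipsec_sa; the SPIs are 20000/20001 and, unlike
# setup_if_ipsec_sa, the "add" lines carry no "-m transport".
setup_dummy_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	# NOTE(review): ./tmp is relative to the current working directory and
	# is not removed here; it presumably carries the key material emitted
	# by generate_algo_args (defined elsewhere) -- confirm.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args="$(generate_algo_args $proto $algo)"

	inunique=$(get_if_ipsec_unique ${sock} ${dst} ${mode})
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique ${sock} ${src} ${mode})
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ "${dir}" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	cat > $tmpfile <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}

# Build the ipsec1 "dummy" tunnel between the *_DUMMY addresses on both
# routers, including its SAs.
#   $1 - inner family   $2 - outer family
#   $3 - IPsec protocol $4 - algorithm
setup_dummy_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""

	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
	    ${src} ${dst}
	setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"

	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
	    ${src} ${dst}
	setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
}

# Check that ipsec1 exists on both routers.
test_setup_dummy_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec1 rump.ifconfig

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec1 rump.ifconfig

	unset RUMP_SERVER
}

# Remove ipsec1 on both routers.
teardown_dummy_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy

	unset RUMP_SERVER
}

# Create the named ipsec interface, configure its tunnel and inner
# addresses, and install its SAs through setup_if_ipsec_sa.
#   $1 - rump server socket   $2 - interface name
#   $3 - local inner address  $4 - remote inner address
#   $5 - inner family         $6 - tunnel source
#   $7 - tunnel destination   $8 - IPsec protocol
#   $9 - algorithm            $10 - direction
setup_recursive_if_ipsec()
{
	local sock=${1}
	local ipsec=${2}
	local addr=${3}
	local remote=${4}
	local inner=${5}
	local src=${6}
	local dst=${7}
	local proto=${8}
	local algo=${9}
	local dir=${10}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock $ipsec
	atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst}
	if [ "${inner}" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote}
	else
		atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote}
	fi
	atf_check -s exit:0 rump.ifconfig -w 10
	setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir}

	# setup_if_ipsec_sa unsets RUMP_SERVER, so export it again.
	export RUMP_SERVER=${sock}
	$DEBUG && rump.ifconfig ${ipsec}
	unset RUMP_SERVER
}

# test in ROUTER1 only
# Stack ipsec1 on the ipsec0 inner addresses and ipsec2 on the ipsec1
# inner addresses.
#   $1 - family ("ipv6" or IPv4)  $2 - IPsec protocol  $3 - algorithm
setup_recursive_tunnels()
{
	local mode=${1}
	local proto=${2}
	local algo=${3}

	local addr=""
	local remote=""
	local src=""
	local dst=""

	if [ "${mode}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
	else
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
	fi
	setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \
	    ${src} ${dst} ${proto} ${algo} "1to2"

	if [ "${mode}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
	else
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
	fi
	setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \
	    ${src} ${dst} ${proto} ${algo} "1to2"
}

# test in router1 only
# A ping through the innermost recursive tunnel must fail, and dmesg must
# contain the recursion-limit message for ipsec0.
#   $1 - family ("ipv6" or IPv4)
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
	fi

	atf_check -o match:'ipsec0: recursively called too many times' \
	    -x "$HIJACKING dmesg"

	$HIJACKING dmesg

	unset RUMP_SERVER
}

# Remove ipsec1 and ipsec2 on router 1.
teardown_recursive_tunnels()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec2 destroy
	unset RUMP_SERVER
}

# Negative check: a ping between the two LAN addresses must fail in both
# directions.
#   $1 - family ("ipv6" or IPv4)
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
		    $ROUTER2_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
		    $ROUTER2_LANIP
	fi

	export RUMP_SERVER=$SOCK2
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
		    $ROUTER1_LANIP6
	else
		# Router 2 must ping from its own LAN address towards router 1,
		# as the IPv6 branch and test_ping_success do; with router 1's
		# address as the source the check says nothing about the
		# router 2 -> router 1 path.
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
		    $ROUTER1_LANIP
	fi

	unset RUMP_SERVER
}

# Positive check: a ping between the two LAN addresses must succeed in
# both directions.
#   $1 - family ("ipv6" or IPv4)
test_ping_success()
{
	# NOTE(review): "mode" is not declared local here, unlike in the
	# sibling helpers; left as is to keep the existing behavior.
	mode=$1

	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
		    $ROUTER2_LANIP6
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
		    $ROUTER2_LANIP
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
		    $ROUTER1_LANIP6
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
		    $ROUTER1_LANIP
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}

# Point ipsec0 at the *_DUMMY endpoints on both routers and expect
# ifconfig to exit 0 while printing an error that mentions
# SIOCSLIFPHYADDR.
#   $1 - outer family ("ipv6" or IPv4)
test_change_tunnel_duplicate()
{
	local mode=$1

	local newsrc=""
	local newdst=""
	if [ "${mode}" = "ipv6" ]; then
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
	else
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	if [ "${mode}" = "ipv6" ]; then
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
	else
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}

# Point ipsec0 at the *_DUMMY endpoints on both routers and expect
# ifconfig to succeed with no output.
#   $1 - outer family ("ipv6" or IPv4)
test_change_tunnel_success()
{
	local mode=$1

	local newsrc=""
	local newdst=""
	if [ "${mode}" = "ipv6" ]; then
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
	else
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0

	if [ "${mode}" = "ipv6" ]; then
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
	else
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}

# Bring up both routers and the ipsec0 tunnel, then verify the setup.
#   $1 - inner family   $2 - outer family
#   $3 - IPsec protocol $4 - algorithm
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup ${inner} ${outer}
	test_setup ${inner} ${outer}

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel ${inner} ${outer} ${proto} ${algo}
	sleep 1
	test_setup_tunnel ${inner}
}

# Verify that traffic passes between the LANs.
#   $1 - inner family   $2 - outer family (unused)
basic_test()
{
	local inner=$1
	local outer=$2 # not used

	test_ping_success ${inner}
}

# Tear the tunnel down and verify that LAN-to-LAN traffic no longer
# passes.
#   $1 - inner family   $2 - outer family (unused)
basic_teardown()
{
	local inner=$1
	local outer=$2 # not used

	teardown_tunnel
	test_ping_failure ${inner}
}

ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup ${inner} ${outer}
	test_setup ${inner} ${outer}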
844b8f54fc7Sknakahara # Enable once PR kern/49219 is fixed 845b8f54fc7Sknakahara #test_ping_failure 846b8f54fc7Sknakahara 847b8f54fc7Sknakahara setup_tunnel ${inner} ${outer} ${proto} ${algo} 848b8f54fc7Sknakahara setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo} 849b8f54fc7Sknakahara sleep 1 850b8f54fc7Sknakahara test_setup_tunnel ${inner} 851b8f54fc7Sknakahara} 852b8f54fc7Sknakahara 853b8f54fc7Sknakaharaioctl_test() 854b8f54fc7Sknakahara{ 855b8f54fc7Sknakahara local inner=$1 856b8f54fc7Sknakahara local outer=$2 857b8f54fc7Sknakahara 858b8f54fc7Sknakahara test_ping_success ${inner} 859b8f54fc7Sknakahara 860b8f54fc7Sknakahara test_change_tunnel_duplicate ${outer} 861b8f54fc7Sknakahara 862b8f54fc7Sknakahara teardown_dummy_tunnel 863b8f54fc7Sknakahara test_change_tunnel_success ${outer} 864b8f54fc7Sknakahara} 865b8f54fc7Sknakahara 866b8f54fc7Sknakaharaioctl_teardown() 867b8f54fc7Sknakahara{ 868b8f54fc7Sknakahara local inner=$1 869b8f54fc7Sknakahara local outer=$2 # not use 870b8f54fc7Sknakahara 871b8f54fc7Sknakahara teardown_tunnel 872b8f54fc7Sknakahara test_ping_failure ${inner} 873b8f54fc7Sknakahara} 874b8f54fc7Sknakahara 875b8f54fc7Sknakahararecursive_setup() 876b8f54fc7Sknakahara{ 877b8f54fc7Sknakahara local inner=$1 878b8f54fc7Sknakahara local outer=$2 879b8f54fc7Sknakahara local proto=$3 880b8f54fc7Sknakahara local algo=$4 881b8f54fc7Sknakahara 882b8f54fc7Sknakahara setup ${inner} ${outer} 883b8f54fc7Sknakahara test_setup ${inner} ${outer} 884b8f54fc7Sknakahara 885b8f54fc7Sknakahara # Enable once PR kern/49219 is fixed 886b8f54fc7Sknakahara #test_ping_failure 887b8f54fc7Sknakahara 888b8f54fc7Sknakahara setup_tunnel ${inner} ${outer} ${proto} ${algo} 889b8f54fc7Sknakahara setup_recursive_tunnels ${inner} ${proto} ${algo} 890b8f54fc7Sknakahara sleep 1 891b8f54fc7Sknakahara test_setup_tunnel ${inner} 892b8f54fc7Sknakahara} 893b8f54fc7Sknakahara 894b8f54fc7Sknakahararecursive_test() 895b8f54fc7Sknakahara{ 896b8f54fc7Sknakahara local inner=$1 
897b8f54fc7Sknakahara local outer=$2 # not use 898b8f54fc7Sknakahara 899b8f54fc7Sknakahara test_recursive_check ${inner} 900b8f54fc7Sknakahara} 901b8f54fc7Sknakahara 902b8f54fc7Sknakahararecursive_teardown() 903b8f54fc7Sknakahara{ 904b8f54fc7Sknakahara local inner=$1 # not use 905b8f54fc7Sknakahara local outer=$2 # not use 906b8f54fc7Sknakahara 907b8f54fc7Sknakahara teardown_recursive_tunnels 908b8f54fc7Sknakahara teardown_tunnel 909b8f54fc7Sknakahara} 910b8f54fc7Sknakahara 911b8f54fc7Sknakaharaadd_test() 912b8f54fc7Sknakahara{ 913b8f54fc7Sknakahara local category=$1 914b8f54fc7Sknakahara local desc=$2 915b8f54fc7Sknakahara local inner=$3 916b8f54fc7Sknakahara local outer=$4 917b8f54fc7Sknakahara local proto=$5 918b8f54fc7Sknakahara local algo=$6 919b8f54fc7Sknakahara local _algo=$(echo $algo | sed 's/-//g') 920b8f54fc7Sknakahara 92111f91074Sozaki-r name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}" 922b8f54fc7Sknakahara fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}" 923b8f54fc7Sknakahara 924b8f54fc7Sknakahara atf_test_case ${name} cleanup 925b8f54fc7Sknakahara eval "${name}_head() { 926b8f54fc7Sknakahara atf_set descr \"${fulldesc}\" 927b8f54fc7Sknakahara atf_set require.progs rump_server setkey 928b8f54fc7Sknakahara } 929b8f54fc7Sknakahara ${name}_body() { 930b8f54fc7Sknakahara ${category}_setup ${inner} ${outer} ${proto} ${algo} 931b8f54fc7Sknakahara ${category}_test ${inner} ${outer} 932b8f54fc7Sknakahara ${category}_teardown ${inner} ${outer} 933b8f54fc7Sknakahara rump_server_destroy_ifaces 934b8f54fc7Sknakahara } 935b8f54fc7Sknakahara ${name}_cleanup() { 936b8f54fc7Sknakahara \$DEBUG && dump 937b8f54fc7Sknakahara cleanup 938b8f54fc7Sknakahara }" 939b8f54fc7Sknakahara atf_add_test_case ${name} 940b8f54fc7Sknakahara} 941b8f54fc7Sknakahara 942b8f54fc7Sknakaharaadd_test_allproto() 943b8f54fc7Sknakahara{ 944b8f54fc7Sknakahara local category=$1 945b8f54fc7Sknakahara local desc=$2 946b8f54fc7Sknakahara 947b8f54fc7Sknakahara for algo in 
$ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 948b8f54fc7Sknakahara add_test ${category} "${desc}" ipv4 ipv4 esp $algo 949b8f54fc7Sknakahara add_test ${category} "${desc}" ipv4 ipv6 esp $algo 950b8f54fc7Sknakahara add_test ${category} "${desc}" ipv6 ipv4 esp $algo 951b8f54fc7Sknakahara add_test ${category} "${desc}" ipv6 ipv6 esp $algo 952b8f54fc7Sknakahara done 953b8f54fc7Sknakahara 954b8f54fc7Sknakahara # ah does not support yet 955b8f54fc7Sknakahara} 956b8f54fc7Sknakahara 957b8f54fc7Sknakaharaatf_init_test_cases() 958b8f54fc7Sknakahara{ 95995dd9007Sozaki-r 96095dd9007Sozaki-r atf_add_test_case ipsecif_create_destroy 96195dd9007Sozaki-r 962b8f54fc7Sknakahara add_test_allproto basic "basic tests" 963b8f54fc7Sknakahara add_test_allproto ioctl "ioctl tests" 964b8f54fc7Sknakahara add_test_allproto recursive "recursive check tests" 965b8f54fc7Sknakahara} 966