# $NetBSD: t_ipsec_natt.sh,v 1.5 2020/06/05 03:24:58 knakahara Exp $
#
# Copyright (c) 2018 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Test topology (four rump servers on two shared buses):
#
#   LOCAL_A (192.168.0.2) --+
#                           |-- BUS_LOCAL -- NAT shmif0 (192.168.0.1)
#   LOCAL_B (192.168.0.3) --+               NAT shmif1 (10.0.0.1)
#                                                |
#                                            BUS_NAT -- REMOTE (10.0.0.2)
#
# The NAT server runs an npf NAPT so that both local hosts appear to the
# remote host as 10.0.0.1 with translated source ports.  The tests then
# bring up ESP-UDP (NAT-T) ipsecif(4) tunnels from each local host through
# the NAPT and verify ping and TCP traffic over them.
SOCK_LOCAL_A=unix://ipsec_natt_local_a
SOCK_LOCAL_B=unix://ipsec_natt_local_b
SOCK_NAT=unix://ipsec_natt_nat
SOCK_REMOTE=unix://ipsec_natt_remote
BUS_LOCAL=./bus_ipsec_natt_local
BUS_NAT=./bus_ipsec_natt_nat

# Set DEBUG=true in the environment to dump interface/SA/NAPT state along
# the way; every `$DEBUG && ...` line below is a no-op otherwise.
DEBUG=${DEBUG:-false}

# Start the four rump servers and attach their shmif interfaces to the
# buses shown in the topology above.  The NAT server is started with npf
# support; the other three with netipsec.
setup_servers()
{

	rump_server_crypto_start $SOCK_LOCAL_A netipsec ipsec
	rump_server_crypto_start $SOCK_LOCAL_B netipsec ipsec
	rump_server_npf_start $SOCK_NAT
	rump_server_crypto_start $SOCK_REMOTE netipsec ipsec
	rump_server_add_iface $SOCK_LOCAL_A shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_LOCAL_B shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT
}

# Create and configure a NAT-T ipsecif(4) tunnel on one server.
#
#   $1 sock         rump server to configure
#   $2 ifid         interface number (ipsec$ifid)
#   $3/$4 src_ip, src_port   local tunnel endpoint (IP and UDP port)
#   $5/$6 dst_ip, dst_port   peer tunnel endpoint (IP and UDP port)
#   $7 ipsecif_ip   address assigned to the ipsecif (/32)
#   $8 peer_ip      peer's ipsecif address; a /32 host route to it is
#                   added via the local ipsecif address
#
# Leaves RUMP_SERVER pointing at $sock.
setup_ipsecif()
{
	local sock=$1
	local ifid=$2
	local src_ip=$3
	local src_port=$4
	local dst_ip=$5
	local dst_port=$6
	local ipsecif_ip=$7
	local peer_ip=$8

	export RUMP_SERVER=$sock
	rump_server_add_iface $sock ipsec$ifid
	atf_check -s exit:0 rump.ifconfig ipsec$ifid link0 # enable NAT-T
	# With NAT-T enabled the tunnel endpoints carry a UDP port each.
	atf_check -s exit:0 rump.ifconfig ipsec$ifid tunnel ${src_ip},${src_port} ${dst_ip},${dst_port}
	atf_check -s exit:0 rump.ifconfig ipsec$ifid ${ipsecif_ip}/32
	atf_check -s exit:0 -o ignore \
	    rump.route -n add ${peer_ip}/32 $ipsecif_ip
}

# Install a pair of transport-mode SAs (outbound and inbound) on one server
# via setkey(8).
#
#   $1 sock        rump server to configure
#   $2 proto       SA protocol, e.g. "esp-udp"
#   $3 algo_args   algorithm/key arguments as produced by generate_algo_args
#   $4/$5 src_ip, src_port   local endpoint; the port is the NAT-T UDP
#                            encapsulation port written in brackets
#   $6/$7 dst_ip, dst_port   peer endpoint (same convention)
#   $8 out_spi     SPI of the src->dst SA
#   $9 in_spi      SPI of the dst->src SA
#
# The setkey script is written to ./tmp in the current (test work)
# directory and fed to setkey on stdin; setkey is expected to be silent.
# Leaves RUMP_SERVER pointing at $sock.
add_sa()
{
	local sock=$1
	local proto=$2
	local algo_args="$3"
	local src_ip=$4
	local src_port=$5
	local dst_ip=$6
	local dst_port=$7
	local out_spi=$8
	local in_spi=$9
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > $tmpfile <<-EOF
	add $src_ip [$src_port] $dst_ip [$dst_port] $proto $out_spi -m transport $algo_args;
	add $dst_ip [$dst_port] $src_ip [$src_port] $proto $in_spi -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	# XXX it can be expired if $lifetime is very short
	# NOTE(review): the disabled check below still names $SOCK_LOCAL,
	# which no longer exists in this file (it was split into
	# $SOCK_LOCAL_A/$SOCK_LOCAL_B); update it before re-enabling.
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_remote
}

# Create $1 containing 512 lines of "0123456789" (5 KiB), used as the
# payload for the TCP transfer checks.  Appends if the file already exists.
prepare_file()
{
	local file=$1
	local data="0123456789"

	touch $file
	for i in `seq 1 512`
	do
		echo $data >> $file
	done
}

# Write an npf.conf to $1 that NAPTs $2 (a CIDR network) out of shmif1.
#
# shmif0 is the internal side (only traffic from $localnet is allowed in),
# shmif1 is the external side with a dynamic (NAPT) map.  The backslash
# before each `$` keeps the npf variable references literal while the
# shell still expands $localnet.  bpf.jit is turned off for the rump
# environment.
build_npf_conf()
{
	local outfile=$1
	local localnet=$2

	cat > $outfile <<-EOF
	set bpf.jit off
	\$int_if = inet4(shmif0)
	\$ext_if = inet4(shmif1)
	\$localnet = { $localnet }
	map \$ext_if dynamic \$localnet -> \$ext_if
	group "external" on \$ext_if {
		pass stateful out final all
	}
	group "internal" on \$int_if {
		block in all
		pass in final from \$localnet
		pass out final all
	}
	group default {
		pass final on lo0 all
		block all
	}
	EOF
}

# File (in the test work directory) listing the PIDs of every NAT-T
# terminator started by start_natt_terminator, so that the cleanup routine
# can kill them even if the test body fails part-way.
PIDSFILE=./terminator.pids

# Start a NAT-T terminator (the natt_terminator helper from the sibling
# ipsec test directory) in the background on one server, bound to $2:$3,
# and record its PID in $PIDSFILE.
#
#   $1 sock  rump server the terminator runs against (via librumphijack)
#   $2 ip    address to bind
#   $3 port  UDP port to bind (4500 for NAT-T)
#   $4       accepted but unused; the global $PIDSFILE is used instead
#
# RUMP_SERVER is restored to its previous value on return.  The trailing
# sleep gives the helper time to start and bind before the caller sends
# traffic through it (no explicit readiness check is done).
start_natt_terminator()
{
	local sock=$1
	local ip=$2
	local port=$3
	local pidsfile=$4
	local backup=$RUMP_SERVER
	local pid=
	local terminator="$(atf_get_srcdir)/../ipsec/natt_terminator"

	export RUMP_SERVER=$sock

	env LD_PRELOAD=/usr/lib/librumphijack.so \
	    $terminator $ip $port &
	pid=$!
	if [ ! -f $PIDSFILE ]; then
		touch $PIDSFILE
	fi
	echo $pid >> $PIDSFILE

	$DEBUG && rump.netstat -a -f inet

	export RUMP_SERVER=$backup

	sleep 1
}

# SIGKILL every PID recorded in $PIDSFILE and remove the file.  Safe to call
# when no terminator was started (the file is simply absent).  Also used
# from the test cleanup routine, so it must not fail the test.
stop_natt_terminators()
{
	local pid=

	if [ ! -f $PIDSFILE ]; then
		return
	fi

	for pid in $(cat $PIDSFILE); do
		kill -9 $pid
	done
	rm -f $PIDSFILE
}

# Ping $4 from server $1 and verify on bus $2 that an ICMP echo request
# from $3 and the matching reply to $3 were observed.
#
# $3 is the source address as seen on the bus, so callers pass the local
# address without NAPT and the NAPT's external address with it.  The first
# extract_new_packets call drains packets already on the bus so that only
# traffic generated by this ping is inspected.  Leaves RUMP_SERVER
# pointing at $1.
check_ping_packets()
{
	local sock=$1
	local bus=$2
	local from_ip=$3
	local to_ip=$4

	local outfile=./out.ping

	extract_new_packets $bus > $outfile

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $to_ip

	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"$from_ip > $to_ip: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$to_ip > $from_ip: ICMP echo reply" \
	    cat $outfile
}

# Ping $3 (the peer's ipsecif address) from server $1 and verify on bus $2
# that the traffic left as UDP-encapsulated ESP between $4.$5 and $6.$7 in
# both directions, i.e. that the packets went through the NAT-T tunnel and
# that the NAPT-translated port is the one expected.
#
#   $4/$5 nat_from_ip, nat_from_port   outer source as seen on the bus
#   $6/$7 nat_to_ip, nat_to_port       outer destination as seen on the bus
#
# Uses a longer ping deadline (-w 7) than check_ping_packets, presumably
# to allow for tunnel setup latency.  Leaves RUMP_SERVER pointing at $1.
check_ping_packets_over_ipsecif()
{
	local sock=$1
	local bus=$2
	local to_ip=$3
	local nat_from_ip=$4
	local nat_from_port=$5
	local nat_to_ip=$6
	local nat_to_port=$7

	local outfile=./out.ping_over_ipsecif

	extract_new_packets $bus > $outfile

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 7 $to_ip

	# Check both ports and UDP encapsulation
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \
	    cat $outfile
}

# Plain (non-IPsec) TCP transfer through the NAPT, used before the tunnels
# exist to confirm the NAPT itself works.
#
#   $1 server_sock  server hosting the nc listener on TCP port 4501
#   $2 client_sock  server sending the file
#   $3 bus          bus to capture on
#   $4 to_ip        address the client connects to
#   $5 nat_from_ip  translated source address expected on the bus
#   $6 nat_to_ip    destination address expected on the bus
#
# Verifies the received file equals the sent one and that the capture shows
# TCP segments in both directions between $5 (any port) and $6.4501.
# Leaves RUMP_SERVER pointing at $2.
check_tcp_com_prepare()
{
	local server_sock=$1
	local client_sock=$2
	local bus=$3
	local to_ip=$4
	local nat_from_ip=$5
	local nat_to_ip=$6

	local outfile=./out.prepare
	local file_send=./file.send.prepare
	local file_recv=./file.recv.prepare

	extract_new_packets $bus > $outfile

	start_nc_server $server_sock 4501 $file_recv ipv4

	prepare_file $file_send
	export RUMP_SERVER=$client_sock
	atf_check -s exit:0 $HIJACKING nc -w 3 $to_ip 4501 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.[0-9]+ > ${nat_to_ip}\.4501" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.4501 > ${nat_from_ip}\.[0-9]+" \
	    cat $outfile

	stop_nc_server
}

# TCP transfer over an ESP-UDP ipsecif(4) tunnel.
#
#   $1 server_sock  server hosting the nc listener on TCP port 4501
#   $2 client_sock  server sending the file
#   $3 bus          bus to capture on
#   $4 to_ip        peer ipsecif address the client connects to
#   $5/$6 nat_from_ip, nat_from_port   outer source expected on the bus
#   $7/$8 nat_to_ip, nat_to_port       outer destination expected on the bus
#
# Verifies the received file equals the sent one and that the capture only
# shows UDP-encapsulated ESP between the given outer endpoints, i.e. the
# TCP payload was carried inside the tunnel.  Leaves RUMP_SERVER pointing
# at $2.
check_tcp_com_over_ipsecif()
{
	local server_sock=$1
	local client_sock=$2
	local bus=$3
	local to_ip=$4
	local nat_from_ip=$5
	local nat_from_port=$6
	local nat_to_ip=$7
	local nat_to_port=$8

	local outfile=./out.ipsecif
	local file_send=./file.send.ipsecif
	local file_recv=./file.recv.ipsecif

	extract_new_packets $bus > $outfile

	start_nc_server $server_sock 4501 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$client_sock
	atf_check -s exit:0 -o ignore $HIJACKING nc -w 7 $to_ip 4501 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Check both ports and UDP encapsulation
	extract_new_packets $bus > $outfile
	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \
	    cat $outfile
}

# Main scenario for one ESP algorithm ($1):
#
#   1. bring up the topology and confirm plain connectivity;
#   2. enable the npf NAPT on the NAT server and confirm translation;
#   3. start a NAT-T terminator on the remote host (UDP 4500);
#   4. for LOCAL_A: punch a NAPT mapping from 4500 with a UDP packet,
#      start a local terminator on 4500, read the translated port off the
#      NAPT, then build ipsec0 on both ends plus transport-mode ESP-UDP SAs
#      keyed on that translated port, and check ping/TCP over the tunnel;
#   5. repeat for LOCAL_B (remote side uses ipsec1 and distinct SPIs),
#      re-checking that the primary tunnel keeps working alongside it.
#
# Every step is an atf_check, so the first failure aborts the test body;
# the terminators are reaped by stop_natt_terminators (also run from
# cleanup).
test_ipsecif_natt_transport()
{
	local algo=$1
	local ip_local_a=192.168.0.2
	local ip_local_b=192.168.0.3
	local ip_nat_local=192.168.0.1
	local ip_nat_remote=10.0.0.1
	local ip_remote=10.0.0.2
	local subnet_local=192.168.0.0
	local ip_local_ipsecif_a=172.16.100.1
	local ip_local_ipsecif_b=172.16.110.1
	local ip_remote_ipsecif_a=172.16.10.1
	local ip_remote_ipsecif_b=172.16.11.1

	local npffile=./npf.conf
	local file_send=./file.send
	local algo_args="$(generate_algo_args esp-udp $algo)"
	local pid= port_a= port_b=

	setup_servers

	# dad_count=0 skips duplicate address detection so the addresses are
	# usable immediately.
	export RUMP_SERVER=$SOCK_LOCAL_A
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_a/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add default $ip_nat_local

	export RUMP_SERVER=$SOCK_LOCAL_B
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_b/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add default $ip_nat_local

	# The NAT server routes between the two buses.
	export RUMP_SERVER=$SOCK_NAT
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1

	# The remote host needs a route back to the local subnet for the
	# pre-NAPT checks; once the NAPT is on, replies go to $ip_nat_remote.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_nat_remote

	# There is no NAT/NAPT. ping should just work.
	check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_local_a $ip_remote
	check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_local_b $ip_remote

	# Setup an NAPT with npf
	build_npf_conf $npffile "$subnet_local/24"

	export RUMP_SERVER=$SOCK_NAT
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show

	# There is an NAPT. ping works but source IP/port are translated
	check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_nat_remote $ip_remote
	check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_nat_remote $ip_remote

	# Try TCP communications just in case
	check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote $ip_nat_remote $ip_remote
	check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote $ip_nat_remote $ip_remote

	# Launch a nc server as a terminator of NAT-T on outside the NAPT
	start_natt_terminator $SOCK_REMOTE $ip_remote 4500
	# Small payload for the mapping-creating UDP packets sent below.
	echo zzz > $file_send

	#################### Test for primary ipsecif(4) NAT-T.

	export RUMP_SERVER=$SOCK_LOCAL_A
	# Send a UDP packet to the remote server at port 4500 from the local
	# host of port 4500. This makes a mapping on the NAPT between them
	atf_check -s exit:0 $HIJACKING \
	    nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
	# Launch a nc server as a terminator of NAT-T on inside the NAPT,
	# taking over port 4500 of the local host.
	start_natt_terminator $SOCK_LOCAL_A $ip_local_a 4500

	# We need to keep the servers for NAT-T

	export RUMP_SERVER=$SOCK_LOCAL_A
	$DEBUG && rump.netstat -na -f inet
	export RUMP_SERVER=$SOCK_REMOTE
	$DEBUG && rump.netstat -na -f inet

	# Get a translated port number from 4500 on the NAPT
	export RUMP_SERVER=$SOCK_NAT
	$DEBUG && $HIJACKING_NPF npfctl list
	# Example `npfctl list` entry the port is extracted from:
	# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
	port_a=$(get_natt_port $ip_local_a $ip_nat_remote)
	$DEBUG && echo port_a=$port_a
	if [ -z "$port_a" ]; then
		atf_fail "Failed to get a translated port on NAPT"
	fi

	# Setup ESP-UDP ipsecif(4) for first client under NAPT
	# The local side tunnels from its own 4500 to remote 4500; the
	# remote side must name the NAPT's external address and the
	# translated port as its peer.
	setup_ipsecif $SOCK_LOCAL_A 0 $ip_local_a 4500 $ip_remote 4500 \
	    $ip_local_ipsecif_a $ip_remote_ipsecif_a
	setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port_a \
	    $ip_remote_ipsecif_a $ip_local_ipsecif_a

	# SPIs 10000/10001 belong to the primary tunnel (the secondary one
	# below uses 11000/11001).
	add_sa $SOCK_LOCAL_A "esp-udp" "$algo_args" \
	    $ip_local_a 4500 $ip_remote 4500 10000 10001
	add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
	    $ip_remote 4500 $ip_nat_remote $port_a 10001 10000

	export RUMP_SERVER=$SOCK_LOCAL_A
	# ping should still work
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# Try ping over the ESP-UDP ipsecif(4)
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Try TCP communications over the ESP-UDP ipsecif(4)
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	#################### Test for secondary ipsecif(4) NAT-T.

	# Dump the remote SAD and SPD into the test log for reference; the
	# output is not checked.
	export RUMP_SERVER=$SOCK_REMOTE
	$HIJACKING setkey -D
	$HIJACKING setkey -DP

	export RUMP_SERVER=$SOCK_LOCAL_B
	# Send a UDP packet to the remote server at port 4500 from the local
	# host of port 4500. This makes a mapping on the NAPT between them
	atf_check -s exit:0 $HIJACKING \
	    nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
	# Launch a nc server as a terminator of NAT-T on inside the NAPT,
	# taking over port 4500 of the local host.
	start_natt_terminator $SOCK_LOCAL_B $ip_local_b 4500

	# We need to keep the servers for NAT-T

	export RUMP_SERVER=$SOCK_LOCAL_B
	$DEBUG && rump.netstat -na -f inet
	export RUMP_SERVER=$SOCK_REMOTE
	$DEBUG && rump.netstat -na -f inet

	# Get a translated port number from 4500 on the NAPT
	export RUMP_SERVER=$SOCK_NAT
	$DEBUG && $HIJACKING_NPF npfctl list
	# Example `npfctl list` entry (shown for client A; B's line has
	# 192.168.0.3 and its own translated port):
	# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
	port_b=$(get_natt_port $ip_local_b $ip_nat_remote)
	$DEBUG && echo port_b=$port_b
	if [ -z "$port_b" ]; then
		atf_fail "Failed to get a translated port on NAPT"
	fi

	# Setup ESP-UDP ipsecif(4) for second client under NAPT
	# The remote end gets a second interface, ipsec1, since ipsec0 is
	# already bound to client A's translated port.
	setup_ipsecif $SOCK_LOCAL_B 0 $ip_local_b 4500 $ip_remote 4500 \
	    $ip_local_ipsecif_b $ip_remote_ipsecif_b
	setup_ipsecif $SOCK_REMOTE 1 $ip_remote 4500 $ip_nat_remote $port_b \
	    $ip_remote_ipsecif_b $ip_local_ipsecif_b

	# The primary tunnel is re-checked here, after ipsec1 exists on the
	# remote but before client B's SAs are installed.
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	add_sa $SOCK_LOCAL_B "esp-udp" "$algo_args" \
	    $ip_local_b 4500 $ip_remote 4500 11000 11001
	add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
	    $ip_remote 4500 $ip_nat_remote $port_b 11001 11000

	export RUMP_SERVER=$SOCK_LOCAL_B
	# ping should still work
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# Try ping over the ESP-UDP ipsecif(4)
	check_ping_packets_over_ipsecif $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500


	# Try TCP communications over the ESP-UDP ipsecif(4)
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
	    $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500

	# Try ping over the ESP-UDP ipsecif(4) for primary again
	check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Try TCP communications over the ESP-UDP ipsecif(4) for primary again
	check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
	    $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500

	# Kill the NAT-T terminator
	stop_natt_terminators
}

# Register one ATF test case for algorithm $1 by eval'ing the generated
# head/body/cleanup functions.  The case name is derived from the
# algorithm with '-' removed.  $algo and $desc are interpolated into the
# eval'd text, so they are expected to be plain algorithm names from
# $ESP_ENCRYPTION_ALGORITHMS_MINIMUM (see atf_init_test_cases), not
# arbitrary input.  The cleanup routine stops the nc server and all NAT-T
# terminators before the generic cleanup so no background processes leak
# when the body fails early.
add_test_ipsecif_natt_transport()
{
	local algo=$1
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Test ipsecif(4) NAT-T ($algo)"
	name="ipsecif_natt_transport_${_algo}"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey nc
	    }
	    ${name}_body() {
	        test_ipsecif_natt_transport $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        stop_nc_server
	        stop_natt_terminators
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# ATF entry point: one test case per algorithm in the minimum ESP
# encryption algorithm list provided by the shared test library.
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_ipsecif_natt_transport $algo
	done
}