1#	$NetBSD: t_ipsec_l2tp.sh,v 1.10 2023/08/22 05:40:50 rin Exp $
2#
3# Copyright (c) 2017 Internet Initiative Japan Inc.
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25# POSSIBILITY OF SUCH DAMAGE.
26#
27
# Rump server control sockets, one per simulated host.  The paths are
# relative to the test's working directory, so concurrently running test
# programs do not share (or clobber) each other's servers.  The "tunel"
# spelling in SOCK_TUN_LOCAL is a long-standing typo; the socket is only
# ever referenced through the variable, so it is harmless.
SOCK_LOCAL=unix://ipsec_l2tp_local
SOCK_TUN_LOCAL=unix://ipsec_l2tp_tunel_local
SOCK_TUN_REMOTE=unix://ipsec_l2tp_tunnel_remote
SOCK_REMOTE=unix://ipsec_l2tp_remote
# shmif(4) bus files.  BUS_TUNNEL is the only bus the tests capture from:
# it carries the gateway-to-gateway L2TP/IPsec traffic under test.
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# Verbose by default; export DEBUG=false to silence the setkey(8)
# configuration dumps and the cleanup-time state dump.
: "${DEBUG:=true}"
37
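# Build the tcpdump(8)-style regular expression that a protected L2TP
# packet on the tunnel bus is expected to match.
#
# Arguments:
#   $1 src      outer source address (tunnel endpoint)
#   $2 dst      outer destination address (tunnel endpoint)
#   $3 proto    "esp"; anything else is treated as "ah"
#   $4 ipproto  "ipv4"; anything else is treated as IPv6
#   $5 mode     "tunnel"/"transport"; accepted for the callers' benefit,
#               not needed to build the pattern
# Outputs: the pattern on stdout.
#
# With ESP the L2TP payload is encrypted, so only the ESP header is
# visible and the pattern stops at "ESP".  AH only authenticates, so the
# inner protocol (IP protocol 115, L2TPv3 over IP) is still decoded in
# clear text after the AH header; for IPv4 tcpdump appears to print a
# length field ("102" for the single ping these tests send) after it.
# Note the addresses are interpolated unescaped: "." matches any
# character, which is harmless for the fixed test addresses used here.
make_l2tp_pktstr()
{
	local src="$1"
	local dst="$2"
	local proto="$3"
	local ipproto="$4"
	local mode="$5"
	local proto_cap= proto_str=

	# Operands are quoted so an empty proto/ipproto no longer trips a
	# "[: unary operator expected" error before falling into the AH arm.
	case "$proto" in
	esp)
		proto_cap=ESP
		;;
	*)
		proto_cap=AH
		if [ "$ipproto" = ipv4 ]; then
			proto_str="ip-proto-115 102"
		else
			proto_str="ip-proto-115"
		fi
		;;
	esac

	echo "$src > $dst: $proto_cap.+$proto_str"
}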
60
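# Block until duplicate address detection has finished on every rump
# server (rump.ifconfig -w 10 waits up to 10 seconds per server), so the
# pings that follow are not lost to addresses still marked tentative.
#
# Side effect: RUMP_SERVER is left exported and pointing at the last
# server in the list; callers must re-export it before their next command.
wait_for_all_dad_completions()
{
	# Declared local so the loop variable no longer leaks into the
	# caller's scope.
	local sock=

	for sock in $SOCK_LOCAL $SOCK_TUN_LOCAL $SOCK_TUN_REMOTE $SOCK_REMOTE; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig -w 10
	done
}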
69
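# Run one IPv4 l2tp/IPsec scenario end to end.
#
# Arguments:
#   $1 mode   "tunnel" or "transport": how IPsec wraps the L2TP packets
#   $2 proto  "esp" or "ah"
#   $3 algo   algorithm name handed to generate_algo_args (defined in the
#             shared IPsec test library, not in this file)
#
# Topology (boxes are rump servers, links are shmif(4) buses):
#
#   LOCAL --BUS_LOCAL-- TUN_LOCAL ==BUS_TUNNEL== TUN_REMOTE --BUS_REMOTE-- REMOTE
#   10.0.0.1            20.0.0.1     (l2tp0)     20.0.0.2               10.0.0.2
#
# Each gateway bridges its LAN-side shmif0 with l2tp0, so LOCAL and REMOTE
# share one 10.0.0.0/24 segment.  Only BUS_TUNNEL is captured: the first
# ping must cross it as plain L2TPv3 over IP (ip-proto-115); after SAs
# and "require" policies are installed on both gateways the second ping
# must show up as ESP/AH and, for ESP, must not be decodable as L2TP.
test_ipsec4_l2tp()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=10.0.0.1
	local ip_gwlo_tun=20.0.0.1
	local ip_gwre_tun=20.0.0.2
	local ip_remote=10.0.0.2
	# The SPD entries select the gateway-to-gateway L2TP packets, and
	# both gateways sit on 20.0.0.0/24, so "local" and "remote" are the
	# same prefix here (the 10.0.0.0/24 LAN traffic rides inside L2TP).
	local subnet_local=20.0.0.0
	local subnet_remote=20.0.0.0
	local tmpfile=./tmp
	local outfile=./out
	local str=
	local algo_args="$(generate_algo_args $proto $algo)"

	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
	# Only the gateways need the netipsec, l2tp and bridge components.
	rump_server_crypto_start $SOCK_LOCAL
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	# Local gateway: L2TP session 1234 -> 4321 towards the remote
	# gateway, bridged with the LAN-side shmif0.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwlo_tun/24
	rump_server_add_iface $SOCK_TUN_LOCAL l2tp0
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	rump_server_add_iface $SOCK_TUN_LOCAL bridge0
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: mirror image, session IDs swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwre_tun/24
	rump_server_add_iface $SOCK_TUN_REMOTE l2tp0
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	rump_server_add_iface $SOCK_TUN_REMOTE bridge0
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24

	wait_for_all_dad_completions

	# Drain whatever the setup put on the tunnel bus so the next
	# extraction holds only the ping below.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Phase 1: no IPsec yet.  The ping must cross the tunnel bus as plain
	# L2TPv3 over IP (IP protocol 115) in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwlo_tun > $ip_gwre_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwre_tun > $ip_gwlo_tun: +ip-proto-115" \
	    cat $outfile

	# Phase 2: one manually keyed SA per direction (fixed SPIs 10000 and
	# 10001; the key material comes from generate_algo_args and is
	# test-only, there is no key exchange) plus "require" policies on
	# both gateways.  "require" means a packet matching the selector may
	# not be sent or accepted in clear text.
	if [ $mode = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Host-to-host selectors: only the two tunnel endpoints.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: the same ping must now still succeed, and the only L2TP
	# traffic on the tunnel bus must be wrapped in $proto.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_l2tp_pktstr $ip_gwlo_tun $ip_gwre_tun $proto ipv4 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv4 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	if [ $proto = esp ]; then
		# A "require" policy must not let any L2TP packet escape in
		# clear text.  With ESP the inner protocol is encrypted, so
		# nothing captured after the policies went in may still be
		# decoded as ip-proto-115.  (AH leaves the payload visible by
		# design, so this check only applies to ESP.)
		atf_check -s exit:0 -o not-match:"ip-proto-115" cat $outfile
	fi

	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}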
212
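# Run one IPv6 l2tp/IPsec scenario end to end.  Same structure as
# test_ipsec4_l2tp, with fd00::/64 as the bridged LAN and fc00::/64 as
# the gateway-to-gateway network carrying the L2TP packets.
#
# Arguments:
#   $1 mode   "tunnel" or "transport": how IPsec wraps the L2TP packets
#   $2 proto  "esp" or "ah"
#   $3 algo   algorithm name handed to generate_algo_args (defined in the
#             shared IPsec test library, not in this file)
#
# Only BUS_TUNNEL is captured: the first ping must cross it as plain
# L2TPv3 over IP (ip-proto-115); after SAs and "require" policies are
# installed on both gateways the second ping must show up as ESP/AH and,
# for ESP, must not be decodable as L2TP.
test_ipsec6_l2tp()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=fd00::1
	local ip_gwlo_tun=fc00::1
	local ip_gwre_tun=fc00::2
	local ip_remote=fd00::2
	# The SPD entries select the gateway-to-gateway L2TP packets, and
	# both gateways sit on fc00::/64, so "local" and "remote" are the
	# same prefix here (the fd00::/64 LAN traffic rides inside L2TP).
	local subnet_local=fc00::
	local subnet_remote=fc00::
	local tmpfile=./tmp
	local outfile=./out
	local str=
	local algo_args="$(generate_algo_args $proto $algo)"

	# Only the gateways need the netipsec, l2tp and bridge components.
	rump_server_crypto_start $SOCK_LOCAL netinet6
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE netinet6
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64

	# Local gateway: L2TP session 1234 -> 4321 towards the remote
	# gateway, bridged with the LAN-side shmif0.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwlo_tun/64
	rump_server_add_iface $SOCK_TUN_LOCAL l2tp0
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	rump_server_add_iface $SOCK_TUN_LOCAL bridge0
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: mirror image, session IDs swapped.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwre_tun/64
	rump_server_add_iface $SOCK_TUN_REMOTE l2tp0
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	rump_server_add_iface $SOCK_TUN_REMOTE bridge0
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Prefix length given explicitly, for parity with the local host
	# above, rather than relying on ifconfig's inet6 default.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote/64

	wait_for_all_dad_completions

	# Drain whatever the setup put on the tunnel bus so the next
	# extraction holds only the ping below.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Phase 1: no IPsec yet.  The ping must cross the tunnel bus as plain
	# L2TPv3 over IP (IP protocol 115) in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwlo_tun > $ip_gwre_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwre_tun > $ip_gwlo_tun: +ip-proto-115" \
	    cat $outfile

	# Phase 2: one manually keyed SA per direction (fixed SPIs 10000 and
	# 10001; the key material comes from generate_algo_args and is
	# test-only, there is no key exchange) plus "require" policies on
	# both gateways.  "require" means a packet matching the selector may
	# not be sent or accepted in clear text.
	if [ $mode = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Host-to-host selectors: only the two tunnel endpoints.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: the same ping must now still succeed, and the only L2TP
	# traffic on the tunnel bus must be wrapped in $proto.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_l2tp_pktstr $ip_gwlo_tun $ip_gwre_tun $proto ipv6 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv6 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	if [ $proto = esp ]; then
		# A "require" policy must not let any L2TP packet escape in
		# clear text.  With ESP the inner protocol is encrypted, so
		# nothing captured after the policies went in may still be
		# decoded as ip-proto-115.  (AH leaves the payload visible by
		# design, so this check only applies to ESP.)
		atf_check -s exit:0 -o not-match:"ip-proto-115" cat $outfile
	fi

	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}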
354
# Dispatch one scenario to the address-family specific driver.
#
# Arguments:
#   $1 ipproto  "ipv4" selects test_ipsec4_l2tp; anything else selects
#               test_ipsec6_l2tp
#   $2 mode, $3 proto, $4 algo  passed through unchanged
test_ipsec_l2tp_common()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4

	case $ipproto in
	ipv4)
		test_ipsec4_l2tp $mode $proto $algo
		;;
	*)
		test_ipsec6_l2tp $mode $proto $algo
		;;
	esac
}
368
# Register one ATF test case for an (ipproto, mode, proto, algo) tuple.
#
# The case name is "ipsec_l2tp_<ipproto>_<mode>_<proto>_<algo>" with the
# dashes stripped from the algorithm name (presumably because ATF
# test-case identifiers do not allow them).  The head/body/cleanup
# functions are generated with eval, the usual atf-sh idiom; that is
# acceptable here only because every argument comes from the fixed lists
# in atf_init_test_cases, never from the environment or user input.
# Note the escaped \$DEBUG in the cleanup function: it is evaluated when
# cleanup runs, not when the case is defined.
add_test_ipsec_l2tp()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4
	local _algo=$(printf '%s\n' "$algo" | tr -d '-')
	local name= desc=

	name="ipsec_l2tp_${ipproto}_${mode}_${proto}_${_algo}"
	desc="Tests of l2tp/IPsec ($ipproto) ${mode} mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_ipsec_l2tp_common $ipproto $mode $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
398
# Build the test matrix: every ESP encryption algorithm and every AH
# authentication algorithm from the *_MINIMUM lists (provided by the
# shared IPsec test library, not defined in this file), each in tunnel
# and transport mode over IPv4 and IPv6.  Registration order is kept:
# for each algorithm, tunnel v4, tunnel v6, transport v4, transport v6.
atf_init_test_cases()
{
	local algo= mode= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_l2tp $ipproto $mode esp $algo
			done
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_l2tp $ipproto $mode ah $algo
			done
		done
	done
}
417