#	$NetBSD: t_ipsec_l2tp.sh,v 1.7 2017/08/03 03:16:27 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Rump server control sockets: one end host on each side and one
# IPsec/l2tp gateway in front of each of them.
# (SOCK_TUN_LOCAL keeps the "tunel" spelling it shipped with; it is only a
# socket name, but it differs from SOCK_TUN_REMOTE's "tunnel".)
SOCK_LOCAL=unix://ipsec_l2tp_local
SOCK_REMOTE=unix://ipsec_l2tp_remote
SOCK_TUN_LOCAL=unix://ipsec_l2tp_tunel_local
SOCK_TUN_REMOTE=unix://ipsec_l2tp_tunnel_remote

# shmif buses: the two end-host LANs and the link between the gateways.
BUS_LOCAL=./bus_ipsec_local
BUS_REMOTE=./bus_ipsec_remote
BUS_TUNNEL=./bus_ipsec_tunnel

# DEBUG is executed as a command below ("$DEBUG && cat ..."), so the only
# sensible values are "true" and "false".  Defaults to true when unset/empty.
: "${DEBUG:=true}"

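#
# make_l2tp_pktstr src dst proto ipproto mode
#
# Print the regular expression that a captured l2tp packet from src to dst
# is expected to match once IPsec is in place (used with
# "atf_check -o match:").
#   proto:   esp or ah (anything other than esp is treated as ah)
#   ipproto: ipv4 or ipv6; only changes the ah pattern
#   mode:    tunnel or transport; only changes the ah-over-ipv4 pattern
# For esp only the "ESP" marker is checked.  For ah the l2tp protocol
# number (ip-proto-115) is expected after the "AH" marker, and ah tunnel
# mode over IPv4 additionally shows the ipip encapsulation.
#
make_l2tp_pktstr()
{
	local src=$1
	local dst=$2
	local proto=$3
	local ipproto=$4
	local mode=$5
	local proto_cap= proto_str=

	# Quote the operands: an empty argument would otherwise make "[" fail
	# with a syntax error instead of taking the ah branch cleanly.
	if [ "$proto" = esp ]; then
		proto_cap=ESP
	else
		proto_cap=AH
		case "$ipproto/$mode" in
		ipv4/tunnel)
			proto_str="ip-proto-115 102 \(ipip-proto-4\)"
			;;
		ipv4/*)
			proto_str="ip-proto-115 102"
			;;
		*)
			proto_str="ip-proto-115"
			;;
		esac
	fi

	# printf instead of echo: the pattern contains backslashes, and echo's
	# treatment of them differs between shells.
	printf '%s\n' "$src > $dst: $proto_cap.+$proto_str"
}
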
#
# test_ipsec4_l2tp mode proto algo
#
# Build a four-node IPv4 topology and check that l2tp traffic between the
# two end hosts is carried inside IPsec (ESP or AH) between the gateways:
#
#   LOCAL shmif0 --BUS_LOCAL-- shmif0 TUN_LOCAL shmif1 --BUS_TUNNEL--
#     shmif1 TUN_REMOTE shmif0 --BUS_REMOTE-- shmif0 REMOTE
#
# On each gateway l2tp0 is tunnelled to the peer gateway and bridged with
# the LAN-side shmif0, so LOCAL (10.0.0.1) and REMOTE (10.0.0.2) reach each
# other through the l2tp tunnel.  A first ping is checked as plain l2tp,
# then SAs/SPs are installed and a second ping is checked as ESP/AH.
#   mode:  tunnel or transport (IPsec mode between the gateways)
#   proto: esp or ah
#   algo:  algorithm name, turned into setkey arguments by generate_algo_args
# The rump_server_*, extract_new_packets, check_sa_entries and
# test_flush_entries helpers come from the shared IPsec test library; they
# are not defined in this file.
#
test_ipsec4_l2tp()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=10.0.0.1
	local ip_gwlo_tun=20.0.0.1
	local ip_gwre_tun=20.0.0.2
	local ip_remote=10.0.0.2
	# Both "subnets" are the gateways' own 20.0.0.0/24: the policies below
	# select the l2tp packets exchanged between the gateways, not the
	# 10.0.0.0/24 end-host addresses those packets carry.
	local subnet_local=20.0.0.0
	local subnet_remote=20.0.0.0
	local tmpfile=./tmp
	local outfile=./out
	local str=
	local algo_args="$(generate_algo_args $proto $algo)"

	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
	rump_server_crypto_start $SOCK_LOCAL
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	# Local gateway: l2tp0 towards the remote gateway, bridged with the
	# LAN-side shmif0.  The two session IDs are mirrored on the peer.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwlo_tun/24
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: the mirror image of the local one.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwre_tun/24
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	# Run ifconfig -w 10 just once for optimization
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever the setup put on the tunnel bus, so that the captures
	# below presumably hold only the traffic caused by the pings.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Phase 1: no IPsec policy yet.  The ping has to cross the tunnel bus
	# as plain l2tp (ip-proto-115) in both directions.  The dots in the
	# addresses are regex metacharacters; harmless here since the capture
	# only contains these two addresses.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwlo_tun > $ip_gwre_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwre_tun > $ip_gwlo_tun: +ip-proto-115" \
	    cat $outfile

	# Phase 2: install the SAs and SPs on both gateways.  SPI 10000 is
	# the local->remote SA and 10001 the remote->local one; both gateways
	# get the same two SAs and mirrored policies (what is "-P out" on one
	# side is "-P in" on the other).  "require" makes matching traffic
	# mandatory-IPsec.  "<<-" strips the leading tabs of the here-docs;
	# the space-indented continuation lines are fine because each setkey
	# statement ends at ";".
	if [ $mode = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		# DEBUG is run as a command; when true the setkey script,
		# including the SA keys from algo_args, lands in the test log.
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Transport mode: host-to-host (/32) policies between the two
		# gateway addresses, same SAs as above.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	# Both gateways must now show the SAs for the gateway pair.
	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: the same ping must now appear on the tunnel bus as ESP/AH
	# in both directions (pattern from make_l2tp_pktstr).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_l2tp_pktstr $ip_gwlo_tun $ip_gwre_tun $proto ipv4 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv4 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Remove the SAs/SPs again on both gateways.
	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}

#
# test_ipsec6_l2tp mode proto algo
#
# IPv6 counterpart of test_ipsec4_l2tp: same four-node topology
#
#   LOCAL shmif0 --BUS_LOCAL-- shmif0 TUN_LOCAL shmif1 --BUS_TUNNEL--
#     shmif1 TUN_REMOTE shmif0 --BUS_REMOTE-- shmif0 REMOTE
#
# with the end hosts in fd00::/64 and the gateways in fc00::/64, l2tp0 on
# each gateway tunnelled to the peer and bridged with shmif0.  A first ping6
# is checked as plain l2tp, then SAs/SPs are installed and a second ping6
# is checked as ESP/AH.
#   mode:  tunnel or transport (IPsec mode between the gateways)
#   proto: esp or ah
#   algo:  algorithm name, turned into setkey arguments by generate_algo_args
# The rump_server_*, extract_new_packets, check_sa_entries and
# test_flush_entries helpers come from the shared IPsec test library; they
# are not defined in this file.
#
test_ipsec6_l2tp()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=fd00::1
	local ip_gwlo_tun=fc00::1
	local ip_gwre_tun=fc00::2
	local ip_remote=fd00::2
	# Both "subnets" are the gateways' own fc00::/64: the policies below
	# select the l2tp packets exchanged between the gateways, not the
	# fd00::/64 end-host addresses those packets carry.
	local subnet_local=fc00::
	local subnet_remote=fc00::
	local tmpfile=./tmp
	local outfile=./out
	local str=
	local algo_args="$(generate_algo_args $proto $algo)"

	# netinet6 is needed on every node; IPsec, l2tp and bridge only on
	# the two gateways.
	rump_server_crypto_start $SOCK_LOCAL netinet6
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 l2tp bridge
	rump_server_crypto_start $SOCK_REMOTE netinet6
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64

	# Local gateway: l2tp0 towards the remote gateway, bridged with the
	# LAN-side shmif0.  The two session IDs are mirrored on the peer.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwlo_tun/64
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	# Remote gateway: the mirror image of the local one.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 up
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwre_tun/64
	atf_check -s exit:0 rump.ifconfig l2tp0 create
	atf_check -s exit:0 rump.ifconfig l2tp0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
	atf_check -s exit:0 rump.ifconfig l2tp0 up
	atf_check -s exit:0 rump.ifconfig bridge0 create
	atf_check -s exit:0 rump.ifconfig bridge0 up
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0

	export RUMP_SERVER=$SOCK_REMOTE
	# No prefix length here, unlike ip_local/64 above; this relies on
	# ifconfig's inet6 default (presumably /64) -- confirm if changed.
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
	# Run ifconfig -w 10 just once for optimization
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever the setup put on the tunnel bus, so that the captures
	# below presumably hold only the traffic caused by the pings.
	extract_new_packets $BUS_TUNNEL > $outfile

	# Phase 1: no IPsec policy yet.  The ping has to cross the tunnel bus
	# as plain l2tp (ip-proto-115) in both directions.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwlo_tun > $ip_gwre_tun: +ip-proto-115" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_gwre_tun > $ip_gwlo_tun: +ip-proto-115" \
	    cat $outfile

	# Phase 2: install the SAs and SPs on both gateways.  SPI 10000 is
	# the local->remote SA and 10001 the remote->local one; both gateways
	# get the same two SAs and mirrored policies (what is "-P out" on one
	# side is "-P in" on the other).  "require" makes matching traffic
	# mandatory-IPsec.  "<<-" strips the leading tabs of the here-docs;
	# the space-indented continuation lines are fine because each setkey
	# statement ends at ";".
	if [ $mode = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		# DEBUG is run as a command; when true the setkey script,
		# including the SA keys from algo_args, lands in the test log.
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Transport mode: host-to-host (/128) policies between the two
		# gateway addresses, same SAs as above.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	# Both gateways must now show the SAs for the gateway pair.
	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: the same ping must now appear on the tunnel bus as ESP/AH
	# in both directions (pattern from make_l2tp_pktstr).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_l2tp_pktstr $ip_gwlo_tun $ip_gwre_tun $proto ipv6 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv6 $mode)
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Remove the SAs/SPs again on both gateways.
	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}

#
# test_ipsec_l2tp_common ipproto mode proto algo
#
# Dispatch to the IPv4 or IPv6 variant of the l2tp/IPsec test with the
# remaining three arguments.  Anything other than "ipv4" selects the IPv6
# variant.
#
test_ipsec_l2tp_common()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4

	case $ipproto in
	ipv4)
		test_ipsec4_l2tp $mode $proto $algo
		;;
	*)
		test_ipsec6_l2tp $mode $proto $algo
		;;
	esac
}

#
# add_test_ipsec_l2tp ipproto mode proto algo
#
# Register one ATF test case for the given l2tp/IPsec combination by
# generating its head/body/cleanup functions with eval.  The arguments
# are only ever the fixed values listed in atf_init_test_cases; the
# generated code does not quote them, so a value containing quotes, "$"
# or ";" would break (or alter) the generated functions.
#
add_test_ipsec_l2tp()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4
	# Dashes are stripped because the case name becomes part of shell
	# function names below (an algorithm written a-b is registered as ab).
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_l2tp_${ipproto}_${mode}_${proto}_${_algo}"
	desc="Tests of l2tp/IPsec ($ipproto) ${mode} mode with $proto ($algo)"

	# $name, $desc and the parameters are expanded now, when the case is
	# defined.  \$DEBUG is escaped so that DEBUG is looked up when the
	# cleanup function actually runs.  dump and cleanup are helpers from
	# the shared test library (not defined in this file).
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_ipsec_l2tp_common $ipproto $mode $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

#
# atf_init_test_cases
#
# Register every ipproto x mode combination for each ESP encryption and
# each AH authentication algorithm.  The algorithm lists
# (ESP_ENCRYPTION_ALGORITHMS_MINIMUM, AH_AUTHENTICATION_ALGORITHMS_MINIMUM)
# are not set in this file; they are expected from the shared IPsec test
# helpers.  The loop nesting keeps the registration order per algorithm:
# ipv4 tunnel, ipv6 tunnel, ipv4 transport, ipv6 transport.
#
atf_init_test_cases()
{
	local algo= mode= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_l2tp $ipproto $mode esp $algo
			done
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_l2tp $ipproto $mode ah $algo
			done
		done
	done
}
