1 AT_BANNER([ovs-monitor-ipsec])
3 AT_SETUP([ovs-monitor-ipsec])
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5 AT_SKIP_IF([$non_ascii_cwd])
7 OVS_RUNDIR=`pwd`; export OVS_RUNDIR
8 OVS_DBDIR=`pwd`; export OVS_DBDIR
9 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
10 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
12 ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
14 mkdir etc etc/init.d etc/racoon etc/racoon/certs
17 AT_DATA([etc/init.d/racoon], [dnl
22 chmod +x etc/init.d/racoon
24 AT_DATA([usr/sbin/setkey], [dnl
32 chmod +x usr/sbin/setkey
34 touch etc/racoon/certs/ovs-stale.pem
37 ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
39 trim () { # Removes blank lines and lines starting with # from input.
40 sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
44 ### Start ovsdb-server.
49 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
52 [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
53 "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
54 unix:socket 2>log 3>actions &])
55 AT_CAPTURE_FILE([log])
56 AT_CAPTURE_FILE([actions])
57 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
60 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
64 -- add-port br0 gre0 \
65 -- set interface gre0 type=ipsec_gre \
66 options:remote_ip=1.2.3.4 \
67 options:psk=swordfish])
68 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
69 AT_CHECK([cat actions], [0], [dnl
77 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
78 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
80 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
82 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
83 path pre_shared_key "/etc/racoon/psk.txt";
84 path certificate "/etc/racoon/certs";
89 encryption_algorithm aes;
91 authentication_method pre_shared_key;
98 encryption_algorithm aes;
99 authentication_algorithm hmac_sha1, hmac_md5;
100 compression_algorithm deflate;
105 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
107 AT_CHECK([ovs_vsctl del-port gre0])
108 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
109 AT_CHECK([sed '1,9d' actions], [0], [dnl
112 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
113 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
119 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
120 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
121 path pre_shared_key "/etc/racoon/psk.txt";
122 path certificate "/etc/racoon/certs";
125 lifetime time 1 hour;
126 encryption_algorithm aes;
127 authentication_algorithm hmac_sha1, hmac_md5;
128 compression_algorithm deflate;
133 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
135 AT_DATA([cert.pem], [dnl
136 -----BEGIN CERTIFICATE-----
137 (not a real certificate)
138 -----END CERTIFICATE-----
140 AT_DATA([key.pem], [dnl
141 -----BEGIN RSA PRIVATE KEY-----
142 (not a real private key)
143 -----END RSA PRIVATE KEY-----
145 AT_CHECK([ovs_vsctl \
146 -- add-port br0 gre1 \
147 -- set Interface gre1 type=ipsec_gre \
148 options:remote_ip=2.3.4.5 \
149 options:peer_cert='"-----BEGIN CERTIFICATE-----
150 (not a real peer certificate)
151 -----END CERTIFICATE-----
153 options:certificate='"/cert.pem"' \
154 options:private_key='"/key.pem"'])
155 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
156 AT_CHECK([sed '1,17d' actions], [0], [dnl
159 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
160 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
162 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
163 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
164 path pre_shared_key "/etc/racoon/psk.txt";
165 path certificate "/etc/racoon/certs";
170 certificate_type x509 "/cert.pem" "/key.pem";
171 my_identifier asn1dn;
172 peers_identifier asn1dn;
173 peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
174 verify_identifier on;
176 encryption_algorithm aes;
178 authentication_method rsasig;
184 lifetime time 1 hour;
185 encryption_algorithm aes;
186 authentication_algorithm hmac_sha1, hmac_md5;
187 compression_algorithm deflate;
190 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
191 -----BEGIN CERTIFICATE-----
192 (not a real peer certificate)
193 -----END CERTIFICATE-----
197 ### Delete the ipsec_gre certificate interface.
199 AT_CHECK([ovs_vsctl del-port gre1])
200 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
201 AT_CHECK([sed '1,21d' actions], [0], [dnl
204 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
205 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
211 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
212 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
213 path pre_shared_key "/etc/racoon/psk.txt";
214 path certificate "/etc/racoon/certs";
217 lifetime time 1 hour;
218 encryption_algorithm aes;
219 authentication_algorithm hmac_sha1, hmac_md5;
220 compression_algorithm deflate;
223 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
226 ### Add an SSL certificate interface.
228 cp cert.pem ssl-cert.pem
229 cp key.pem ssl-key.pem
230 AT_DATA([ssl-cacert.pem], [dnl
231 -----BEGIN CERTIFICATE-----
232 (not a real CA certificate)
233 -----END CERTIFICATE-----
235 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
236 -- add-port br0 gre2 \
237 -- set Interface gre2 type=ipsec_gre \
238 options:remote_ip=3.4.5.6 \
239 options:peer_cert='"-----BEGIN CERTIFICATE-----
240 (not a real peer certificate)
241 -----END CERTIFICATE-----
243 options:use_ssl_cert='"true"'])
244 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
245 AT_CHECK([sed '1,29d' actions], [0], [dnl
248 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
249 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
251 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
252 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
253 path pre_shared_key "/etc/racoon/psk.txt";
254 path certificate "/etc/racoon/certs";
259 certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
260 my_identifier asn1dn;
261 peers_identifier asn1dn;
262 peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
263 verify_identifier on;
265 encryption_algorithm aes;
267 authentication_method rsasig;
273 lifetime time 1 hour;
274 encryption_algorithm aes;
275 authentication_algorithm hmac_sha1, hmac_md5;
276 compression_algorithm deflate;
279 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
280 -----BEGIN CERTIFICATE-----
281 (not a real peer certificate)
282 -----END CERTIFICATE-----
286 ### Delete the SSL certificate interface.
288 AT_CHECK([ovs_vsctl del-port gre2])
289 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
290 AT_CHECK([sed '1,33d' actions], [0], [dnl
293 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
294 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
300 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
301 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
302 path pre_shared_key "/etc/racoon/psk.txt";
303 path certificate "/etc/racoon/certs";
306 lifetime time 1 hour;
307 encryption_algorithm aes;
308 authentication_algorithm hmac_sha1, hmac_md5;
309 compression_algorithm deflate;
312 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
314 OVSDB_SERVER_SHUTDOWN