AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

# Point every OVS directory at the test's working directory so that the
# daemons started below read and write only inside this sandbox.
sandbox=`pwd`
OVS_RUNDIR=$sandbox; export OVS_RUNDIR
OVS_DBDIR=$sandbox; export OVS_DBDIR
OVS_PKGDATADIR=$sandbox; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

# Kill both background daemons (the "pid" file and ovs-monitor-ipsec.pid)
# when the test finishes.
ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])

# A fake root for the daemon's --root-prefix option.  The racoon init script
# and setkey found under it are the stubs below, so this test never touches
# the real IPsec configuration of the host and no real racoon is ever run.
mkdir -p etc/init.d etc/racoon/certs usr/sbin

# Stub init script: only records how it was invoked on fd 3.
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

# Stub setkey: echoes every configuration line it is fed to fd 3, prefixed
# with "> ", so the exact policies the daemon installs can be asserted.
AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
      echo "> $line"
done
])
chmod +x usr/sbin/setkey

# A leftover pinned peer certificate from an earlier run; the daemon is
# expected to remove it at startup (checked below).
touch etc/racoon/certs/ovs-stale.pem
35
ovs_vsctl () {
    # Run ovs-vsctl against the test's own ovsdb-server on its Unix-domain
    # socket.  --no-wait skips waiting for ovs-vswitchd (none is running in
    # this test) and -vreconnect:emer quiets the reconnect module's logging.
    set -- --no-wait -vreconnect:emer --db=unix:socket "$@"
    ovs-vsctl "$@"
}
trim () {  # Removes blank lines and lines starting with # from input.
    # Used on the generated psk.txt and racoon.conf so that the assertions
    # below compare only effective configuration lines, not any header or
    # comment lines the daemon may write.  An empty result therefore means
    # "no active entries", not necessarily an empty file.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}
42
###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
# --root-prefix redirects the paths the daemon writes and runs (psk.txt,
# racoon.conf, the certs directory, the init script and setkey) into the
# sandbox, which is how the stubs get invoked instead of the host's tools.
# The generated racoon.conf still names the unprefixed /etc paths, since
# that is what a real racoon would read.  fd 3 is where the stubs write, so
# "actions" is the transcript of everything the daemon asked racoon and
# setkey to do; stderr is kept in "log".
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
# ovs-stale.pem was planted with no matching interface; the daemon is
# expected to remove such leftovers at startup, presumably so a peer that
# is no longer configured does not keep a pinned certificate on disk.
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
58
###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
              -- add-br br0 \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
# Wait on the "in" policy line, which the setkey stub records last, so the
# complete startup-plus-add transcript is present before it is compared.
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
# Security note: startup issues "flush;" and "spdflush;" to setkey, which
# clear the host's entire SAD and SPD, not only entries this daemon owns.
# Anything else managing IPsec on the same host loses its state here.
# The policies themselves are transport-mode ESP, level "require" in both
# directions, limited to the GRE protocol to and from the configured peer.
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
# The pre-shared key is stored in clear text in psk.txt; only its content is
# asserted, not the file's mode.  Whether the daemon restricts read access
# on this file is not checked by this test.
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
# Generated racoon.conf for a PSK peer.  Main mode (not aggressive) is used,
# but the proposal is sha1 with dh_group 2 (1024-bit MODP), and the sainfo
# block, being anonymous rather than tied to one peer, still offers
# hmac_md5.  These lines pin the daemon's current defaults; strengthening
# them requires updating this expected output in step.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
103
###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
# From here on each check waits for an absolute line count in "actions" and
# then drops the lines already verified, so every offset below depends on
# the exact length of the preceding transcripts.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
# Tearing the interface down removes both policies.  The two "dump ;"
# requests that follow are presumably the daemon looking for SAs to delete;
# the stub answers with nothing, so no further setkey commands appear.
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
# The PSK must be gone: after trimming comments and blank lines psk.txt is
# empty, and racoon.conf has no remote section left.
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
131
###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
# Placeholder PEM files: racoon is stubbed out, so nothing parses them; only
# the paths and the handling of peer_cert are exercised.
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
# The certificate and private_key options are copied verbatim from the
# database into the certificate_type line below, so whoever can write this
# Interface row picks which key file racoon loads.  A value containing a
# double quote is not tried here; whether the daemon escapes or rejects
# such a path is not covered by this test.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Peer authentication is pinned to the exact certificate copied from
# peer_cert (peers_certfile with verify_identifier on and asn1dn identities
# on both sides).  Nothing in this output names a CA, so as far as the
# generated config shows, trust is per-peer pinning rather than CA
# validation.  The proposal again uses sha1 and dh_group 2.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
# The peer_cert value is written out unchanged as the per-peer pinned file.
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])
195
###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
# Deleting the interface must also remove the pinned peer certificate;
# otherwise the copied file would linger on disk until the ovs-*.pem cleanup
# at the next startup.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
224
###
### Add an SSL certificate interface.
###
# With use_ssl_cert=true the daemon takes the certificate and key from the
# SSL table (set-ssl) rather than from per-interface options.
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
              -- add-port br0 gre2 \
              -- set Interface gre2 type=ipsec_gre \
                 options:remote_ip=3.4.5.6 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# The SSL table's certificate and key paths end up on the certificate_type
# line.  Note that the CA certificate passed to set-ssl does not appear
# anywhere in the generated racoon.conf: as far as this output shows, peer
# validation still relies only on the pinned peers_certfile.
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])
284
###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
# Same teardown expectations as for the per-interface certificate: both
# policies removed, no remote section left, pinned certificate file gone.
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

OVSDB_SERVER_SHUTDOWN

AT_CLEANUP