p.scapy_tun_sa = SecurityAssociation(
encryption_type,
- spi=p.vpp_tun_spi,
+ spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
)
p.vpp_tun_sa = SecurityAssociation(
encryption_type,
- spi=p.scapy_tun_spi,
+ spi=p.vpp_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
p.scapy_tun_sa = SecurityAssociation(
encryption_type,
- spi=p.vpp_tun_spi,
+ spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
)
p.vpp_tun_sa = SecurityAssociation(
encryption_type,
- spi=p.scapy_tun_spi,
+ spi=p.vpp_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
# which strips them
self.assertTrue(rx.haslayer(UDP))
self.assert_equal(rx[UDP].sport, p.nat_header.sport)
- self.assert_equal(rx[UDP].dport, 4500)
+ self.assert_equal(rx[UDP].dport, p.nat_header.dport)
pkt = sa.decrypt(rx[IP])
if not pkt.haslayer(IP):
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.crypt_key,
self.vpp_esp_protocol,
- flags=p.flags,
+ flags=p.flags
+ | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
udp_src=p.nat_header.sport,
udp_dst=p.nat_header.dport,
)
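Review bot: The inbound marking is OR-ed into `flags` by hand at this `tun_sa_in` call site, and again in the later hunks that touch `flags=p.flags`, but the other `tun_sa_in` hunks in this change end before their `flags` argument. It is therefore not visible whether every inbound SA is created with `IPSEC_API_SAD_FLAG_IS_INBOUND`. An SA intended as inbound but created without the flag would test a different configuration than the one the test describes, so this is worth checking across the file. A comment above the constructor would record the convention the change settles on, for example `# tun_sa_in carries the scapy_tun_* id/SPI and is flagged inbound; tun_sa_out carries vpp_tun_*`, if that is the intended reading. The enclosing setup method starts outside the hunk.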
p.salt = 0
+class TestIpsec4TunIfEspUdpUpdate(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
+ """Ipsec ESP UDP update tests"""
+
+ tun4_input_node = "ipsec4-tun-input"
+
+ def setUp(self):
+ super(TestIpsec4TunIfEspUdpUpdate, self).setUp()
+ p = self.ipv4_params
+ p.nat_header = UDP(sport=6565, dport=7676)
+ config_tun_params(p, self.encryption_type, p.tun_if)
+ p.tun_sa_in.update_vpp_config(
+ udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport
+ )
+ p.tun_sa_out.update_vpp_config(
+ udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport
+ )
+
+
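Review bot: In `setUp` of the new `TestIpsec4TunIfEspUdpUpdate`, the inbound SA is updated with `udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport`, the reverse of the outbound SA, and nothing says the swap is deliberate. A comment such as `# inbound SA matches the peer's view of the flow, so src/dst are swapped relative to nat_header` (assuming that is the intent) would stop a later reader from "fixing" it. The docstring `"""Ipsec ESP UDP update tests"""` could also name what is updated, for example `"""Ipsec ESP UDP tests with SA UDP ports changed via update_vpp_config"""`. The ports 6565 and 7676 appear to be arbitrary non-4500 values; saying so in a short comment would tie this class to the `dport` assertion that no longer hard-codes 4500.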
class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
"""Ipsec ESP - TCP tests"""
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
# which strips them
self.assertTrue(rx.haslayer(UDP))
self.assert_equal(rx[UDP].sport, p.nat_header.sport)
- self.assert_equal(rx[UDP].dport, 4500)
+ self.assert_equal(rx[UDP].dport, p.nat_header.dport)
pkt = sa.decrypt(rx[IP])
if not pkt.haslayer(IP):
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.crypt_key,
self.vpp_esp_protocol,
- flags=p.flags,
+ flags=p.flags
+ | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
udp_src=p.nat_header.sport,
udp_dst=p.nat_header.dport,
)
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
)
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
self.send_and_assert_no_replies(self.tun_if, tx)
node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
self.assertEqual(1, self.statistics.get_err_counter(node_name))
+ err = p.tun_sa_in.get_err("unsup_payload")
+ self.assertEqual(err, 1)
class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests):
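Review bot: The two added lines assert with the arguments in the opposite order to the existing check directly above: `self.assertEqual(1, self.statistics.get_err_counter(node_name))` versus `self.assertEqual(err, 1)`. Keeping one order makes a failure message read the same way for both counters, and the temporary is not needed: `self.assertEqual(1, p.tun_sa_in.get_err("unsup_payload"))`. A short comment that the first check is the node-wide counter and the second is the per-SA counter would explain why both are kept. The enclosing test method starts outside the hunk.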
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.vpp_tra_spi = p.vpp_tra_spi + ii
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.vpp_tra_spi = p.vpp_tra_spi + ii
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
self.vpp_esp_protocol,
dst,
src,
- flags=p.flags,
+ flags=p.flags
+ | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
)
p.tun_sa_in.add_vpp_config()
self.tun4_encrypt_node_name = "esp4-encrypt-tun"
+ # update the SA tunnel
+ config_tun_params(
+ p, self.encryption_type, None, self.pg2.local_ip4, self.pg2.remote_ip4
+ )
+ p.tun_sa_in.update_vpp_config(
+ is_tun=True, tun_src=self.pg2.remote_ip4, tun_dst=self.pg2.local_ip4
+ )
+ p.tun_sa_out.update_vpp_config(
+ is_tun=True, tun_src=self.pg2.local_ip4, tun_dst=self.pg2.remote_ip4
+ )
+ self.verify_tun_44(p, count=n_pkts)
+ self.assertEqual(p.tun_if.get_rx_stats(), 5 * n_pkts)
+ self.assertEqual(p.tun_if.get_tx_stats(), 4 * n_pkts)
+
self.vapi.cli("clear interfaces")
# rekey - create new SAs and update the tunnel protection
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
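Review bot: In the added "update the SA tunnel" step, the expected totals `5 * n_pkts` and `4 * n_pkts` are cumulative interface counters whose values depend on traffic sent earlier in the test, outside this hunk. Neither the multipliers nor the rx/tx asymmetry can be checked from the lines shown. A comment stating the breakdown would help, in the form `# rx: <k> earlier runs + this one; tx: <m> earlier runs + this one`, with the real counts filled in. Alternatively, `self.vapi.cli("clear interfaces")` could move ahead of this step so that it asserts only its own traffic. The bare `None` passed to `config_tun_params` would also read better with a short comment saying which parameter is being left unset. The enclosing test method starts outside the hunk.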
p.hop_limit = ii + 10
p.tun_sa_out = VppIpsecSA(
self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
p.tun_sa_in = VppIpsecSA(
self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,