import unittest
import socket
import copy
-import struct
from scapy.layers.ipsec import ESP
from scapy.layers.l2 import Ether, Raw, GRE
p.tun_if.config_ip4()
p.tun_if.config_ip6()
- VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)]).add_vpp_config()
- VppIpRoute(self, p.remote_tun_if_host6, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)],
- is_ip6=1).add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host, 32,
+ [VppRoutePath(p.tun_if.remote_ip4,
+ 0xffffffff)])
+ r.add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host6, 128,
+ [VppRoutePath(p.tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ r.add_vpp_config()
def tearDown(self):
if not self.vpp_dead:
class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
""" Ipsec ESP - TUN tests """
- tun4_encrypt_node_name = "esp4-encrypt"
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt"
def test_tun_basic64(self):
""" ipsec 6o4 tunnel basic test """
+ self.tun4_encrypt_node_name = "esp6-encrypt-tun"
+
self.verify_tun_64(self.params[socket.AF_INET], count=1)
def test_tun_burst64(self):
""" ipsec 6o4 tunnel basic test """
+ self.tun4_encrypt_node_name = "esp6-encrypt-tun"
+
self.verify_tun_64(self.params[socket.AF_INET], count=257)
def test_tun_basic_frag44(self):
""" ipsec 4o4 tunnel frag basic test """
+ self.tun4_encrypt_node_name = "esp4-encrypt-tun"
+
p = self.ipv4_params
self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
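Review bot: The assignment `self.tun4_encrypt_node_name = "esp4-encrypt-tun"` added to `test_tun_basic_frag44` repeats the value the class attribute was just given and can be dropped. In `test_tun_basic64` and `test_tun_burst64` the same attribute is pointed at `esp6-encrypt-tun`, so a name that says tun4 now holds an IPv6 node. A one-line comment such as `# 6o4: inner packet is IPv6, so the esp6 encrypt node handles it` would explain the override; this assumes the node is selected by the inner protocol, which should be confirmed. The 4o6 tests further down (`test_tun_basic46`, `test_tun_burst46`) carry the mirror-image override and need the same comment. The body of `test_tun_basic_frag44` continues outside the visible lines.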
tun_if.config_ip6()
tun_if.config_ip4()
- VppIpRoute(self, p.remote_tun_if_host, 128,
- [VppRoutePath(tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)],
- is_ip6=1).add_vpp_config()
- VppIpRoute(self, p.remote_tun_if_host4, 32,
- [VppRoutePath(tun_if.remote_ip4,
- 0xffffffff)]).add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host, 128,
+ [VppRoutePath(tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ r.add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host4, 32,
+ [VppRoutePath(tun_if.remote_ip4,
+ 0xffffffff)])
+ r.add_vpp_config()
def tearDown(self):
if not self.vpp_dead:
class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
""" Ipsec ESP - TUN tests """
- tun6_encrypt_node_name = "esp6-encrypt"
+ tun6_encrypt_node_name = "esp6-encrypt-tun"
tun6_decrypt_node_name = "esp6-decrypt"
def test_tun_basic46(self):
""" ipsec 4o6 tunnel basic test """
+ self.tun6_encrypt_node_name = "esp4-encrypt-tun"
self.verify_tun_46(self.params[socket.AF_INET6], count=1)
def test_tun_burst46(self):
""" ipsec 4o6 tunnel burst test """
+ self.tun6_encrypt_node_name = "esp4-encrypt-tun"
self.verify_tun_46(self.params[socket.AF_INET6], count=257)
""" IPsec IPv4 Multi Tunnel interface """
encryption_type = ESP
- tun4_encrypt_node_name = "esp4-encrypt"
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt"
def setUp(self):
""" IPsec IPv4 Tunnel interface all Algos """
encryption_type = ESP
- tun4_encrypt_node_name = "esp4-encrypt"
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt"
def config_network(self, p):
p.crypt_algo_vpp_id,
p.crypt_key, p.crypt_key,
p.auth_algo_vpp_id, p.auth_key,
- p.auth_key)
+ p.auth_key,
+ salt=p.salt)
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
p.tun_if.config_ip4()
def tearDown(self):
super(TestIpsec4TunIfEspAll, self).tearDown()
+ def rekey(self, p):
+ #
+ # change the key and the SPI
+ #
+ p.crypt_key = 'X' + p.crypt_key[1:]
+ p.scapy_tun_spi += 1
+ p.scapy_tun_sa_id += 1
+ p.vpp_tun_spi += 1
+ p.vpp_tun_sa_id += 1
+ p.tun_if.local_spi = p.vpp_tun_spi
+ p.tun_if.remote_spi = p.scapy_tun_spi
+
+ config_tun_params(p, self.encryption_type, self.tun_if)
+
+ p.tun_sa_in = VppIpsecSA(self,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
+ p.auth_algo_vpp_id,
+ p.auth_key,
+ p.crypt_algo_vpp_id,
+ p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.local_addr[p.addr_type],
+ self.tun_if.remote_addr[p.addr_type],
+ flags=p.flags,
+ salt=p.salt)
+ p.tun_sa_out = VppIpsecSA(self,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
+ p.auth_algo_vpp_id,
+ p.auth_key,
+ p.crypt_algo_vpp_id,
+ p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.remote_addr[p.addr_type],
+ self.tun_if.local_addr[p.addr_type],
+ flags=p.flags,
+ salt=p.salt)
+ p.tun_sa_in.add_vpp_config()
+ p.tun_sa_out.add_vpp_config()
+
+ self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
+ sa_id=p.tun_sa_in.id,
+ is_outbound=1)
+ self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
+ sa_id=p.tun_sa_out.id,
+ is_outbound=0)
+ self.logger.info(self.vapi.cli("sh ipsec sa"))
+
def test_tun_44(self):
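Review bot: In `rekey`, `p.tun_sa_in` is attached with `is_outbound=1` and `p.tun_sa_out` with `is_outbound=0`, which reads as swapped. The SA named `tun_sa_in` carries `p.scapy_tun_spi`, which the same method assigns to `p.tun_if.remote_spi`, so the binding may be right and only the names misleading. A comment like `# tun_sa_in carries the remote SPI, i.e. the SA VPP transmits on` would settle it once confirmed. The method also has no docstring; one line saying that it replaces both SAs on the tunnel with a changed key and incremented SPIs and SA ids would help. Separately, `'X' + p.crypt_key[1:]` leaves the key unchanged if it already starts with `X`, which none of the keys visible in this diff do.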
"""IPSEC tunnel all algos """
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 3333},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_192),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7hJPjyOWBe",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 0},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
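Review bot: The AES-GCM-192 entry keeps `'salt': 0` while the 128- and 256-bit entries move to `3333` and `9999`, so the 192-bit case cannot tell a correctly plumbed salt from one that is dropped or zeroed on the way to the SA. A non-zero value there, for example `'salt': 6666` (constructed value), would cover all three key sizes. The salt also changes type from `struct.pack("!L", 0)` bytes to a plain int, so whatever feeds the scapy side has to turn it back into four bytes in network order. That conversion is not visible in this diff and should be checked.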
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 9999},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7h"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_192),
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_256),
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
for engine in engines:
p.crypt_algo = algo['scapy-crypto']
p.auth_algo = algo['scapy-integ']
p.crypt_key = algo['key']
- p.crypt_salt = algo['salt']
+ p.salt = algo['salt']
self.config_network(p)
c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 127)
+ #
+ # rekey the tunnel
+ #
+ self.rekey(p)
+ self.verify_tun_44(p, count=127)
+
self.unconfig_network(p)
+ p.tun_sa_out.remove_vpp_config()
+ p.tun_sa_in.remove_vpp_config()
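Review bot: After `self.rekey(p)` the test only checks that traffic passes on the new SAs; nothing checks that a packet protected with the previous SPI and key is now dropped. For a rekey test that negative case is the security-relevant one, because a tunnel that keeps accepting the old SA after `ipsec_tunnel_if_set_sa` would still pass here. Consider keeping a copy of the pre-rekey parameters and asserting that a packet built from them produces no decrypted output (what `verify_tun_44` asserts is not visible in this hunk). The new `remove_vpp_config()` calls are also skipped when an assertion fails earlier in the loop body, so registering them through `self.addCleanup` or a `try`/`finally` would avoid leaving SAs behind.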
class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
""" IPsec IPv6 Multi Tunnel interface """
encryption_type = ESP
- tun6_encrypt_node_name = "esp6-encrypt"
+ tun6_encrypt_node_name = "esp6-encrypt-tun"
tun6_decrypt_node_name = "esp6-decrypt"
def setUp(self):
p.tun_if.admin_up()
p.tun_if.config_ip6()
- VppIpRoute(self, p.remote_tun_if_host, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)],
- is_ip6=1).add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host, 128,
+ [VppRoutePath(p.tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ r.add_vpp_config()
def tearDown(self):
if not self.vpp_dead: