X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=test%2Ftest_ipsec_tun_if_esp.py;h=5131fbefe7de2634f65aa77a23fac05b52efac29;hb=cb3372ddc87ef35a74da4dabc2046f760e386b05;hp=5aa304dcdc000da5a2b31f2a512ff7854127b6d6;hpb=e95b246c7b87bf2a1d51d2061c72a9824a6ff047;p=vpp.git diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 5aa304dcdc0..5131fbefe7d 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -5,11 +5,10 @@ import copy from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether, GRE, Dot1Q from scapy.packet import Raw, bind_layers -from scapy.layers.inet import IP, UDP -from scapy.layers.inet6 import IPv6 +from scapy.layers.inet import IP, UDP, ICMP +from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest from scapy.contrib.mpls import MPLS -from framework import tag_fixme_vpp_workers, tag_fixme_ubuntu2204 -from framework import VppTestRunner +from asfframework import VppTestRunner, tag_fixme_vpp_workers from template_ipsec import ( TemplateIpsec, IpsecTun4Tests, @@ -70,7 +69,7 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): p.scapy_tun_sa = SecurityAssociation( encryption_type, - spi=p.vpp_tun_spi, + spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, @@ -81,7 +80,7 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): ) p.vpp_tun_sa = SecurityAssociation( encryption_type, - spi=p.scapy_tun_spi, + spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, @@ -114,7 +113,7 @@ def config_tra_params(p, encryption_type, tun_if): p.scapy_tun_sa = SecurityAssociation( encryption_type, - spi=p.vpp_tun_spi, + spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, @@ -124,7 +123,7 @@ def config_tra_params(p, encryption_type, tun_if): ) p.vpp_tun_sa = SecurityAssociation( encryption_type, - spi=p.scapy_tun_spi, + spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, @@ -147,8 +146,8 @@ class TemplateIpsec4TunProtect(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -160,8 +159,8 @@ class TemplateIpsec4TunProtect(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -176,8 +175,8 @@ class TemplateIpsec4TunProtect(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -191,8 +190,8 @@ class TemplateIpsec4TunProtect(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -300,7 +299,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): # which strips them self.assertTrue(rx.haslayer(UDP)) self.assert_equal(rx[UDP].sport, p.nat_header.sport) - self.assert_equal(rx[UDP].dport, 4500) + self.assert_equal(rx[UDP].dport, p.nat_header.dport) pkt = sa.decrypt(rx[IP]) if not pkt.haslayer(IP): @@ -322,8 +321,8 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -337,14 +336,15 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, p.crypt_key, self.vpp_esp_protocol, - flags=p.flags, + flags=p.flags + | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport, ) @@ -367,6 +367,29 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): super(TemplateIpsec4TunIfEspUdp, self).tearDown() +class TemplateIpsec4TunTfc: + """IPsec IPv4 tunnel with TFC""" + + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): + pkt = ( + IP(src=src, dst=dst, len=28 + payload_size) + / ICMP() + / Raw(b"X" * payload_size) + / Padding(b"Y" * 100) + ) + return [ + Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(pkt) + for i in range(count) + ] + + def verify_decrypted(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[IP].src, p.remote_tun_if_host) + self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) + self.assert_equal(rx[IP].len, len(rx[IP])) + self.assert_packet_checksums_valid(rx) + + class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests): """Ipsec ESP - TUN tests""" @@ -429,6 +452,24 @@ class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests): p.salt = 0 +class TestIpsec4TunIfEspUdpUpdate(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests): + """Ipsec ESP UDP update tests""" + + tun4_input_node = "ipsec4-tun-input" + + def setUp(self): + super(TestIpsec4TunIfEspUdpUpdate, self).setUp() + p = self.ipv4_params + p.nat_header = UDP(sport=6565, dport=7676) + config_tun_params(p, self.encryption_type, p.tun_if) + p.tun_sa_in.update_vpp_config( + udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport + ) + p.tun_sa_out.update_vpp_config( + udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport + ) + + class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests): """Ipsec ESP - TCP tests""" @@ -443,8 +484,8 @@ class TemplateIpsec6TunProtect(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -455,8 +496,8 @@ class TemplateIpsec6TunProtect(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -470,8 +511,8 @@ class TemplateIpsec6TunProtect(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -484,8 +525,8 @@ class TemplateIpsec6TunProtect(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -583,7 +624,7 @@ class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): # which strips them self.assertTrue(rx.haslayer(UDP)) self.assert_equal(rx[UDP].sport, p.nat_header.sport) - self.assert_equal(rx[UDP].dport, 4500) + self.assert_equal(rx[UDP].dport, p.nat_header.dport) pkt = sa.decrypt(rx[IP]) if not pkt.haslayer(IP): @@ -607,8 +648,8 @@ class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -622,14 +663,15 @@ class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, p.crypt_key, self.vpp_esp_protocol, - flags=p.flags, + flags=p.flags + | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport, ) @@ -652,6 +694,28 @@ class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): super(TemplateIpsec6TunIfEspUdp, self).tearDown() +class TemplateIpsec6TunTfc: + """IPsec IPv6 tunnel with TFC""" + + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): + return [ + Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) + / sa.encrypt( + IPv6(src=src, dst=dst, hlim=p.inner_hop_limit, fl=p.inner_flow_label) + / ICMPv6EchoRequest(id=0, seq=1, data="X" * payload_size) + / Padding(b"Y" * 100) + ) + for i in range(count) + ] + + def verify_decrypted6(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[IPv6].src, p.remote_tun_if_host) + self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) + self.assert_equal(rx[IPv6].plen, len(rx[IPv6].payload)) + self.assert_packet_checksums_valid(rx) + + class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests): """Ipsec ESP 6 UDP tests""" @@ -944,7 +1008,6 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4 self.verify_encrypted(p, p.vpp_tun_sa, [rx]) -@tag_fixme_ubuntu2204 class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): """IPsec IPv4 Tunnel interface all Algos""" @@ -987,8 +1050,8 @@ class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -999,8 +1062,8 @@ class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): ) p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1293,8 +1356,8 @@ class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1307,8 +1370,8 @@ class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1428,8 +1491,8 @@ class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1442,8 +1505,8 @@ class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1552,8 +1615,8 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1564,8 +1627,8 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1676,8 +1739,8 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1691,8 +1754,8 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1800,8 +1863,8 @@ class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1814,8 +1877,8 @@ class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1919,8 +1982,8 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1931,8 +1994,8 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -1971,6 +2034,8 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): self.send_and_assert_no_replies(self.tun_if, tx) node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0] self.assertEqual(1, self.statistics.get_err_counter(node_name)) + err = p.tun_sa_in.get_err("unsup_payload") + self.assertEqual(err, 1) class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests): @@ -2037,8 +2102,8 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2049,8 +2114,8 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2176,8 +2241,8 @@ class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): p.vpp_tra_spi = p.vpp_tra_spi + ii p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2188,8 +2253,8 @@ class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2333,8 +2398,8 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6): p.vpp_tra_spi = p.vpp_tra_spi + ii p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2345,8 +2410,8 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2449,9 +2514,14 @@ class TestIpsec4TunProtect(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsec4TunProtectTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtect): + """IPsec IPv4 Tunnel protect with TFC - transport mode""" + + @tag_fixme_vpp_workers class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): - """IPsec IPv4 Tunnel protect - transport mode""" + """IPsec IPv4 UDP Tunnel protect - transport mode""" def setUp(self): super(TestIpsec4TunProtectUdp, self).setUp() @@ -2493,6 +2563,11 @@ class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4 self.verify_keepalive(self.ipv4_params) +@tag_fixme_vpp_workers +class TestIpsec4TunProtectUdpTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtectUdp): + """IPsec IPv4 UDP Tunnel protect with TFC - transport mode""" + + @tag_fixme_vpp_workers class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): """IPsec IPv4 Tunnel protect - tunnel mode""" @@ -2767,6 +2842,11 @@ class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsec6TunProtectTfc(TemplateIpsec6TunTfc, TestIpsec6TunProtect): + """IPsec IPv6 Tunnel protect with TFC - transport mode""" + + @tag_fixme_vpp_workers class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): """IPsec IPv6 Tunnel protect - tunnel mode""" @@ -2934,8 +3014,8 @@ class TemplateIpsecItf4(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2949,8 +3029,8 @@ class TemplateIpsecItf4(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -2958,7 +3038,8 @@ class TemplateIpsecItf4(object): self.vpp_esp_protocol, dst, src, - flags=p.flags, + flags=p.flags + | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, ) p.tun_sa_in.add_vpp_config() @@ -3064,6 +3145,20 @@ class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): self.tun4_encrypt_node_name = "esp4-encrypt-tun" + # update the SA tunnel + config_tun_params( + p, self.encryption_type, None, self.pg2.local_ip4, self.pg2.remote_ip4 + ) + p.tun_sa_in.update_vpp_config( + is_tun=True, tun_src=self.pg2.remote_ip4, tun_dst=self.pg2.local_ip4 + ) + p.tun_sa_out.update_vpp_config( + is_tun=True, tun_src=self.pg2.local_ip4, tun_dst=self.pg2.remote_ip4 + ) + self.verify_tun_44(p, count=n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), 5 * n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), 4 * n_pkts) + self.vapi.cli("clear interfaces") # rekey - create new SAs and update the tunnel protection @@ -3168,6 +3263,11 @@ class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsecItf4Tfc(TemplateIpsec4TunTfc, TestIpsecItf4): + """IPsec Interface IPv4 with TFC""" + + class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): """IPsec Interface MPLSoIPv4""" @@ -3264,8 +3364,8 @@ class TemplateIpsecItf6(object): p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -3281,8 +3381,8 @@ class TemplateIpsecItf6(object): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -3480,6 +3580,11 @@ class TestIpsecItf6(TemplateIpsec, TemplateIpsecItf6, IpsecTun6): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsecItf6Tfc(TemplateIpsec6TunTfc, TestIpsecItf6): + """IPsec Interface IPv6 with TFC""" + + class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): """Ipsec P2MP ESP v4 tests""" @@ -3576,8 +3681,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): p.hop_limit = ii + 10 p.tun_sa_out = VppIpsecSA( self, - p.scapy_tun_sa_id, - p.scapy_tun_spi, + p.vpp_tun_sa_id, + p.vpp_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, @@ -3592,8 +3697,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): p.tun_sa_in = VppIpsecSA( self, - p.vpp_tun_sa_id, - p.vpp_tun_spi, + p.scapy_tun_sa_id, + p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id,