CSIT-859: KW to add crypto SW device to startup.conf 62/9462/22
authorJan Gelety <jgelety@cisco.com>
Thu, 16 Nov 2017 17:47:05 +0000 (18:47 +0100)
committerTibor Frank <tifrank@cisco.com>
Wed, 29 Nov 2017 17:24:19 +0000 (17:24 +0000)
Change-Id: I8441d58a2d7f604b64fff358a3cef8d72289dcdc
Signed-off-by: Jan Gelety <jgelety@cisco.com>
15 files changed:
bootstrap.sh
resources/libraries/python/VppConfigGenerator.py
resources/libraries/robot/crypto/ipsec.robot
resources/libraries/robot/shared/default.robot
tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot with 100% similarity]
tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot [moved from tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot with 100% similarity]
tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot [new file with mode: 0644]
tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot [new file with mode: 0644]

index ebbe752..9c8c071 100755 (executable)
@@ -92,7 +92,7 @@ VIRL_SERVER_EXPECTED_STATUS="PRODUCTION"
 
 SSH_OPTIONS="-i ${VIRL_PKEY} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes -o LogLevel=error"
 
-TEST_GROUPS=("crypto,ip4_tunnels.softwire,ip4_tunnels.vxlan,telemetry" "ip4,ip4_tunnels.gre,ip4_tunnels.lisp,ip6_tunnels.vxlan,vm_vhost.ip4,vm_vhost.ip6" "interfaces,ip6,ip6_tunnels.lisp,l2bd,l2xc,vm_vhost.l2bd,vm_vhost.l2xc")
+TEST_GROUPS=("crypto,ip4_tunnels.softwire,ip4_tunnels.vxlan" "ip4,ip4_tunnels.gre,ip4_tunnels.lisp,ip6_tunnels.vxlan,ip6_tunnels.lisp,vm_vhost.ip4,vm_vhost.ip6" "interfaces,ip6,l2bd,l2xc,vm_vhost.l2bd,vm_vhost.l2xc,telemetry")
 SUITE_PATH="tests.vpp.func"
 SKIP_PATCH="SKIP_PATCH"
 
index 2586202..eccada9 100644 (file)
@@ -38,6 +38,12 @@ class VppConfigGenerator(object):
         self._vpp_config = ''
         # VPP Service name
         self._vpp_service_name = 'vpp'
+        # VPP Logfile location
+        self._vpp_logfile = '/tmp/vpe.log'
+        # VPP Startup config location
+        self._vpp_startup_conf = '/etc/vpp/startup.conf'
+        # VPP Startup config backup location
+        self._vpp_startup_conf_backup = None
 
     def set_node(self, node):
         """Set DUT node.
@@ -52,6 +58,22 @@ class VppConfigGenerator(object):
         self._node = node
         self._hostname = Topology.get_node_hostname(node)
 
+    def set_vpp_logfile(self, logfile):
+        """Set VPP logfile location.
+
+        :param logfile: VPP logfile location.
+        :type logfile: str
+        """
+        self._vpp_logfile = logfile
+
+    def set_vpp_startup_conf_backup(self, backup='/etc/vpp/startup.backup'):
+        """Set VPP startup configuration backup.
+
+        :param backup: VPP logfile location.
+        :type backup: str
+        """
+        self._vpp_startup_conf_backup = backup
+
     def get_config_str(self):
         """Get dumped startup configuration in VPP config format.
 
@@ -105,24 +127,35 @@ class VppConfigGenerator(object):
         if level >= 0:
             self._vpp_config += '{}}}\n'.format(level * indent)
 
-    def add_unix_log(self, value='/tmp/vpe.log'):
+    def add_unix_log(self, value=None):
         """Add UNIX log configuration.
 
         :param value: Log file.
         :type value: str
         """
         path = ['unix', 'log']
+        if value is None:
+            value = self._vpp_logfile
         self.add_config_item(self._nodeconfig, value, path)
 
     def add_unix_cli_listen(self, value='localhost:5002'):
         """Add UNIX cli-listen configuration.
 
-        :param value: CLI listen address and port.
+        :param value: CLI listen address and port or path to CLI socket.
         :type value: str
         """
         path = ['unix', 'cli-listen']
         self.add_config_item(self._nodeconfig, value, path)
 
+    def add_unix_gid(self, value='vpp'):
+        """Add UNIX gid configuration.
+
+        :param value: Gid.
+        :type value: str
+        """
+        path = ['unix', 'gid']
+        self.add_config_item(self._nodeconfig, value, path)
+
     def add_unix_nodaemon(self):
         """Add UNIX nodaemon configuration."""
         path = ['unix', 'nodaemon']
@@ -138,6 +171,15 @@ class VppConfigGenerator(object):
         path = ['unix', 'exec']
         self.add_config_item(self._nodeconfig, value, path)
 
+    def add_api_segment_gid(self, value='vpp'):
+        """Add API-SEGMENT gid configuration.
+
+        :param value: Gid.
+        :type value: str
+        """
+        path = ['api-segment', 'gid']
+        self.add_config_item(self._nodeconfig, value, path)
+
     def add_dpdk_dev(self, *devices):
         """Add DPDK PCI device configuration.
 
@@ -158,7 +200,7 @@ class VppConfigGenerator(object):
     def add_dpdk_cryptodev(self, count):
         """Add DPDK Crypto PCI device configuration.
 
-        :param count: Number of crypto devices to add.
+        :param count: Number of HW crypto devices to add.
         :type count: int
         """
         cryptodev = Topology.get_cryptodev(self._node)
@@ -169,6 +211,18 @@ class VppConfigGenerator(object):
             self.add_config_item(self._nodeconfig, '', path)
         self.add_dpdk_uio_driver('igb_uio')
 
+    def add_dpdk_sw_cryptodev(self, count):
+        """Add DPDK Crypto SW device configuration.
+
+        :param count: Number of crypto SW devices to add.
+        :type count: int
+        """
+        for i in range(count):
+            cryptodev_config = 'vdev cryptodev_aesni_mb_pmd,socket_id={0}'.\
+                format(str(i))
+            path = ['dpdk', cryptodev_config]
+            self.add_config_item(self._nodeconfig, '', path)
+
     def add_dpdk_dev_default_rxq(self, value):
         """Add DPDK dev default rxq configuration.
 
@@ -297,7 +351,7 @@ class VppConfigGenerator(object):
         path = ['nat']
         self.add_config_item(self._nodeconfig, value, path)
 
-    def apply_config(self, filename='/etc/vpp/startup.conf', waittime=5,
+    def apply_config(self, filename=None, waittime=5,
                      retries=12, restart_vpp=True):
         """Generate and apply VPP configuration for node.
 
@@ -312,14 +366,26 @@ class VppConfigGenerator(object):
         :type waittime: int
         :type retries: int
         :type restart_vpp: bool.
-        :raises RuntimeError: If writing config file failed, or restarting of
-        VPP failed.
+        :raises RuntimeError: If writing config file failed or restart of VPP
+            failed or backup of VPP startup.conf failed.
         """
         self.dump_config(self._nodeconfig)
 
         ssh = SSH()
         ssh.connect(self._node)
 
+        if filename is None:
+            filename = self._vpp_startup_conf
+
+        if self._vpp_startup_conf_backup is not None:
+            (ret, _, _) = \
+                ssh.exec_command('sudo cp {0} {1}'.
+                                 format(self._vpp_startup_conf,
+                                        self._vpp_startup_conf_backup))
+            if ret != 0:
+                raise RuntimeError('Backup of config file failed on node {}'.
+                                   format(self._hostname))
+
         (ret, _, _) = \
             ssh.exec_command('echo "{config}" | sudo tee {filename}'.
                              format(config=self._vpp_config,
@@ -346,11 +412,27 @@ class VppConfigGenerator(object):
             # and verify if VPP is running.
             for _ in range(retries):
                 time.sleep(waittime)
-                (ret, _, _) = \
+                (ret, stdout, _) = \
                     ssh.exec_command('echo show hardware-interfaces | '
                                      'nc 0 5002 || echo "VPP not yet running"')
-                if ret == 0:
+                if ret == 0 and stdout != 'VPP not yet running':
                     break
             else:
                 raise RuntimeError('VPP failed to restart on node {}'.
                                    format(self._hostname))
+
+    def restore_config(self):
+        """Restore VPP startup.conf from backup.
+
+        :raises RuntimeError: When restoration of startup.conf file failed.
+        """
+
+        ssh = SSH()
+        ssh.connect(self._node)
+
+        (ret, _, _) = ssh.exec_command('sudo cp {0} {1}'.
+                                       format(self._vpp_startup_conf_backup,
+                                              self._vpp_startup_conf))
+        if ret != 0:
+            raise RuntimeError('Restoration of config file failed on node {}'.
+                               format(self._hostname))
index 74a1a53..80d2937 100644 (file)
 
 | Set up IPv4 IPSec functional test
 | | [Documentation]
-| | ... | Set up IPv4 IPSec functional test
+| | ... | Set up IPv4 IPSec functional test.
 | | ...
 | | Set up functional test
 | | Configure topology for IPv4 IPsec testing
 
 | Set up IPv6 IPSec functional test
 | | [Documentation]
-| | ... | Set up IPv6 IPSec functional test
+| | ... | Set up IPv6 IPSec functional test.
 | | ...
 | | Set up functional test
 | | Configure topology for IPv6 IPsec testing
 
 | Tear down IPSec functional test
 | | [Documentation]
-| | ... | Tear down IPSec functional test
+| | ... | Tear down IPSec functional test.
 | | ...
 | | ... | *Example:*
 | | ...
 | | ...
 | | VPP IPsec Show | ${dut_node}
 | | Tear down functional test
+
+| Set up IPSec SW device functional test
+| | [Documentation]
+| | ... | Set up IPSec SW device functional test for required IP version.
+| | ...
+| | ... | *Arguments:*
+| | ... | - ${ip_version} - IP version: IPv4 or IPv6. Type: string
+| | ...
+| | ... | *Example:*
+| | ...
+| | ... | \| Set up IPSec SW device functional test \| IPv4 \|
+| | ...
+| | [Arguments] | ${ip_version}
+| | ...
+| | ${duts}= | Get Matches | ${nodes} | DUT*
+| | :FOR | ${dut} | IN | @{duts}
+| | | Import Library | resources.libraries.python.VppConfigGenerator
+| | | ... | WITH NAME | ${dut}
+| | | Run keyword | ${dut}.Set Node | ${nodes['${dut}']}
+| | | Run keyword | ${dut}.Set Vpp Startup Conf Backup
+| | | Run keyword | ${dut}.Set Vpp Logfile | /tmp/vpp.log
+| | | Run keyword | ${dut}.Add Unix Nodaemon
+| | | Run keyword | ${dut}.Add Unix Log
+| | | Run keyword | ${dut}.Add Unix Coredump
+| | | Run keyword | ${dut}.Add Unix CLI Listen | /run/vpp/cli.sock
+| | | Run keyword | ${dut}.Add Unix Gid
+| | | Run keyword | ${dut}.Add Api Segment Gid
+| | | Run keyword | ${dut}.Add DPDK SW Cryptodev | ${1}
+| | Apply startup configuration on all VPP DUTs | restart_vpp=${FALSE}
+| | Set up functional test
+| | Run Keyword | Configure topology for ${ip_version} IPsec testing
+
+| Tear down IPSec SW device functional test
+| | [Documentation]
+| | ... | Tear down IPSec SW device functional test.
+| | ...
+| | ${duts}= | Get Matches | ${nodes} | DUT*
+| | :FOR | ${dut} | IN | @{duts}
+| | | VPP IPsec Show | ${nodes['${dut}']}
+| | | Run keyword | ${dut}.Restore Config
+| | Tear down functional test
index 6c80f98..74ad8d3 100644 (file)
@@ -24,7 +24,6 @@
 | Library | resources.libraries.python.TGSetup
 | Library | resources.libraries.python.L2Util
 | Library | resources.libraries.python.Tap
-| Library | resources.libraries.python.VppConfigGenerator
 | Library | resources.libraries.python.VppCounters
 | Library | resources.libraries.python.VPPUtil
 | Library | resources.libraries.python.Trace
 | | :FOR | ${dut} | IN | @{duts}
 | | | Run keyword | ${dut}.Add DPDK Cryptodev | ${count}
 
+| Add crypto SW device on all DUTs
+| | [Documentation] | Add required number of crypto SW devices to VPP startup
+| | ... | configuration on all DUTs.
+| | ...
+| | ... | *Arguments:*
+| | ... | - ${count} - Number of SW crypto devices. Type: integer
+| | ...
+| | ... | *Example:*
+| | ...
+| | ... | \| Add SW cryptodev on all DUTs \| ${4} \|
+| | ...
+| | [Arguments] | ${count}
+| | ${duts}= | Get Matches | ${nodes} | DUT*
+| | :FOR | ${dut} | IN | @{duts}
+| | | Run keyword | ${dut}.Add DPDK SW Cryptodev | ${count}
+
 | Apply startup configuration on all VPP DUTs
 | | [Documentation] | Write startup configuration and restart VPP on all DUTs.
 | | ...
+| | ... | *Arguments:*
+| | ... | - ${restart_vpp} - Whether to restart VPP (Optional). Type: boolean
+| | ...
+| | ... | *Example:*
+| | ...
+| | ... | \| Apply startup configuration on all VPP DUTs \| ${False} \|
+| | ...
+| | [Arguments] | ${restart_vpp}=${True}
+| | ...
 | | ${duts}= | Get Matches | ${nodes} | DUT*
 | | :FOR | ${dut} | IN | @{duts}
-| | | Run keyword | ${dut}.Apply Config
-| | Update All Interface Data On All Nodes | ${nodes} | skip_tg=${TRUE}
+| | | Run keyword | ${dut}.Apply Config | restart_vpp=${restart_vpp}
+| | Update All Interface Data On All Nodes | ${nodes} | skip_tg=${True}
 
 | Save VPP PIDs
 | | [Documentation] | Get PIDs of VPP processes from all DUTs in topology and\
diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot
new file mode 100644 (file)
index 0000000..7f6207e
--- /dev/null
@@ -0,0 +1,560 @@
+# Copyright (c) 2017 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | IPSEC | IPSEC_SW
+| ...
+| Test Setup | Set up IPSec SW device functional test | IPv4
+| ...
+| Test Teardown | Tear down IPSec SW device functional test
+| ...
+| Documentation | *IPv4 SW cryptodev IPsec tunnel mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\
+| ... | loopback interface, configure loopback and physical interface IPv4\
+| ... | addresses, static ARP record, route and IPsec manual keyed connection\
+| ... | in tunnel mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ...
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot
new file mode 100644 (file)
index 0000000..85d77be
--- /dev/null
@@ -0,0 +1,535 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | IPSEC | IPSEC_SW
+| ...
+| Test Setup | Set up IPSec SW device functional test | IPv4
+| ...
+| Test Teardown | Tear down IPSec SW device functional test
+| ...
+| Documentation | *IPv4 IPsec transport mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\
+| ... | loopback interface, configure loopback and physical interface IPv4\
+| ... | addresses, static ARP record, route and IPsec manual keyed connection\
+| ... | in transport mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+
+| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ...
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}

©2016 FD.io a Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation. Linux is a registered trademark of Linus Torvalds.
Please see our privacy policy and terms of use.