CSIT-385 CSIT-386 IPv4/IPv6 IPsec tests

  - encryption/integrity key update tests

Change-Id: Iddbe35e2f421b5048e60663bff2b0bf1968a9782
Signed-off-by: Patrik Hrnciar <phrnciar@cisco.com>
Signed-off-by: Matej Klotton <mklotton@cisco.com>

diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py
index e033e04..70d44e0 100644 (file)
--- a/resources/libraries/python/IPsecUtil.py
+++ b/resources/libraries/python/IPsecUtil.py
@@ -240,6 +240,30 @@ class IPsecUtil(object):
             out[0],
             err_msg='Add SAD entry failed on {0}'.format(node['host']))
 
             out[0],
             err_msg='Add SAD entry failed on {0}'.format(node['host']))
 

+    @staticmethod
+    def vpp_ipsec_sa_set_key(node, sa_id, crypto_key, integ_key):
+        """Update Security Association (SA) keys.
+
+        :param node: VPP node to update SA keys.
+        :param sa_id: SAD entry ID.
+        :param crypto_key: The encryption key string.
+        :param integ_key: The integrity key string.
+        :type node: dict
+        :type sa_id: int
+        :type crypto_key: str
+        :type integ_key: str
+        """
+        ckey = crypto_key.encode('hex')
+        ikey = integ_key.encode('hex')
+
+        out = VatExecutor.cmd_from_template(node,
+                                            "ipsec/ipsec_sa_set_key.vat",
+                                            sa_id=sa_id,
+                                            ckey=ckey, ikey=ikey)
+        VatJsonUtil.verify_vat_retval(
+            out[0],
+            err_msg='Update SA key failed on {0}'.format(node['host']))
+

     @staticmethod
     def vpp_ipsec_add_spd(node, spd_id):
         """Create Security Policy Database on the VPP node.
     @staticmethod
     def vpp_ipsec_add_spd(node, spd_id):
         """Create Security Policy Database on the VPP node.

diff --git a/resources/libraries/robot/ipsec.robot b/resources/libraries/robot/ipsec.robot
index d4a2e44..92b292e 100644 (file)
--- a/resources/libraries/robot/ipsec.robot
+++ b/resources/libraries/robot/ipsec.robot
@@ -146,6 +146,10 @@
 | | ... | - l_tunnel - Local tunnel IP address (optional). Type: string
 | | ... | - r_tunnel - Remote tunnel IP address (optional). Type: string
 | | ...
 | | ... | - l_tunnel - Local tunnel IP address (optional). Type: string
 | | ... | - r_tunnel - Remote tunnel IP address (optional). Type: string
 | | ...

+| | ... | _NOTE:_ This KW sets following test case variables:
+| | ... | - l_sa_id
+| | ... | - r_sa_id
+| | ...

 | | ... | *Example:*
 | | ... | \| ${encr_alg}= \| Crypto Alg AES CBC 128 \|
 | | ... | \| ${auth_alg}= \| Integ Alg SHA1 96 \|
 | | ... | *Example:*
 | | ... | \| ${encr_alg}= \| Crypto Alg AES CBC 128 \|
 | | ... | \| ${auth_alg}= \| Integ Alg SHA1 96 \|


@@ -156,8 +160,8 @@
 | | [Arguments] | ${node} | ${interface} | ${crypto_alg} | ${crypto_key}
 | | ...         | ${integ_alg} | ${integ_key} | ${l_spi} | ${r_spi} | ${l_ip}
 | | ...         | ${r_ip} | ${l_tunnel}=${None} | ${r_tunnel}=${None}
 | | [Arguments] | ${node} | ${interface} | ${crypto_alg} | ${crypto_key}
 | | ...         | ${integ_alg} | ${integ_key} | ${l_spi} | ${r_spi} | ${l_ip}
 | | ...         | ${r_ip} | ${l_tunnel}=${None} | ${r_tunnel}=${None}

-| | ${l_sa_id}= | Set Variable | ${10}
-| | ${r_sa_id}= | Set Variable | ${20}
+| | Set Test Variable | ${l_sa_id} | ${10}
+| | Set Test Variable | ${r_sa_id} | ${20}

 | | ${spd_id}= | Set Variable | ${1}
 | | ${p_hi}= | Set Variable | ${100}
 | | ${p_lo}= | Set Variable | ${10}
 | | ${spd_id}= | Set Variable | ${1}
 | | ${p_hi}= | Set Variable | ${100}
 | | ${p_lo}= | Set Variable | ${10}


@@ -182,6 +186,26 @@
 | | ...                     | sa_id=${l_sa_id} | laddr_range=${l_ip}
 | | ...                     | raddr_range=${r_ip} | inbound=${FALSE}
 
 | | ...                     | sa_id=${l_sa_id} | laddr_range=${l_ip}
 | | ...                     | raddr_range=${r_ip} | inbound=${FALSE}
 

+| VPP Update IPsec SA Keys
+| | [Documentation] | Update IPsec SA keys on VPP node.
+| | ...
+| | ... | *Arguments:*
+| | ... | - node - VPP node to update SA keys. Type: dictionary
+| | ... | - l_sa_id - Local SA ID. Type: string
+| | ... | - r_sa_id - Remote SA ID. Type: string
+| | ... | - crypto_key - Encryption key. Type: string
+| | ... | - integ_key - Integrity key. Type: string
+| | ...
+| | ... | *Example:*
+| | ... | \| VPP Update IPsec SA Keys \| ${nodes['DUT1']} \
+| | ... | \| 10 \| 20 \| sixteenbytes_key \| twentybytessecretkey \|
+| | [Arguments] | ${node} | ${l_sa_id} | ${r_sa_id} | ${crypto_key}
+| | ...         | ${integ_key}
+| | VPP IPsec SA Set Key | ${dut_node} | ${l_sa_id} | ${crypto_key}
+| | ...                  | ${integ_key}
+| | VPP IPsec SA Set Key | ${dut_node} | ${r_sa_id} | ${crypto_key}
+| | ...                  | ${integ_key}
+

 | Send and Receive IPsec Packet
 | | [Documentation] | Send IPsec packet from TG to DUT. Receive IPsec packet\
 | | ...             | from DUT on TG and verify ESP encapsulation.
 | Send and Receive IPsec Packet
 | | [Documentation] | Send IPsec packet from TG to DUT. Receive IPsec packet\
 | | ...             | from DUT on TG and verify ESP encapsulation.

diff --git a/resources/templates/vat/ipsec/ipsec_sa_set_key.vat b/resources/templates/vat/ipsec/ipsec_sa_set_key.vat
new file mode 100644 (file)
index 0000000..96d570e
--- /dev/null
+++ b/resources/templates/vat/ipsec/ipsec_sa_set_key.vat
@@ -0,0 +1 @@
+ipsec_sa_set_key sa_id {sa_id} crypto_key {ckey} integ_key {ikey}
\ No newline at end of file

diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot
index 7fce8d5..14ea198 100644 (file)
--- a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot
+++ b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot
@@ -338,10 +338,130 @@
 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
 
 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
 

+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+

 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}

+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ...                       | '${req_type}' == 'Integ' | ${auth_key}

 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}
 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}

-| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}

diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv6.robot b/tests/func/ipsec/ipsec_transport_mode_ipv6.robot
index 2e6b5dd..1128e4e 100644 (file)
--- a/tests/func/ipsec/ipsec_transport_mode_ipv6.robot
+++ b/tests/func/ipsec/ipsec_transport_mode_ipv6.robot
@@ -338,10 +338,130 @@
 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
 
 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
 

+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+

 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}

+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ...                       | '${req_type}' == 'Integ' | ${auth_key}

 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}
 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}

-| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}

diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot
index 2261ae6..d59aae6 100644 (file)
--- a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot
+++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot
@@ -361,10 +361,142 @@
 | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
 | | ... | ${dut_tun_ip}
 
 | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
 | | ... | ${dut_tun_ip}
 

+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+

 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}

+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ...                       | '${req_type}' == 'Integ' | ${auth_key}

 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}
 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}

-| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}

diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot
index 48e3783..c1c2791 100644 (file)
--- a/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot
+++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot
@@ -110,7 +110,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -131,7 +131,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 192
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 192


@@ -151,7 +151,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -172,7 +172,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -193,7 +193,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -214,7 +214,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 256
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 256


@@ -234,7 +234,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -255,7 +255,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | [Tags] | SKIP_PATCH


@@ -276,7 +276,7 @@
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
 | | ... | [Top] TG-DUT1.
 | | ... | [Ref] RFC4303.
 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\

-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\

 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 256
 | | ... | mode.
 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
 | | ${encr_alg}= | Crypto Alg AES CBC 256


@@ -362,10 +362,142 @@
 | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
 | | ... | ${dut_tun_ip}
 
 | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
 | | ... | ${dut_tun_ip}
 

+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg}
+| | When VPP Setup IPsec Manual Keyed Connection
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+

 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
 *** Keywords ***
 | Get Second Random String
 | | [Arguments] | ${req_alg} | ${req_type}
 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}

+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ...                       | '${req_type}' == 'Integ' | ${auth_key}

 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}
 | | :FOR | ${index} | IN RANGE | 100
 | | | ${req_key}= | Generate Random String | ${req_key_len}

-| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}