From: Jan Gelety Date: Mon, 29 Aug 2016 09:02:37 +0000 (+0200) Subject: CSIT-383: IPSEC IPv4 negative test cases X-Git-Url: https://gerrit.fd.io/r/gitweb?p=csit.git;a=commitdiff_plain;h=cdfe60613521e492157153bbe097fdc05193a593;hp=2494b7752574e4de0ffcba4ba113dada5b3b2d36 CSIT-383: IPSEC IPv4 negative test cases - use integrity and/or encryption key(s) different from integrity and encryption keys stored on VPP node to create tx packet on TG Change-Id: I38bf7e1dd6f488e605bad991c7a7f4d1ff226e8c Signed-off-by: Jan Gelety --- diff --git a/bootstrap.sh b/bootstrap.sh index 96efa31361..f822badde5 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -203,7 +203,7 @@ if [ "$?" -ne "0" ]; then echo "However, the tests will start." fi -PYTHONPATH=`pwd` pybot -L TRACE -W 145\ +PYTHONPATH=`pwd` pybot -L TRACE -W 136\ -v TOPOLOGY_PATH:${SCRIPT_DIR}/topologies/enabled/topology.yaml \ --suite "tests.func" \ --include vm_envAND3_node_single_link_topo \ diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py index 6cbd48fba3..e033e04b48 100644 --- a/resources/libraries/python/IPsecUtil.py +++ b/resources/libraries/python/IPsecUtil.py @@ -227,10 +227,9 @@ class IPsecUtil(object): """ ckey = crypto_key.encode('hex') ikey = integ_key.encode('hex') - tunnel = '' - if tunnel_src is not None and tunnel_dst is not None: - tunnel = 'tunnel_src {0} tunnel_dst {1}'.format(tunnel_src, - tunnel_dst) + tunnel = 'tunnel_src {0} tunnel_dst {1}'.format(tunnel_src, tunnel_dst)\ + if tunnel_src is not None and tunnel_dst is not None else '' + out = VatExecutor.cmd_from_template(node, "ipsec/ipsec_sad_add_entry.vat", sad_id=sad_id, spi=spi, 
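Review bot: In the IPsecUtil.py hunk at -227,10, the rewritten `tunnel = ... if tunnel_src is not None and tunnel_dst is not None else ''` still yields an empty string when only one of the two endpoints is supplied. The SAD entry is then presumably added without tunnel endpoints and without any error, which would hide a setup mistake in an IPsec test. A guard before the assignment would make it visible: `if (tunnel_src is None) != (tunnel_dst is None): raise ValueError('tunnel_src and tunnel_dst must be given together')`. The backslash continuation would also read better as a parenthesised conditional expression. The enclosing method starts before the hunk and continues after it.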
@@ -267,10 +266,9 @@ class IPsecUtil(object): :type spd_id: int :type interface: str or int """ - if isinstance(interface, basestring): - sw_if_index = Topology.get_interface_sw_index(node, interface) - else: - sw_if_index = interface + sw_if_index = Topology.get_interface_sw_index(node, interface)\ + if isinstance(interface, basestring) else interface + out = VatExecutor.cmd_from_template(node, "ipsec/ipsec_interface_add_spd.vat", spd_id=spd_id, sw_if_id=sw_if_index) diff --git a/resources/libraries/python/TrafficScriptExecutor.py b/resources/libraries/python/TrafficScriptExecutor.py index a362f45066..33b3d6d520 100644 --- a/resources/libraries/python/TrafficScriptExecutor.py +++ b/resources/libraries/python/TrafficScriptExecutor.py @@ -81,6 +81,8 @@ class TrafficScriptExecutor(object): raise RuntimeError("TCP/UDP Rx timeout") elif "Error occurred: ARP reply timeout" in stdout: raise RuntimeError("ARP reply timeout") + elif "RuntimeError: ESP packet Rx timeout" in stderr: + raise RuntimeError("ESP packet Rx timeout") else: raise RuntimeError("Traffic script execution failed") diff --git a/resources/libraries/robot/default.robot b/resources/libraries/robot/default.robot index 742906e94a..714bf3a251 100644 --- a/resources/libraries/robot/default.robot +++ b/resources/libraries/robot/default.robot @@ -18,6 +18,7 @@ | Library | resources.libraries.python.DUTSetup | Library | resources.libraries.python.TGSetup | Library | resources/libraries/python/VppConfigGenerator.py +| Library | resources/libraries/python/VppCounters.py | Library | Collections *** Keywords *** 
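Review bot: The new branch `elif "RuntimeError: ESP packet Rx timeout" in stderr:` in the TrafficScriptExecutor.py hunk matches on the traceback text of the traffic script, while the neighbouring ARP branch visible in the hunk looks for an `Error occurred:` line in stdout. The new branch therefore depends on the exact message raised in resources/traffic_scripts/ipsec.py, and the negative test cases added in this commit expect that same string. A wording change in ipsec.py would fall through to the generic `Traffic script execution failed` and fail those tests for an unrelated reason. I would add a comment above the branch, `# Message must match the RuntimeError raised in resources/traffic_scripts/ipsec.py`, or share the string through one constant. The if/elif chain starts outside the hunk.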
@@ -35,6 +36,12 @@ | | :FOR | ${dut} | IN | @{duts} | | | Vpp show version verbose | ${nodes['${dut}']} +| Show Vpp Errors on All DUTs +| | [Documentation] | Show VPP errors verbose on all DUTs +| | ${duts}= | Get Matches | ${nodes} | DUT* +| | :FOR | ${dut} | IN | @{duts} +| | | Vpp Show Errors | ${nodes['${dut}']} + | Show vpp trace dump on all DUTs | | [Documentation] | Save API trace and dump output on all DUTs | | ${duts}= | Get Matches | ${nodes} | DUT* diff --git a/resources/traffic_scripts/ipsec.py b/resources/traffic_scripts/ipsec.py index ff869ed2a0..13d44b8a51 100755 --- a/resources/traffic_scripts/ipsec.py +++ b/resources/traffic_scripts/ipsec.py @@ -174,8 +174,6 @@ def main(): sent_packets = [] - ip_pkt = None - if is_ipv4: ip_pkt = IP(src=src_ip, dst=dst_ip) / \ ICMP() @@ -195,7 +193,7 @@ def main(): pkt_recv = rxq.recv(2, sent_packets) if pkt_recv is None: - raise RuntimeError('Rx timeout') + raise RuntimeError('ESP packet Rx timeout') if is_ipv4: check_ipv4(pkt_recv, src_tun, dst_ip, src_ip, sa_in) diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot index 018447fe2d..7fce8d5390 100644 --- a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot +++ b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot @@ -21,6 +21,7 @@ | ... | AND | Setup Topology for IPv4 IPsec testing | Test Teardown | Run Keywords | VPP IPsec Show | ${dut_node} | ... | AND | Show Packet Trace on All DUTs | ${nodes} +| ... | AND | Show Vpp Errors on All DUTs | ... | AND | Show vpp trace dump on all DUTs | Documentation | *IPv4 IPsec transport mode test suite.* | ... 
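Review bot: In the second ipsec.py hunk, `if pkt_recv is None: raise RuntimeError('ESP packet Rx timeout')` is the only signal the new negative test cases rely on, and a timeout does not show why no reply arrived. Any failure that loses the packet (a link or ARP problem, a wrong SPI, a setup error on the DUT) produces the same message, so TC13–TC15 can pass without the DUT having rejected the packet because of the key mismatch. The teardown only displays the VPP errors; the negative cases would be stronger if they also asserted that the DUT's IPsec error counters increased, though whether the library offers such a check is not visible here. A comment at the raise, `# No ESP reply within the recv timeout; the cause is not known at this point`, would document the limitation. main() starts and ends outside the hunk.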
@@ -58,7 +59,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -77,7 +78,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -96,7 +97,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} 
@@ -115,7 +116,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -133,7 +134,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -152,7 +153,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} 
@@ -171,7 +172,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -190,7 +191,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -208,7 +209,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} 
@@ -227,7 +228,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} @@ -246,7 +247,7 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} 
@@ -264,6 +265,83 @@ | | When VPP Setup IPsec Manual Keyed Connection | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + + +| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... 
| [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. 
+| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key} diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot index 3491b85ce5..2261ae638a 100644 --- a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot +++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot @@ -21,7 +21,8 @@ | ... | AND | Setup Topology for IPv4 IPsec testing | Test Teardown | Run Keywords | VPP IPsec Show | ${dut_node} | ... | AND | Show Packet Trace on All DUTs | ${nodes} -| ... | AND | Show vpp trace dump on all DUTs +| ... | AND | Show Vpp Errors on All DUTs +| ... | AND | Show Vpp Trace Dump on All DUTs | Documentation | *IPv4 IPsec tunnel mode test suite.* | ... | ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ 
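Review bot: `Get Second Random String`, at the end of the last ipsec_transport_mode_ipv4.robot hunk, always compares the generated key with `${encr_key}`, also when `${req_type}` is `Integ`, so in TC14 and TC15 the replacement integrity key is never checked against `${auth_key}`. Passing the key to differ from as an argument fixes that: `| | [Arguments] | ${req_alg} | ${req_type} | ${orig_key}` with `| | | Return From Keyword If | '${req_key}' != '${orig_key}' | ${req_key}`, and the callers passing `${encr_key}` or `${auth_key}`. If all 100 iterations produce an equal key the keyword leaves the loop and returns nothing, so a `| | Fail | Could not generate a different key` after the loop would be safer. The identical keyword added at the end of ipsec_tunnel_mode_ipv4.robot has the same defect.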
@@ -58,7 +59,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -78,7 +79,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -98,7 +99,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} 
@@ -108,7 +109,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -119,7 +120,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -129,7 +130,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 192 @@ -139,7 +140,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} 
@@ -149,7 +150,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -160,7 +161,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -170,7 +171,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -181,7 +182,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} 
@@ -191,7 +192,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -202,7 +203,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -212,7 +213,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 256 @@ -222,7 +223,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} 
@@ -232,7 +233,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -243,7 +244,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} @@ -253,7 +254,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -264,7 +265,7 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} 
@@ -274,7 +275,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 256 
@@ -284,7 +285,86 @@ | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} | | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} + +| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... 
| ${dut_tun_ip} + +| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. 
+| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key}
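Review bot: The names of the added TC13–TC15 in ipsec_tunnel_mode_ipv4.robot end in "different encryption alogrithms used" (and the integrity variants), but the cases leave `${encr_alg}` and `${auth_alg}` unchanged and only swap in `${encr_key2}` / `${auth_key2}`. A report reader would take these as algorithm-mismatch coverage, which the suite does not provide. The names should refer to keys, for example `- different encryption key used`, which also removes the "alogrithms" typo. The same names are used for TC13–TC15 in ipsec_transport_mode_ipv4.robot.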