4 from scapy.layers.inet import IP, ICMP, TCP, UDP
5 from scapy.layers.ipsec import SecurityAssociation
6 from scapy.layers.l2 import Ether, Raw
7 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
9 from framework import VppTestCase, VppTestRunner
10 from util import ppp, reassemble4
11 from vpp_papi import VppEnum
14 class IPsecIPv4Params(object):
16 addr_type = socket.AF_INET
18 addr_bcast = "255.255.255.255"
23 self.remote_tun_if_host = '1.1.1.1'
24 self.remote_tun_if_host6 = '1111::1'
26 self.scapy_tun_sa_id = 10
27 self.scapy_tun_spi = 1001
28 self.vpp_tun_sa_id = 20
29 self.vpp_tun_spi = 1000
31 self.scapy_tra_sa_id = 30
32 self.scapy_tra_spi = 2001
33 self.vpp_tra_sa_id = 40
34 self.vpp_tra_spi = 2000
36 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
37 IPSEC_API_INTEG_ALG_SHA1_96)
38 self.auth_algo = 'HMAC-SHA1-96' # scapy name
39 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
41 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
42 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
43 self.crypt_algo = 'AES-CBC' # scapy name
44 self.crypt_key = 'JPjyOWBeVEQiMe7h'
47 self.nat_header = None
50 class IPsecIPv6Params(object):
52 addr_type = socket.AF_INET6
54 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
59 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
60 self.remote_tun_if_host4 = '1.1.1.1'
62 self.scapy_tun_sa_id = 50
63 self.scapy_tun_spi = 3001
64 self.vpp_tun_sa_id = 60
65 self.vpp_tun_spi = 3000
67 self.scapy_tra_sa_id = 70
68 self.scapy_tra_spi = 4001
69 self.vpp_tra_sa_id = 80
70 self.vpp_tra_spi = 4000
72 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
73 IPSEC_API_INTEG_ALG_SHA1_96)
74 self.auth_algo = 'HMAC-SHA1-96' # scapy name
75 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
77 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
78 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
79 self.crypt_algo = 'AES-CBC' # scapy name
80 self.crypt_key = 'JPjyOWBeVEQiMe7h'
83 self.nat_header = None
86 def config_tun_params(p, encryption_type, tun_if):
87 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
88 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
89 IPSEC_API_SAD_FLAG_USE_ESN))
90 p.scapy_tun_sa = SecurityAssociation(
91 encryption_type, spi=p.vpp_tun_spi,
92 crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
93 auth_algo=p.auth_algo, auth_key=p.auth_key,
94 tunnel_header=ip_class_by_addr_type[p.addr_type](
95 src=tun_if.remote_addr[p.addr_type],
96 dst=tun_if.local_addr[p.addr_type]),
97 nat_t_header=p.nat_header,
99 p.vpp_tun_sa = SecurityAssociation(
100 encryption_type, spi=p.scapy_tun_spi,
101 crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
102 auth_algo=p.auth_algo, auth_key=p.auth_key,
103 tunnel_header=ip_class_by_addr_type[p.addr_type](
104 dst=tun_if.remote_addr[p.addr_type],
105 src=tun_if.local_addr[p.addr_type]),
106 nat_t_header=p.nat_header,
110 def config_tra_params(p, encryption_type):
111 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
112 IPSEC_API_SAD_FLAG_USE_ESN))
113 p.scapy_tra_sa = SecurityAssociation(
116 crypt_algo=p.crypt_algo,
117 crypt_key=p.crypt_key + p.crypt_salt,
118 auth_algo=p.auth_algo,
120 nat_t_header=p.nat_header,
122 p.vpp_tra_sa = SecurityAssociation(
125 crypt_algo=p.crypt_algo,
126 crypt_key=p.crypt_key + p.crypt_salt,
127 auth_algo=p.auth_algo,
129 nat_t_header=p.nat_header,
133 class TemplateIpsec(VppTestCase):
138 |tra_if| <-------> |VPP|
143 ------ encrypt --- plain ---
144 |tun_if| <------- |VPP| <------ |pg1|
147 ------ decrypt --- plain ---
148 |tun_if| -------> |VPP| ------> |pg1|
154 def ipsec_select_backend(self):
155 """ empty method to be overloaded when necessary """
160 super(TemplateIpsec, cls).setUpClass()
163 def tearDownClass(cls):
164 super(TemplateIpsec, cls).tearDownClass()
166 def setup_params(self):
167 self.ipv4_params = IPsecIPv4Params()
168 self.ipv6_params = IPsecIPv6Params()
169 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
170 self.ipv6_params.addr_type: self.ipv6_params}
172 def config_interfaces(self):
173 self.create_pg_interfaces(range(3))
174 self.interfaces = list(self.pg_interfaces)
175 for i in self.interfaces:
183 super(TemplateIpsec, self).setUp()
187 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
189 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
192 self.config_interfaces()
194 self.ipsec_select_backend()
196 def unconfig_interfaces(self):
197 for i in self.interfaces:
203 super(TemplateIpsec, self).tearDown()
205 self.unconfig_interfaces()
207 def show_commands_at_teardown(self):
208 self.logger.info(self.vapi.cli("show hardware"))
210 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
212 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
213 sa.encrypt(IP(src=src, dst=dst) /
214 ICMP() / Raw('X' * payload_size))
215 for i in range(count)]
217 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
219 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
220 sa.encrypt(IPv6(src=src, dst=dst) /
221 ICMPv6EchoRequest(id=0, seq=1,
222 data='X' * payload_size))
223 for i in range(count)]
225 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
226 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
227 IP(src=src, dst=dst) / ICMP() / Raw('X' * payload_size)
228 for i in range(count)]
230 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
231 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
232 IPv6(src=src, dst=dst) /
233 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
234 for i in range(count)]
237 class IpsecTcp(object):
238 def verify_tcp_checksum(self):
239 self.vapi.cli("test http server")
240 p = self.params[socket.AF_INET]
241 config_tun_params(p, self.encryption_type, self.tun_if)
242 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
243 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
244 dst=self.tun_if.local_ip4) /
245 TCP(flags='S', dport=80)))
246 self.logger.debug(ppp("Sending packet:", send))
247 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
249 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
250 self.assert_packet_checksums_valid(decrypted)
253 class IpsecTcpTests(IpsecTcp):
254 def test_tcp_checksum(self):
255 """ verify checksum correctness for vpp generated packets """
256 self.verify_tcp_checksum()
259 class IpsecTra4(object):
260 """ verify methods for Transport v4 """
261 def verify_tra_anti_replay(self, count=1):
262 p = self.params[socket.AF_INET]
263 use_esn = p.vpp_tra_sa.use_esn
265 # fire in a packet with seq number 1
266 pkt = (Ether(src=self.tra_if.remote_mac,
267 dst=self.tra_if.local_mac) /
268 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
269 dst=self.tra_if.local_ip4) /
272 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
274 # now move the window over to 235
275 pkt = (Ether(src=self.tra_if.remote_mac,
276 dst=self.tra_if.local_mac) /
277 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
278 dst=self.tra_if.local_ip4) /
281 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
283 # replayed packets are dropped
284 self.send_and_assert_no_replies(self.tra_if, pkt * 3)
285 self.assert_packet_counter_equal(
286 '/err/%s/SA replayed packet' % self.tra4_decrypt_node_name, 3)
288 # the window size is 64 packets
289 # in window are still accepted
290 pkt = (Ether(src=self.tra_if.remote_mac,
291 dst=self.tra_if.local_mac) /
292 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
293 dst=self.tra_if.local_ip4) /
296 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
298 # a packet that does not decrypt does not move the window forward
299 bogus_sa = SecurityAssociation(self.encryption_type,
301 pkt = (Ether(src=self.tra_if.remote_mac,
302 dst=self.tra_if.local_mac) /
303 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
304 dst=self.tra_if.local_ip4) /
307 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
309 self.assert_packet_counter_equal(
310 '/err/%s/Integrity check failed' % self.tra4_decrypt_node_name, 17)
312 # which we can determine since this packet is still in the window
313 pkt = (Ether(src=self.tra_if.remote_mac,
314 dst=self.tra_if.local_mac) /
315 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
316 dst=self.tra_if.local_ip4) /
319 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
321 # out of window are dropped
322 pkt = (Ether(src=self.tra_if.remote_mac,
323 dst=self.tra_if.local_mac) /
324 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
325 dst=self.tra_if.local_ip4) /
328 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
331 # an out of window error with ESN looks like a high sequence
332 # wrap. but since it isn't then the verify will fail.
333 self.assert_packet_counter_equal(
334 '/err/%s/Integrity check failed' %
335 self.tra4_decrypt_node_name, 34)
338 self.assert_packet_counter_equal(
339 '/err/%s/SA replayed packet' %
340 self.tra4_decrypt_node_name, 20)
342 # valid packet moves the window over to 236
343 pkt = (Ether(src=self.tra_if.remote_mac,
344 dst=self.tra_if.local_mac) /
345 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
346 dst=self.tra_if.local_ip4) /
349 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
350 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
352 # move VPP's SA to just before the seq-number wrap
353 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
355 # then fire in a packet that VPP should drop because it causes the
356 # seq number to wrap unless we're using extended.
357 pkt = (Ether(src=self.tra_if.remote_mac,
358 dst=self.tra_if.local_mac) /
359 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
360 dst=self.tra_if.local_ip4) /
365 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
366 # in order to decrpyt the high order number needs to wrap
367 p.vpp_tra_sa.seq_num = 0x100000000
368 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
370 # send packets with high bits set
371 p.scapy_tra_sa.seq_num = 0x100000005
372 pkt = (Ether(src=self.tra_if.remote_mac,
373 dst=self.tra_if.local_mac) /
374 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
375 dst=self.tra_if.local_ip4) /
377 seq_num=0x100000005))
378 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
379 # in order to decrpyt the high order number needs to wrap
380 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
382 self.send_and_assert_no_replies(self.tra_if, [pkt])
383 self.assert_packet_counter_equal(
384 '/err/%s/sequence number cycled' %
385 self.tra4_encrypt_node_name, 1)
387 # move the security-associations seq number on to the last we used
388 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
389 p.scapy_tra_sa.seq_num = 351
390 p.vpp_tra_sa.seq_num = 351
392 def verify_tra_basic4(self, count=1):
393 """ ipsec v4 transport basic test """
394 self.vapi.cli("clear errors")
396 p = self.params[socket.AF_INET]
397 send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
398 src=self.tra_if.remote_ip4,
399 dst=self.tra_if.local_ip4,
401 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
405 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
406 self.assert_packet_checksums_valid(decrypted)
408 self.logger.debug(ppp("Unexpected packet:", rx))
411 self.logger.info(self.vapi.ppcli("show error"))
412 self.logger.info(self.vapi.ppcli("show ipsec"))
414 pkts = p.tra_sa_in.get_stats()['packets']
415 self.assertEqual(pkts, count,
416 "incorrect SA in counts: expected %d != %d" %
418 pkts = p.tra_sa_out.get_stats()['packets']
419 self.assertEqual(pkts, count,
420 "incorrect SA out counts: expected %d != %d" %
423 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
424 self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
427 class IpsecTra4Tests(IpsecTra4):
428 """ UT test methods for Transport v4 """
429 def test_tra_anti_replay(self):
430 """ ipsec v4 transport anti-reply test """
431 self.verify_tra_anti_replay(count=1)
433 def test_tra_basic(self, count=1):
434 """ ipsec v4 transport basic test """
435 self.verify_tra_basic4(count=1)
437 def test_tra_burst(self):
438 """ ipsec v4 transport burst test """
439 self.verify_tra_basic4(count=257)
442 class IpsecTra6(object):
443 """ verify methods for Transport v6 """
444 def verify_tra_basic6(self, count=1):
445 self.vapi.cli("clear errors")
447 p = self.params[socket.AF_INET6]
448 send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
449 src=self.tra_if.remote_ip6,
450 dst=self.tra_if.local_ip6,
452 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
456 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
457 self.assert_packet_checksums_valid(decrypted)
459 self.logger.debug(ppp("Unexpected packet:", rx))
462 self.logger.info(self.vapi.ppcli("show error"))
463 self.logger.info(self.vapi.ppcli("show ipsec"))
465 pkts = p.tra_sa_in.get_stats()['packets']
466 self.assertEqual(pkts, count,
467 "incorrect SA in counts: expected %d != %d" %
469 pkts = p.tra_sa_out.get_stats()['packets']
470 self.assertEqual(pkts, count,
471 "incorrect SA out counts: expected %d != %d" %
473 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
474 self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
477 class IpsecTra6Tests(IpsecTra6):
478 """ UT test methods for Transport v6 """
479 def test_tra_basic6(self):
480 """ ipsec v6 transport basic test """
481 self.verify_tra_basic6(count=1)
483 def test_tra_burst6(self):
484 """ ipsec v6 transport burst test """
485 self.verify_tra_basic6(count=257)
488 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
489 """ UT test methods for Transport v6 and v4"""
493 class IpsecTun4(object):
494 """ verify methods for Tunnel v4 """
495 def verify_counters(self, p, count):
496 if (hasattr(p, "spd_policy_in_any")):
497 pkts = p.spd_policy_in_any.get_stats()['packets']
498 self.assertEqual(pkts, count,
499 "incorrect SPD any policy: expected %d != %d" %
502 if (hasattr(p, "tun_sa_in")):
503 pkts = p.tun_sa_in.get_stats()['packets']
504 self.assertEqual(pkts, count,
505 "incorrect SA in counts: expected %d != %d" %
507 pkts = p.tun_sa_out.get_stats()['packets']
508 self.assertEqual(pkts, count,
509 "incorrect SA out counts: expected %d != %d" %
512 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, count)
513 self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
515 def verify_decrypted(self, p, rxs):
517 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
518 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
519 self.assert_packet_checksums_valid(rx)
521 def verify_encrypted(self, p, sa, rxs):
525 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
526 if not decrypt_pkt.haslayer(IP):
527 decrypt_pkt = IP(decrypt_pkt[Raw].load)
528 decrypt_pkts.append(decrypt_pkt)
529 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
530 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
532 self.logger.debug(ppp("Unexpected packet:", rx))
534 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
538 pkts = reassemble4(decrypt_pkts)
540 self.assert_packet_checksums_valid(pkt)
542 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
543 self.vapi.cli("clear errors")
547 config_tun_params(p, self.encryption_type, self.tun_if)
548 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
549 src=p.remote_tun_if_host,
550 dst=self.pg1.remote_ip4,
552 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
553 self.verify_decrypted(p, recv_pkts)
555 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
556 dst=p.remote_tun_if_host, count=count,
557 payload_size=payload_size)
558 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
560 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
563 self.logger.info(self.vapi.ppcli("show error"))
564 self.logger.info(self.vapi.ppcli("show ipsec"))
566 self.verify_counters(p, count)
568 def verify_tun_64(self, p, count=1):
569 self.vapi.cli("clear errors")
571 config_tun_params(p, self.encryption_type, self.tun_if)
572 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
573 src=p.remote_tun_if_host6,
574 dst=self.pg1.remote_ip6,
576 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
577 for recv_pkt in recv_pkts:
578 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
579 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
580 self.assert_packet_checksums_valid(recv_pkt)
581 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
582 dst=p.remote_tun_if_host6, count=count)
583 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
584 for recv_pkt in recv_pkts:
586 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
587 if not decrypt_pkt.haslayer(IPv6):
588 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
589 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
590 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
591 self.assert_packet_checksums_valid(decrypt_pkt)
593 self.logger.error(ppp("Unexpected packet:", recv_pkt))
596 ppp("Decrypted packet:", decrypt_pkt))
601 self.logger.info(self.vapi.ppcli("show error"))
602 self.logger.info(self.vapi.ppcli("show ipsec"))
604 self.verify_counters(p, count)
607 class IpsecTun4Tests(IpsecTun4):
608 """ UT test methods for Tunnel v4 """
609 def test_tun_basic44(self):
610 """ ipsec 4o4 tunnel basic test """
611 self.verify_tun_44(self.params[socket.AF_INET], count=1)
613 def test_tun_burst44(self):
614 """ ipsec 4o4 tunnel burst test """
615 self.verify_tun_44(self.params[socket.AF_INET], count=257)
618 class IpsecTun6(object):
619 """ verify methods for Tunnel v6 """
620 def verify_counters(self, p, count):
621 if (hasattr(p, "tun_sa_in")):
622 pkts = p.tun_sa_in.get_stats()['packets']
623 self.assertEqual(pkts, count,
624 "incorrect SA in counts: expected %d != %d" %
626 pkts = p.tun_sa_out.get_stats()['packets']
627 self.assertEqual(pkts, count,
628 "incorrect SA out counts: expected %d != %d" %
630 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
631 self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
633 def verify_tun_66(self, p, count=1):
634 """ ipsec 6o6 tunnel basic test """
635 self.vapi.cli("clear errors")
637 config_tun_params(p, self.encryption_type, self.tun_if)
638 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
639 src=p.remote_tun_if_host,
640 dst=self.pg1.remote_ip6,
642 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
643 for recv_pkt in recv_pkts:
644 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host)
645 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
646 self.assert_packet_checksums_valid(recv_pkt)
647 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
648 dst=p.remote_tun_if_host,
650 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
651 for recv_pkt in recv_pkts:
653 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
654 if not decrypt_pkt.haslayer(IPv6):
655 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
656 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
657 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
658 self.assert_packet_checksums_valid(decrypt_pkt)
660 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
663 ppp("Decrypted packet:", decrypt_pkt))
668 self.logger.info(self.vapi.ppcli("show error"))
669 self.logger.info(self.vapi.ppcli("show ipsec"))
670 self.verify_counters(p, count)
672 def verify_tun_46(self, p, count=1):
673 """ ipsec 4o6 tunnel basic test """
674 self.vapi.cli("clear errors")
676 config_tun_params(p, self.encryption_type, self.tun_if)
677 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
678 src=p.remote_tun_if_host4,
679 dst=self.pg1.remote_ip4,
681 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
682 for recv_pkt in recv_pkts:
683 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
684 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
685 self.assert_packet_checksums_valid(recv_pkt)
686 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
687 dst=p.remote_tun_if_host4,
689 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
690 for recv_pkt in recv_pkts:
692 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
693 if not decrypt_pkt.haslayer(IP):
694 decrypt_pkt = IP(decrypt_pkt[Raw].load)
695 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
696 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
697 self.assert_packet_checksums_valid(decrypt_pkt)
699 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
701 self.logger.debug(ppp("Decrypted packet:",
707 self.logger.info(self.vapi.ppcli("show error"))
708 self.logger.info(self.vapi.ppcli("show ipsec"))
709 self.verify_counters(p, count)
712 class IpsecTun6Tests(IpsecTun6):
713 """ UT test methods for Tunnel v6 """
715 def test_tun_basic66(self):
716 """ ipsec 6o6 tunnel basic test """
717 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
719 def test_tun_burst66(self):
720 """ ipsec 6o6 tunnel burst test """
721 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
724 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
725 """ UT test methods for Tunnel v6 & v4 """
729 if __name__ == '__main__':
730 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob