diff options
author | Jan Gelety <jgelety@cisco.com> | 2016-08-22 17:21:46 +0200 |
---|---|---|
committer | Miroslav Miklus <mmiklus@cisco.com> | 2016-08-25 13:37:59 +0000 |
commit | 679e08c0be3165b2cde48ba1efd8313c66a6bd0c (patch) | |
tree | 0ce14384167603b3a38463952ca0e37e19aa71bd | |
parent | 25ca352e3837ea00c895891f343898b76996c432 (diff) |
CSIT-28: IPSEC basic conectivity test - IPv4
- use all supported encryption and integrity algorithms in tunnel mode
and in transport mode
Change-Id: I2ae395d88d514b2ca3f62ab9aecbb27d8fb827b0
Signed-off-by: Jan Gelety <jgelety@cisco.com>
-rwxr-xr-x | bootstrap.sh | 2 | ||||
-rw-r--r-- | resources/libraries/python/IPsecUtil.py | 2 | ||||
-rw-r--r-- | tests/func/ipsec/ipsec_ipv4.robot | 81 | ||||
-rw-r--r-- | tests/func/ipsec/ipsec_transport_mode_ipv4.robot | 269 | ||||
-rw-r--r-- | tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot | 290 |
5 files changed, 561 insertions, 83 deletions
diff --git a/bootstrap.sh b/bootstrap.sh index ea0b8efd83..84bebb1761 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -202,7 +202,7 @@ if [ "$?" -ne "0" ]; then echo "However, the tests will start." fi -PYTHONPATH=`pwd` pybot -L TRACE -W 150 \ +PYTHONPATH=`pwd` pybot -L TRACE -W 145\ -v TOPOLOGY_PATH:${SCRIPT_DIR}/topologies/enabled/topology.yaml \ --suite "tests.func" \ --include vm_envAND3_node_single_link_topo \ diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py index 2cb8e2646b..6cbd48fba3 100644 --- a/resources/libraries/python/IPsecUtil.py +++ b/resources/libraries/python/IPsecUtil.py @@ -311,7 +311,7 @@ class IPsecUtil(object): :type sa_id: int :type laddr_range: string :type raddr_range: string - :type proto: intPolicyAction + :type proto: int :type lport_range: string :type rport_range: string """ diff --git a/tests/func/ipsec/ipsec_ipv4.robot b/tests/func/ipsec/ipsec_ipv4.robot deleted file mode 100644 index c1f5fd754f..0000000000 --- a/tests/func/ipsec/ipsec_ipv4.robot +++ /dev/null @@ -1,81 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Resource | resources/libraries/robot/ipsec.robot -| Library | resources.libraries.python.Trace -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO -| ... | VM_ENV | HW_ENV -| Test Setup | Run Keywords | Setup all DUTs before test -| ... | AND | Setup all TGs before traffic script -| ... | AND | Setup Topology for IPv4 IPsec testing -| Test Teardown | Run Keywords | VPP IPsec Show | ${dut_node} -| ... | AND | Show Packet Trace on All DUTs | ${nodes} -| ... | AND | Show vpp trace dump on all DUTs -| Documentation | *IPv4 IPsec test suite.* -| ... -| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ -| ... | between nodes. -| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ -| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ -| ... | and IPsec manual keyed connection. -| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ -| ... | is received on TG from DUT1. -| ... | *[Ref] Applicable standard specifications:* RFC4303. - -*** Variables *** -| ${tg_spi}= | ${1000} -| ${dut_spi}= | ${1001} -| ${ESP_PROTO}= | ${50} -| ${tg_if_ip4}= | 192.168.100.2 -| ${dut_if_ip4}= | 192.168.100.3 -| ${tg_lo_ip4}= | 192.168.3.3 -| ${dut_lo_ip4}= | 192.168.4.4 -| ${ip4_plen}= | ${24} - -*** Test Cases *** -| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC encrytion and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with AES-CBC\ -| | ... | encrytion and SHA1-96 integrity in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} -| | When VPP Setup IPsec Manual Keyed Connection -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC02: VPP process ESP packet in Transport Mode with AES-CBC encrytion and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with AES-CBC\ -| | ... | encrytion and SHA1-96 integrity in transport mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} -| | When VPP Setup IPsec Manual Keyed Connection -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot new file mode 100644 index 0000000000..018447fe2d --- /dev/null +++ b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot @@ -0,0 +1,269 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV +| Test Setup | Run Keywords | Setup all DUTs before test +| ... | AND | Setup all TGs before traffic script +| ... | AND | Setup Topology for IPv4 IPsec testing +| Test Teardown | Run Keywords | VPP IPsec Show | ${dut_node} +| ... | AND | Show Packet Trace on All DUTs | ${nodes} +| ... | AND | Show vpp trace dump on all DUTs +| Documentation | *IPv4 IPsec transport mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ +| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ +| ... | and IPsec manual keyed connection in transport mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot new file mode 100644 index 0000000000..3491b85ce5 --- /dev/null +++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot @@ -0,0 +1,290 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV +| Test Setup | Run Keywords | Setup all DUTs before test +| ... | AND | Setup all TGs before traffic script +| ... | AND | Setup Topology for IPv4 IPsec testing +| Test Teardown | Run Keywords | VPP IPsec Show | ${dut_node} +| ... | AND | Show Packet Trace on All DUTs | ${nodes} +| ... | AND | Show vpp trace dump on all DUTs +| Documentation | *IPv4 IPsec tunnel mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ +| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ +| ... | and IPsec manual keyed connection in tunnel mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send and Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} |