diff options
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 7 | ||||
-rw-r--r-- | test/Makefile | 2 | ||||
-rw-r--r-- | test/test_ipsec_ah.py | 325 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 341 | ||||
-rw-r--r-- | test/vpp_papi_provider.py | 162 |
5 files changed, 829 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index e96da8168fa..5fbf86bb7e3 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -192,13 +192,6 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler sa.id = ntohl (mp->sad_id); sa.spi = ntohl (mp->spi); - /* security protocol AH unsupported */ - if (mp->protocol == IPSEC_PROTOCOL_AH) - { - clib_warning ("unsupported security protocol 'AH'"); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } sa.protocol = mp->protocol; /* check for unsupported crypto-alg */ if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 || diff --git a/test/Makefile b/test/Makefile index b429ac9e6e2..4f090a15066 100644 --- a/test/Makefile +++ b/test/Makefile @@ -47,7 +47,7 @@ UNITTEST_EXTRA_OPTS=$(UNITTEST_FAILFAST_OPTS) -d $(EXTERN_TESTS) endif PYTHON_VENV_PATH=$(VPP_PYTHON_PREFIX)/virtualenv -PYTHON_DEPENDS=faulthandler six scapy==2.3.3 pexpect subprocess32 cffi git+https://github.com/klement/py-lispnetworking@setup +PYTHON_DEPENDS=faulthandler six scapy==2.3.3 pexpect pycrypto subprocess32 cffi git+https://github.com/klement/py-lispnetworking@setup SCAPY_SOURCE=$(shell find $(PYTHON_VENV_PATH) -name site-packages) BUILD_COV_DIR=$(BR)/test-cov diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py new file mode 100644 index 00000000000..6e732418dbf --- /dev/null +++ b/test/test_ipsec_ah.py @@ -0,0 +1,325 @@ +import socket + +from scapy.layers.inet import IP, ICMP +from scapy.layers.l2 import Ether +from scapy.layers.ipsec import * + +from framework import VppTestCase +from vpp_ip_route import VppIpRoute + +from util import ppp + + +class TestIpsecAh(VppTestCase): + """ + Basic test for IPSEC using AH transport and Tunnel mode + + Below 4 cases are covered as part of this test + 1) ipsec ah v4 transport basic test - IPv4 Transport mode + scenario using HMAC-SHA1-96 intergrity algo + 2) ipsec ah v4 transport burst test + Above test for 257 pkts + 3) ipsec ah 4o4 tunnel basic test - IPv4 Tunnel mode + scenario using HMAC-SHA1-96 intergrity algo + 4) ipsec ah 4o4 tunnel burst test + Above test for 257 pkts + + TRANSPORT MODE: + + --- encrypt --- + |pg2| <-------> |VPP| + --- decrypt --- + + TUNNEL MODE: + + --- encrypt --- plain --- + |pg0| -------> |VPP| ------> |pg1| + --- --- --- + + --- decrypt --- plain --- + |pg0| <------- |VPP| <------ |pg1| + --- --- --- + + Note : IPv6 is not covered + """ + + remote_pg0_lb_addr = '1.1.1.1' + remote_pg1_lb_addr = '2.2.2.2' + + @classmethod + def setUpClass(cls): + super(TestIpsecAh, cls).setUpClass() + try: + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.configAhTra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.configAhTun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + except Exception: + super(TestIpsecAh, cls).tearDownClass() + raise + + @classmethod + def configAhTun(cls): + try: + spd_id = 1 + remote_sa_id = 10 + local_sa_id = 20 + remote_tun_spi = 1001 + local_tun_spi = 1000 + src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) + cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) + dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tun_spi, + cls.pg0.local_ip4n, + cls.pg0.remote_ip4n, + integrity_key_length=20) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tun_spi, + cls.pg0.remote_ip4n, + cls.pg0.local_ip4n, + integrity_key_length=20) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=51) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=51, + is_outbound=0) + l_startaddr = l_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg0_lb_addr) + r_startaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + r_startaddr, + r_stopaddr, + l_startaddr, + l_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise + + @classmethod + def configAhTra(cls): + try: + spd_id = 2 + remote_sa_id = 30 + local_sa_id = 40 + remote_tra_spi = 2001 + local_tra_spi = 2000 + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tra_spi, + integrity_key_length=20, + is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tra_spi, + integrity_key_length=20, + is_tunnel=0) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=51) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=51, + is_outbound=0) + l_startaddr = l_stopaddr = cls.pg2.local_ip4n + r_startaddr = r_stopaddr = cls.pg2.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise + + def configScapySA(self, is_tun=False): + if is_tun: + self.remote_tun_sa = SecurityAssociation( + AH, + spi=0x000003e8, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + src=self.pg0.remote_ip4, + dst=self.pg0.local_ip4)) + self.local_tun_sa = SecurityAssociation( + AH, + spi=0x000003e9, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + dst=self.pg0.remote_ip4, + src=self.pg0.local_ip4)) + else: + self.remote_tra_sa = SecurityAssociation( + AH, spi=0x000007d0, auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + self.local_tra_sa = SecurityAssociation( + AH, spi=0x000007d1, auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + + def tearDown(self): + super(TestIpsecAh, self).tearDown() + if not self.vpp_dead: + self.vapi.cli("show hardware") + + def send_and_expect(self, input, pkts, output, count=1): + input.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + rx = output.get_capture(count) + return rx + + def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") + ] * count + + def gen_pkts(self, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + ] * count + + def test_ipsec_ah_tra_basic(self, count=1): + """ ipsec ah v4 transport basic test """ + try: + self.configScapySA() + send_pkts = self.gen_encrypt_pkts( + self.remote_tra_sa, + self.pg2, + src=self.pg2.remote_ip4, + dst=self.pg2.local_ip4, + count=count) + recv_pkts = self.send_and_expect( + self.pg2, send_pkts, self.pg2, count=count) + # ESP TRA VPP encryption/decryption verification + for Pkts in recv_pkts: + Pkts[AH].padding = Pkts[AH].icv[12:] + Pkts[AH].icv = Pkts[AH].icv[:12] + decrypt_pkt = self.local_tra_sa.decrypt(Pkts[IP]) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tra_burst(self): + """ ipsec ah v4 transport burst test """ + try: + self.test_ipsec_ah_tra_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tun_basic(self, count=1): + """ ipsec ah 4o4 tunnel basic test """ + try: + self.configScapySA(is_tun=True) + send_pkts = self.gen_encrypt_pkts( + self.remote_tun_sa, + self.pg0, + src=self.remote_pg0_lb_addr, + dst=self.remote_pg1_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg0, send_pkts, self.pg1, count=count) + # ESP TUN VPP decryption verification + for recv_pkt in recv_pkts: + self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) + self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) + send_pkts = self.gen_pkts( + self.pg1, + src=self.remote_pg1_lb_addr, + dst=self.remote_pg0_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg1, send_pkts, self.pg0, count=count) + # ESP TUN VPP encryption verification + for recv_pkt in recv_pkts: + recv_pkt[IP] = recv_pkt[IP] / IP(recv_pkt[AH].icv[12:]) + recv_pkt[AH].icv = recv_pkt[AH].icv[:12] + decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP]) + self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) + self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tun_burst(self): + """ ipsec ah 4o4 tunnel burst test """ + try: + self.test_ipsec_ah_tun_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py new file mode 100644 index 00000000000..78f51501f9b --- /dev/null +++ b/test/test_ipsec_esp.py @@ -0,0 +1,341 @@ +import socket + +from scapy.layers.inet import IP, ICMP +from scapy.layers.l2 import Ether +from scapy.layers.ipsec import * + +from framework import VppTestCase +from vpp_ip_route import VppIpRoute + +from util import ppp + + +class TestIpsecEsp(VppTestCase): + """ + Basic test for ipsec esp sanity - tunnel and transport modes. + + Below 4 cases are covered as part of this test + 1) ipsec esp v4 transport basic test - IPv4 Transport mode + scenario using HMAC-SHA1-96 intergrity algo + 2) ipsec esp v4 transport burst test + Above test for 257 pkts + 3) ipsec esp 4o4 tunnel basic test - IPv4 Tunnel mode + scenario using HMAC-SHA1-96 intergrity algo + 4) ipsec esp 4o4 tunnel burst test + Above test for 257 pkts + + TRANSPORT MODE: + + --- encrypt --- + |pg2| <-------> |VPP| + --- decrypt --- + + TUNNEL MODE: + + --- encrypt --- plain --- + |pg0| -------> |VPP| ------> |pg1| + --- --- --- + + --- decrypt --- plain --- + |pg0| <------- |VPP| <------ |pg1| + --- --- --- + + Note : IPv6 is not covered + """ + + remote_pg0_lb_addr = '1.1.1.1' + remote_pg1_lb_addr = '2.2.2.2' + + @classmethod + def setUpClass(cls): + super(TestIpsecEsp, cls).setUpClass() + try: + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.configEspTra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.configEspTun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + except Exception: + super(TestIpsecEsp, cls).tearDownClass() + raise + + @classmethod + def configEspTun(cls): + try: + spd_id = 1 + remote_sa_id = 10 + local_sa_id = 20 + remote_tun_spi = 1001 + local_tun_spi = 1000 + src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) + cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) + dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tun_spi, + cls.pg0.local_ip4n, + cls.pg0.remote_ip4n, + integrity_key_length=20, + crypto_key_length=16, + protocol=1) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tun_spi, + cls.pg0.remote_ip4n, + cls.pg0.local_ip4n, + integrity_key_length=20, + crypto_key_length=16, + protocol=1) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=50) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=50, + is_outbound=0) + l_startaddr = l_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg0_lb_addr) + r_startaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + r_startaddr, + r_stopaddr, + l_startaddr, + l_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise + + @classmethod + def configEspTra(cls): + try: + spd_id = 2 + remote_sa_id = 30 + local_sa_id = 40 + remote_tra_spi = 2001 + local_tra_spi = 2000 + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tra_spi, + integrity_key_length=20, + crypto_key_length=16, + protocol=1, + is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tra_spi, + integrity_key_length=20, + crypto_key_length=16, + protocol=1, + is_tunnel=0) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=50) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=50, + is_outbound=0) + l_startaddr = l_stopaddr = cls.pg2.local_ip4n + r_startaddr = r_stopaddr = cls.pg2.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise + + def configScapySA(self, is_tun=False): + if is_tun: + self.remote_tun_sa = SecurityAssociation( + ESP, + spi=0x000003e8, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + src=self.pg0.remote_ip4, + dst=self.pg0.local_ip4)) + self.local_tun_sa = SecurityAssociation( + ESP, + spi=0x000003e9, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + dst=self.pg0.remote_ip4, + src=self.pg0.local_ip4)) + else: + self.remote_tra_sa = SecurityAssociation( + ESP, + spi=0x000007d0, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + self.local_tra_sa = SecurityAssociation( + ESP, + spi=0x000007d1, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + + def tearDown(self): + super(TestIpsecEsp, self).tearDown() + if not self.vpp_dead: + self.vapi.cli("show hardware") + + def send_and_expect(self, input, pkts, output, count=1): + input.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + rx = output.get_capture(count) + return rx + + def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") + ] * count + + def gen_pkts(self, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + ] * count + + def test_ipsec_esp_tra_basic(self, count=1): + """ ipsec esp v4 transport basic test """ + try: + self.configScapySA() + send_pkts = self.gen_encrypt_pkts( + self.remote_tra_sa, + self.pg2, + src=self.pg2.remote_ip4, + dst=self.pg2.local_ip4, + count=count) + recv_pkts = self.send_and_expect( + self.pg2, send_pkts, self.pg2, count=count) + # ESP TRA VPP encryption/decryption verification + for Pkts in recv_pkts: + decrypt_pkt = self.local_tra_sa.decrypt(Pkts[IP]) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tra_burst(self): + """ ipsec esp v4 transport burst test """ + try: + self.test_ipsec_esp_tra_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tun_basic(self, count=1): + """ ipsec esp 4o4 tunnel basic test """ + try: + self.configScapySA(is_tun=True) + send_pkts = self.gen_encrypt_pkts( + self.remote_tun_sa, + self.pg0, + src=self.remote_pg0_lb_addr, + dst=self.remote_pg1_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg0, send_pkts, self.pg1, count=count) + # ESP TUN VPP decryption verification + for recv_pkt in recv_pkts: + self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) + self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) + send_pkts = self.gen_pkts( + self.pg1, + src=self.remote_pg1_lb_addr, + dst=self.remote_pg0_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg1, send_pkts, self.pg0, count=count) + # ESP TUN VPP encryption verification + for recv_pkt in recv_pkts: + decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP]) + self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) + self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tun_burst(self): + """ ipsec esp 4o4 tunnel burst test """ + try: + self.test_ipsec_esp_tun_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index c8954f842b4..338ca27eaa1 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -2811,3 +2811,165 @@ class VppPapiProvider(object): return self.api( self.papi.session_enable_disable, {'is_enable': is_enabled}) + + def ipsec_spd_add_del(self, spd_id, is_add=1): + """ SPD add/del - Wrapper to add or del ipsec SPD + Sample CLI : 'ipsec spd add 1' + + :param spd_id - SPD ID to be created in the vpp . mandatory + :param is_add - create (1) or delete(0) SPD (Default 1 - add) . + optional + :returns: reply from the API + """ + return self.api( + self.papi.ipsec_spd_add_del, { + 'spd_id': spd_id, 'is_add': is_add}) + + def ipsec_interface_add_del_spd(self, spd_id, sw_if_index, is_add=1): + """ IPSEC interface SPD add/del - \ + Wrapper to associate/disassociate SPD to interface in VPP + Sample CLI : 'set interface ipsec spd GigabitEthernet0/6/0 1' + + :param spd_id - SPD ID to associate with the interface . mandatory + :param sw_if_index - Interface Index which needs to ipsec \ + association mandatory + :param is_add - add(1) or del(0) association with interface \ + (Default 1 - add) . optional + :returns: reply from the API + """ + return self.api( + self.papi.ipsec_interface_add_del_spd, { + 'spd_id': spd_id, + 'sw_if_index': sw_if_index, 'is_add': is_add}) + + def ipsec_sad_add_del_entry(self, + sad_id, + spi, + tunnel_src_address='', + tunnel_dst_address='', + protocol=0, + integrity_algorithm=2, + integrity_key_length=0, + integrity_key='C91KUR9GYMm5GfkEvNjX', + crypto_algorithm=1, + crypto_key_length=0, + crypto_key='JPjyOWBeVEQiMe7h', + is_add=1, + is_tunnel=1): + """ IPSEC SA add/del + Sample CLI : 'ipsec sa add 10 spi 1001 esp \ + crypto-key 4a506a794f574265564551694d653768 \ + crypto-alg aes-cbc-128 \ + integ-key 4339314b55523947594d6d3547666b45764e6a58 \ + integ-alg sha1-96 tunnel-src 192.168.100.3 \ + tunnel-dst 192.168.100.2' + Sample CLI : 'ipsec sa add 20 spi 2001 \ + integ-key 4339314b55523947594d6d3547666b45764e6a58 \ + integ-alg sha1-96' + + :param sad_id - Security Association ID to be \ + created or deleted. mandatory + :param spi - security param index of the SA in decimal. mandatory + :param tunnel_src_address - incase of tunnel mode outer src address .\ + mandatory for tunnel mode + :param tunnel_dst_address - incase of transport mode \ + outer dst address. mandatory for tunnel mode + :param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional + :param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\ + optional ** + :param integrity_key - value in string \ + (Default C91KUR9GYMm5GfkEvNjX).optional + :param integrity_key_length - length of the key string in bytes\ + (Default 0 - integrity disabled). optional + :param crypto_algorithm - value range 1-11 Default \ + (1- AES_CBC_128).optional ** + :param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional + :param crypto_key_length - length of the key string in bytes\ + (Default 0 - crypto disabled). optional + :param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\ + optional + :param is_tunnel - tunnel mode (1) or transport mode(0) \ + (Default 1 - tunnel). optional + :returns: reply from the API + :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of + crypto and ipsec algorithms + """ + return self.api( + self.papi.ipsec_sad_add_del_entry, + {'sad_id': sad_id, + 'spi': spi, + 'tunnel_src_address': tunnel_src_address, + 'tunnel_dst_address': tunnel_dst_address, + 'protocol': protocol, + 'integrity_algorithm': integrity_algorithm, + 'integrity_key_length': integrity_key_length, + 'integrity_key': integrity_key, + 'crypto_algorithm': crypto_algorithm, + 'crypto_key_length': crypto_key_length, + 'crypto_key': crypto_key, + 'is_add': is_add, + 'is_tunnel': is_tunnel}) + + def ipsec_spd_add_del_entry(self, + spd_id, + local_address_start, + local_address_stop, + remote_address_start, + remote_address_stop, + local_port_start=0, + local_port_stop=65535, + remote_port_start=0, + remote_port_stop=65535, + protocol=0, + sa_id=10, + policy=0, + priority=100, + is_outbound=1, + is_add=1, + is_ip_any=0): + """ IPSEC policy SPD add/del - + Wrapper to configure ipsec SPD policy entries in VPP + Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \ + protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \ + remote-ip-range 192.168.3.3 - 192.168.3.3' + + :param spd_id - SPD ID for the policy . mandatory + :param local_address_start - local-ip-range start address . mandatory + :param local_address_stop - local-ip-range stop address . mandatory + :param remote_address_start - remote-ip-range start address . mandatory + :param remote_address_stop - remote-ip-range stop address . mandatory + :param local_port_start - (Default 0) . optional + :param local_port_stop - (Default 65535). optional + :param remote_port_start - (Default 0). optional + :param remote_port_stop - (Default 65535). optional + :param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any). + optional + :param sa_id - Security Association ID for mapping it to SPD + (default 10). optional + :param policy - bypass(0), discard(1), resolve(2) or protect(3)action + (Default 0 - bypass). optional + :param priotity - value for the spd action (Default 100). optional + :param is_outbound - flag for inbound(0) or outbound(1) + (Default 1 - outbound). optional + :param is_add flag - for addition(1) or deletion(0) of the spd + (Default 1 - addtion). optional + :returns: reply from the API + """ + return self.api( + self.papi.ipsec_spd_add_del_entry, + {'spd_id': spd_id, + 'local_address_start': local_address_start, + 'local_address_stop': local_address_stop, + 'remote_address_start': remote_address_start, + 'remote_address_stop': remote_address_stop, + 'local_port_start': local_port_start, + 'local_port_stop': local_port_stop, + 'remote_port_start': remote_port_start, + 'remote_port_stop': remote_port_stop, + 'is_add': is_add, + 'protocol': protocol, + 'policy': policy, + 'priority': priority, + 'is_outbound': is_outbound, + 'sa_id': sa_id, + 'is_ip_any': is_ip_any}) |