diff options
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 3 | ||||
-rw-r--r-- | test/test_ipsec_nat.py | 48 |
2 files changed, 24 insertions, 27 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 0ce5e54aaeb..5f633011491 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -393,7 +393,8 @@ esp_encrypt_node_fn (vlib_main_t * vm, if (sa0->udp_encap) { ouh0->udp.length = - clib_host_to_net_u16 (oh0->ip4.length - + clib_host_to_net_u16 (clib_net_to_host_u16 + (oh0->ip4.length) - ip4_header_bytes (&oh0->ip4)); } } diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py index 6d9dc109add..9e0b9ea912e 100644 --- a/test/test_ipsec_nat.py +++ b/test/test_ipsec_nat.py @@ -11,13 +11,6 @@ from template_ipsec import TemplateIpsec class IPSecNATTestCase(TemplateIpsec): """ IPSec/NAT - - TRANSPORT MODE: - - --- encrypt --- - |pg2| <-------> |VPP| - --- decrypt --- - TUNNEL MODE: @@ -31,20 +24,21 @@ class IPSecNATTestCase(TemplateIpsec): --- --- --- """ + tcp_port_in = 6303 + tcp_port_out = 6303 + udp_port_in = 6304 + udp_port_out = 6304 + icmp_id_in = 6305 + icmp_id_out = 6305 + @classmethod def setUpClass(cls): super(IPSecNATTestCase, cls).setUpClass() - cls.tcp_port_in = 6303 - cls.tcp_port_out = 6303 - cls.udp_port_in = 6304 - cls.udp_port_out = 6304 - cls.icmp_id_in = 6305 - cls.icmp_id_out = 6305 cls.tun_if = cls.pg0 cls.config_esp_tun() cls.logger.info(cls.vapi.ppcli("show ipsec")) client = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) - cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n) + cls.vapi.ip_add_del_route(client, 32, cls.tun_if.remote_ip4n) def create_stream_plain(self, src_mac, dst_mac, src_ip, dst_ip): return [ @@ -113,18 +107,19 @@ class IPSecNATTestCase(TemplateIpsec): def verify_capture_encrypted(self, capture, sa): for packet in capture: try: + copy = packet.__class__(str(packet)) + del copy[UDP].len + copy = packet.__class__(str(copy)) + self.assert_equal(packet[UDP].len, copy[UDP].len, + "UDP header length") + self.assert_packet_checksums_valid(packet) self.assertIn(ESP, packet[IP]) decrypt_pkt = sa.decrypt(packet[IP]) + self.assert_packet_checksums_valid(decrypt_pkt) self.assert_equal(decrypt_pkt[IP].src, self.pg1.remote_ip4, "encrypted packet source address") self.assert_equal(decrypt_pkt[IP].dst, self.tun_if.remote_ip4, "encrypted packet destination address") - # if decrypt_pkt.haslayer(TCP): - # self.tcp_port_out = decrypt_pkt[TCP].sport - # elif decrypt_pkt.haslayer(UDP): - # self.udp_port_out = decrypt_pkt[UDP].sport - # else: - # self.icmp_id_out = decrypt_pkt[ICMP].id except Exception: self.logger.error( ppp("Unexpected or invalid encrypted packet:", packet)) @@ -138,14 +133,16 @@ class IPSecNATTestCase(TemplateIpsec): cls.crypt_algo_vpp_id, cls.crypt_key, cls.vpp_esp_protocol, cls.pg1.remote_ip4n, - cls.tun_if.remote_ip4n) + cls.tun_if.remote_ip4n, + udp_encap=1) cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, cls.vpp_tun_spi, cls.auth_algo_vpp_id, cls.auth_key, cls.crypt_algo_vpp_id, cls.crypt_key, cls.vpp_esp_protocol, cls.tun_if.remote_ip4n, - cls.pg1.remote_ip4n) + cls.pg1.remote_ip4n, + udp_encap=1) cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, cls.tun_if.sw_if_index) @@ -153,7 +150,7 @@ class IPSecNATTestCase(TemplateIpsec): "0.0.0.0") l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, l_startaddr, l_stopaddr, r_startaddr, r_stopaddr, protocol=socket.IPPROTO_ESP) @@ -161,7 +158,7 @@ class IPSecNATTestCase(TemplateIpsec): l_startaddr, l_stopaddr, r_startaddr, r_stopaddr, is_outbound=0, protocol=socket.IPPROTO_ESP) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, l_startaddr, l_stopaddr, r_startaddr, r_stopaddr, remote_port_start=4500, remote_port_stop=4500, @@ -184,8 +181,7 @@ class IPSecNATTestCase(TemplateIpsec): def test_ipsec_nat_tun(self): """ IPSec/NAT tunnel test case """ - scapy_tun_sa = SecurityAssociation(ESP, - spi=self.scapy_tun_spi, + scapy_tun_sa = SecurityAssociation(ESP, spi=self.scapy_tun_spi, crypt_algo=self.crypt_algo, crypt_key=self.crypt_key, auth_algo=self.auth_algo, |