1 AT_BANNER([ovs-monitor-ipsec])
3 AT_SETUP([ovs-monitor-ipsec])
# The daemon under test (debian/ovs-monitor-ipsec) is a Python script, so the
# whole group is skipped when no interpreter is available.
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
# Point the OVS tools at the test directory for their run-time and data files,
# presumably so ovsdb-tool/ovs-vsctl look here rather than in the install tree.
6 OVS_RUNDIR=`pwd`; export OVS_RUNDIR
7 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
# Schema for the throw-away database the test creates below.
8 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
# On shell exit, kill both background daemons via their pidfiles: "pid"
# (presumably ovsdb-server's) and ovs-monitor-ipsec.pid (see the start below).
10 trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0
# Sandbox replica of the host layout that the daemon writes into through
# --root-prefix: racoon config, psk file and the peer certificate store.
12 mkdir etc etc/init.d etc/racoon etc/racoon/certs
15 AT_DATA([etc/init.d/racoon], [dnl
20 chmod +x etc/init.d/racoon
# Stub replacements for the racoon init script and the setkey binary. No real
# IPsec state is touched; they presumably just record their invocation on fd 3,
# which the daemon start below redirects to the "actions" file that the
# checks inspect.
22 AT_DATA([usr/sbin/setkey], [dnl
30 chmod +x usr/sbin/setkey
# A leftover certificate that the daemon is expected to garbage-collect at
# start-up.
32 touch etc/racoon/certs/ovs-stale.pem
# Body of the ovs_vsctl helper (its opening line is not shown here): talk to
# the test database over the local socket with a bounded timeout, without
# waiting for ovs-vswitchd, and with reconnect log chatter muted.
35 ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
37 trim () { # Removes blank lines and lines starting with # from input.
38 sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
42 ### Start ovsdb-server.
47 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
# The daemon runs in the background against the sandbox: --root-prefix makes it
# write under ./etc instead of /etc, stderr goes to "log" and fd 3 (used by
# the stubs above) to "actions". Both files are captured on failure.
50 [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
51 "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
52 unix:socket 2>log 3>actions &])
53 AT_CAPTURE_FILE([log])
54 AT_CAPTURE_FILE([actions])
# Start-up is considered complete once the stale certificate is gone.
55 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
58 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
# Pre-shared-key tunnel: expected outcome is a transport-mode SPD pair for the
# peer, a psk.txt entry and a pre_shared_key remote block in racoon.conf.
62 -- add-port br0 gre0 \
63 -- set interface gre0 type=ipsec_gre \
64 options:remote_ip=1.2.3.4 \
65 options:psk=swordfish])
# "actions" is filled asynchronously by the stubs, so wait for the policy line
# that proves the daemon processed the new interface before reading it.
66 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
67 AT_CHECK([cat actions], [0], [dnl
75 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
76 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
# psk.txt is the clear-text "peer-ip psk" table racoon reads, so its contents
# are compared exactly. NOTE(review): nothing here checks its file mode, so a
# permissions regression on the generated file would not be caught.
78 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
# The generated racoon.conf refers to the un-prefixed /etc/racoon paths even
# though the files themselves live under the sandbox prefix. The phase-2
# proposal (hmac_sha1, hmac_md5, deflate) is pinned here exactly as the tool
# currently emits it; changing the daemon's algorithm choices means updating
# every racoon.conf expectation in this test.
80 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
81 path pre_shared_key "/etc/racoon/psk.txt";
82 path certificate "/etc/racoon/certs";
87 encryption_algorithm aes;
89 authentication_method pre_shared_key;
96 encryption_algorithm aes;
97 authentication_algorithm hmac_sha1, hmac_md5;
98 compression_algorithm deflate;
103 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
# Each step waits for the cumulative line count it expects in "actions" and
# then strips the lines already verified by the previous step.
105 AT_CHECK([ovs_vsctl del-port gre0])
106 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
107 AT_CHECK([sed '1,9d' actions], [0], [dnl
110 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
111 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
# After removal the PSK must be gone from psk.txt and racoon.conf must fall
# back to the peer-independent defaults.
117 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
118 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
119 path pre_shared_key "/etc/racoon/psk.txt";
120 path certificate "/etc/racoon/certs";
123 lifetime time 1 hour;
124 encryption_algorithm aes;
125 authentication_algorithm hmac_sha1, hmac_md5;
126 compression_algorithm deflate;
131 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
# Placeholder PEM files: the test exercises only path and file handling, so no
# real key material is used anywhere.
133 AT_DATA([cert.pem], [dnl
134 -----BEGIN CERTIFICATE-----
135 (not a real certificate)
136 -----END CERTIFICATE-----
138 AT_DATA([key.pem], [dnl
139 -----BEGIN RSA PRIVATE KEY-----
140 (not a real private key)
141 -----END RSA PRIVATE KEY-----
# Certificate-based tunnel: peer_cert carries the remote end's certificate
# inline in the database, while certificate/private_key are local paths that
# are passed through to racoon.conf unchanged.
143 AT_CHECK([ovs_vsctl \
144 -- add-port br0 gre1 \
145 -- set Interface gre1 type=ipsec_gre \
146 options:remote_ip=2.3.4.5 \
147 options:peer_cert='"-----BEGIN CERTIFICATE-----
148 (not a real peer certificate)
149 -----END CERTIFICATE-----
151 options:certificate='"/cert.pem"' \
152 options:private_key='"/key.pem"'])
153 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
154 AT_CHECK([sed '1,17d' actions], [0], [dnl
157 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
158 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
160 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# With certificates the remote block switches to rsasig authentication and
# identity verification against a per-peer certificate file that the daemon
# materialises under the certs directory, named after the peer's IP address.
161 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
162 path pre_shared_key "/etc/racoon/psk.txt";
163 path certificate "/etc/racoon/certs";
168 certificate_type x509 "/cert.pem" "/key.pem";
169 my_identifier asn1dn;
170 peers_identifier asn1dn;
171 peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
172 verify_identifier on;
174 encryption_algorithm aes;
176 authentication_method rsasig;
182 lifetime time 1 hour;
183 encryption_algorithm aes;
184 authentication_algorithm hmac_sha1, hmac_md5;
185 compression_algorithm deflate;
# The peer certificate from the database must be written verbatim to the path
# that racoon.conf points at.
188 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
189 -----BEGIN CERTIFICATE-----
190 (not a real peer certificate)
191 -----END CERTIFICATE-----
195 ### Delete the ipsec_gre certificate interface.
197 AT_CHECK([ovs_vsctl del-port gre1])
198 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
199 AT_CHECK([sed '1,21d' actions], [0], [dnl
202 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
203 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
209 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
210 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
211 path pre_shared_key "/etc/racoon/psk.txt";
212 path certificate "/etc/racoon/certs";
215 lifetime time 1 hour;
216 encryption_algorithm aes;
217 authentication_algorithm hmac_sha1, hmac_md5;
218 compression_algorithm deflate;
# Cleanup must also remove the materialised peer certificate, not only the
# config entry, so stale trust material does not accumulate.
221 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
224 ### Add an SSL certificate interface.
# use_ssl_cert=true makes the daemon reuse the certificate and key configured
# through set-ssl instead of per-interface certificate/private_key options.
226 cp cert.pem ssl-cert.pem
227 cp key.pem ssl-key.pem
228 AT_DATA([ssl-cacert.pem], [dnl
229 -----BEGIN CERTIFICATE-----
230 (not a real CA certificate)
231 -----END CERTIFICATE-----
233 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
234 -- add-port br0 gre2 \
235 -- set Interface gre2 type=ipsec_gre \
236 options:remote_ip=3.4.5.6 \
237 options:peer_cert='"-----BEGIN CERTIFICATE-----
238 (not a real peer certificate)
239 -----END CERTIFICATE-----
241 options:use_ssl_cert='"true"'])
242 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
243 AT_CHECK([sed '1,29d' actions], [0], [dnl
246 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
247 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
249 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
# Same shape as the explicit-certificate case, but the x509 paths come from
# the SSL table rather than from the interface options.
250 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
251 path pre_shared_key "/etc/racoon/psk.txt";
252 path certificate "/etc/racoon/certs";
257 certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
258 my_identifier asn1dn;
259 peers_identifier asn1dn;
260 peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
261 verify_identifier on;
263 encryption_algorithm aes;
265 authentication_method rsasig;
271 lifetime time 1 hour;
272 encryption_algorithm aes;
273 authentication_algorithm hmac_sha1, hmac_md5;
274 compression_algorithm deflate;
277 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
278 -----BEGIN CERTIFICATE-----
279 (not a real peer certificate)
280 -----END CERTIFICATE-----
284 ### Delete the SSL certificate interface.
286 AT_CHECK([ovs_vsctl del-port gre2])
287 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
288 AT_CHECK([sed '1,33d' actions], [0], [dnl
291 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
292 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
298 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
299 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
300 path pre_shared_key "/etc/racoon/psk.txt";
301 path certificate "/etc/racoon/certs";
304 lifetime time 1 hour;
305 encryption_algorithm aes;
306 authentication_algorithm hmac_sha1, hmac_md5;
307 compression_algorithm deflate;
310 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
# Presumably stops ovsdb-server; the exit trap above takes care of
# ovs-monitor-ipsec.
312 OVSDB_SERVER_SHUTDOWN