1 AT_BANNER([ovs-monitor-ipsec])
3 AT_SETUP([ovs-monitor-ipsec])
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
6 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
7 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
9 trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0
11 mkdir etc etc/init.d etc/racoon etc/racoon/certs
14 AT_DATA([etc/init.d/racoon], [dnl
19 chmod +x etc/init.d/racoon
21 AT_DATA([usr/sbin/setkey], [dnl
29 chmod +x usr/sbin/setkey
31 touch etc/racoon/certs/ovs-stale.pem
34 ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
36 trim () { # Removes blank lines and lines starting with # from input.
37 sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
41 ### Start ovsdb-server.
46 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
49 [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
50 "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
51 unix:socket 2>log 3>actions &])
52 AT_CAPTURE_FILE([log])
53 AT_CAPTURE_FILE([actions])
54 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
57 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
61 -- add-port br0 gre0 \
62 -- set interface gre0 type=ipsec_gre \
63 options:remote_ip=1.2.3.4 \
64 options:psk=swordfish])
65 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
66 AT_CHECK([cat actions], [0], [dnl
74 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
75 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
77 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
79 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
80 path pre_shared_key "/etc/racoon/psk.txt";
81 path certificate "/etc/racoon/certs";
86 encryption_algorithm aes;
88 authentication_method pre_shared_key;
95 encryption_algorithm aes;
96 authentication_algorithm hmac_sha1, hmac_md5;
97 compression_algorithm deflate;
102 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
104 AT_CHECK([ovs_vsctl del-port gre0])
105 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
106 AT_CHECK([sed '1,9d' actions], [0], [dnl
109 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
110 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
116 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118 path pre_shared_key "/etc/racoon/psk.txt";
119 path certificate "/etc/racoon/certs";
122 lifetime time 1 hour;
123 encryption_algorithm aes;
124 authentication_algorithm hmac_sha1, hmac_md5;
125 compression_algorithm deflate;
130 ### Add an ipsec_gre certificate interface and check what ovs-monitor-ipsec does
132 AT_DATA([cert.pem], [dnl
133 -----BEGIN CERTIFICATE-----
134 (not a real certificate)
135 -----END CERTIFICATE-----
137 AT_DATA([key.pem], [dnl
138 -----BEGIN RSA PRIVATE KEY-----
139 (not a real private key)
140 -----END RSA PRIVATE KEY-----
142 AT_CHECK([ovs_vsctl \
143 -- add-port br0 gre1 \
144 -- set Interface gre1 type=ipsec_gre \
145 options:remote_ip=2.3.4.5 \
146 options:peer_cert='"-----BEGIN CERTIFICATE-----
147 (not a real peer certificate)
148 -----END CERTIFICATE-----
150 options:certificate='"/cert.pem"' \
151 options:private_key='"/key.pem"'])
152 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
153 AT_CHECK([sed '1,17d' actions], [0], [dnl
156 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
157 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
159 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
160 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
161 path pre_shared_key "/etc/racoon/psk.txt";
162 path certificate "/etc/racoon/certs";
167 certificate_type x509 "/cert.pem" "/key.pem";
168 my_identifier asn1dn;
169 peers_identifier asn1dn;
170 peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
171 verify_identifier on;
173 encryption_algorithm aes;
175 authentication_method rsasig;
181 lifetime time 1 hour;
182 encryption_algorithm aes;
183 authentication_algorithm hmac_sha1, hmac_md5;
184 compression_algorithm deflate;
187 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
188 -----BEGIN CERTIFICATE-----
189 (not a real peer certificate)
190 -----END CERTIFICATE-----
194 ### Delete the ipsec_gre certificate interface.
196 AT_CHECK([ovs_vsctl del-port gre1])
197 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
198 AT_CHECK([sed '1,21d' actions], [0], [dnl
201 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
202 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
208 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
209 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
210 path pre_shared_key "/etc/racoon/psk.txt";
211 path certificate "/etc/racoon/certs";
214 lifetime time 1 hour;
215 encryption_algorithm aes;
216 authentication_algorithm hmac_sha1, hmac_md5;
217 compression_algorithm deflate;
220 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
223 ### Add an SSL certificate interface.
225 cp cert.pem ssl-cert.pem
226 cp key.pem ssl-key.pem
227 AT_DATA([ssl-cacert.pem], [dnl
228 -----BEGIN CERTIFICATE-----
229 (not a real CA certificate)
230 -----END CERTIFICATE-----
232 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
233 -- add-port br0 gre2 \
234 -- set Interface gre2 type=ipsec_gre \
235 options:remote_ip=3.4.5.6 \
236 options:peer_cert='"-----BEGIN CERTIFICATE-----
237 (not a real peer certificate)
238 -----END CERTIFICATE-----
240 options:use_ssl_cert='"true"'])
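# The previous step already required 29 action lines, so waiting for -ge 21
# was satisfied immediately and the sed '1,29d' check below could race the
# daemon.  Mirror the gre1 add step, which appended 4 lines (17 -> 21).
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])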
242 AT_CHECK([sed '1,29d' actions], [0], [dnl
245 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
246 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
248 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
249 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
250 path pre_shared_key "/etc/racoon/psk.txt";
251 path certificate "/etc/racoon/certs";
256 certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
257 my_identifier asn1dn;
258 peers_identifier asn1dn;
259 peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
260 verify_identifier on;
262 encryption_algorithm aes;
264 authentication_method rsasig;
270 lifetime time 1 hour;
271 encryption_algorithm aes;
272 authentication_algorithm hmac_sha1, hmac_md5;
273 compression_algorithm deflate;
276 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
277 -----BEGIN CERTIFICATE-----
278 (not a real peer certificate)
279 -----END CERTIFICATE-----
283 ### Delete the SSL certificate interface.
285 AT_CHECK([ovs_vsctl del-port gre2])
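# The gre2 add step leaves at least 33 action lines, so waiting for -ge 29
# never blocks and the sed '1,33d' check below could race the daemon.
# Mirror the gre1 delete step, which appended 8 lines (21 -> 29).
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])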
287 AT_CHECK([sed '1,33d' actions], [0], [dnl
290 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
291 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
297 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
298 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
299 path pre_shared_key "/etc/racoon/psk.txt";
300 path certificate "/etc/racoon/certs";
303 lifetime time 1 hour;
304 encryption_algorithm aes;
305 authentication_algorithm hmac_sha1, hmac_md5;
306 compression_algorithm deflate;
309 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])