[ovs-dev] [PATCH v2 4/5] ipsec: Introduce IPsec system tests for Libreswan

Flavio Leitner fbl at sysclose.org
Wed Mar 31 20:37:19 UTC 2021


On Wed, Mar 31, 2021 at 04:05:08AM -0400, Mark Gray wrote:
> This patch adds system tests for OVS IPsec using Libreswan.
> If Libreswan is not present on the system, the tests will
> be skipped.
> 
> These tests set up an underlay switch with bridge 'br0'
> to carry encrypted traffic between two emulated "nodes".
> Each "node" is a separate network namespace ('left' and
> 'right') and runs an instance of the Libreswan "pluto"
> daemon, ovs-monitor-ipsec, ovs-vswitchd and ovsdb-server.
> 
> Each test sets up IPsec between the two emulated "nodes"
> using various configurations (currently tunnel
> type, IPv4/IPv6, authentication method, local_ip). After
> configuration, connectivity between the two nodes is
> tested and the underlay traffic is also inspected to
> ensure the traffic is encrypted.
> 
> All IPsec system tests can be run by using the ipsec
> keyword:
> 
> sudo make check-kernel TESTSUITEFLAGS='-k ipsec'
> 
> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
> ---
> v2: removed sleep, addressed libreswan path length bug, move
>     geneve comment
> 
>  tests/automake.mk              |   3 +-
>  tests/system-ipsec.at          | 400 +++++++++++++++++++++++++++++++++
>  tests/system-kmod-testsuite.at |   1 +
>  3 files changed, 403 insertions(+), 1 deletion(-)
>  create mode 100644 tests/system-ipsec.at
> 
> diff --git a/tests/automake.mk b/tests/automake.mk
> index 44a65849ccac..1a528aa394ff 100644
> --- a/tests/automake.mk
> +++ b/tests/automake.mk
> @@ -173,6 +173,7 @@ SYSTEM_TESTSUITE_AT = \
>  	tests/system-common-macros.at \
>  	tests/system-layer3-tunnels.at \
>  	tests/system-traffic.at \
> +	tests/system-ipsec.at \
>  	tests/system-interface.at
>  
>  SYSTEM_OFFLOADS_TESTSUITE_AT = \
> @@ -200,7 +201,7 @@ SYSTEM_DPDK_TESTSUITE = $(srcdir)/tests/system-dpdk-testsuite
>  OVSDB_CLUSTER_TESTSUITE = $(srcdir)/tests/ovsdb-cluster-testsuite
>  DISTCLEANFILES += tests/atconfig tests/atlocal
>  
> -AUTOTEST_PATH = utilities:vswitchd:ovsdb:vtep:tests:$(PTHREAD_WIN32_DIR_DLL):$(SSL_DIR)
> +AUTOTEST_PATH = utilities:vswitchd:ovsdb:vtep:tests:ipsec:$(PTHREAD_WIN32_DIR_DLL):$(SSL_DIR)
>  
>  check-local:
>  	set $(SHELL) '$(TESTSUITE)' -C tests AUTOTEST_PATH=$(AUTOTEST_PATH); \
> diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at
> new file mode 100644
> index 000000000000..7dc0f9228f95
> --- /dev/null
> +++ b/tests/system-ipsec.at
> @@ -0,0 +1,400 @@
> +AT_BANNER(IPsec)
> +
> +dnl IPSEC_SETUP_UNDERLAY()
> +dnl
> +dnl Configure anything required in the underlay network
> +m4_define([IPSEC_SETUP_UNDERLAY],
> +      [AT_CHECK([cp ${abs_top_srcdir}/vswitchd/vswitch.ovsschema vswitch.ovsschema])
> +      dnl Set up the underlay switch
> +      AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])])
> +
> +dnl IPSEC_ADD_NODE([namespace], [device], [address], [peer address]))
> +dnl
> +dnl Creates a dummy host that acts as an IPsec endpoint. Creates host in
> +dnl 'namespace' and attaches a veth 'device' to 'namespace' to act as the host
> +dnl NIC. Assigns 'address' to 'device' and adds the other end of veth 'device' to
> +dnl 'br0' which is an OVS bridge in the default namespace acting as an underlay
> +dnl switch. Sets the default gateway of 'namespace' to 'peer address'.
> +dnl
> +dnl Starts all daemons in 'namespace' that are required for IPsec
> +m4_define([IPSEC_ADD_NODE],
> +  [ADD_NAMESPACES($1)
> +  dnl Disable DAD. We know we wont get duplicates on this underlay network.
> +  NS_EXEC([$1], [sysctl -w net.ipv6.conf.all.accept_dad=0])
> +  NS_EXEC([$1], [sysctl -w net.ipv6.conf.default.accept_dad=0])
> +  ADD_VETH($2, $1, br0, $3/24)
> +  NS_EXEC([$1], [ip route add default via $4 dev $2])
> +  mkdir -p $ovs_base/$1
> +  touch $ovs_base/$1/.conf.db.~lock~
> +  NS_EXEC([$1], [ovsdb-tool create $ovs_base/$1/conf.db \
> +                $abs_top_srcdir/vswitchd/vswitch.ovsschema], [0], [], [stderr])
> +
> +  dnl Start ovsdb-server.
> +  NS_EXEC([$1],[ovsdb-server $ovs_base/$1/conf.db --detach --no-chdir \
> +        --log-file=$ovs_base/$1/ovsdb.log --pidfile=$ovs_base/$1/ovsdb.pid \
> +        --remote=punix:$OVS_RUNDIR/$1/db.sock], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/ovsdb.pid`"
> +  NS_EXEC([$1], [ovs-vsctl --no-wait init])
> +
> +  dnl Start ovs-vswitchd.
> +  NS_EXEC([$1], [ovs-vswitchd unix:${OVS_RUNDIR}/$1/db.sock --detach \
> +        --no-chdir --pidfile=$ovs_base/$1/vswitchd.pid \
> +        --unixctl=$ovs_base/$1/vswitchd.ctl \
> +        --log-file=$ovs_base/$1/vswitchd.log -vvconn -vofproto_dpif -vunixctl],\
> +        [0], [], [stderr])
> +  on_exit "kill_ovs_vswitchd `cat $ovs_base/$1/vswitchd.pid`"
> +
> +  dnl Start pluto
> +  mkdir -p $ovs_base/$1/ipsec.d
> +  touch $ovs_base/$1/ipsec.conf
> +  touch $ovs_base/$1/secrets
> +  ipsec initnss --nssdir $ovs_base/$1/ipsec.d
> +  NS_CHECK_EXEC([$1], [ipsec pluto --config $ovs_base/$1/ipsec.conf \
> +        --ipsecdir $ovs_base/$1 --nssdir $ovs_base/$1/ipsec.d \
> +        --logfile $ovs_base/$1/pluto.log --secretsfile $ovs_base/$1/secrets \
> +        --rundir $ovs_base/$1], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/pluto.pid`"
> +
> +  dnl Start ovs-monitor-ipsec
> +  NS_CHECK_EXEC([$1], [ovs-monitor-ipsec unix:${OVS_RUNDIR}/$1/db.sock\
> +        --pidfile=${OVS_RUNDIR}/$1/ovs-monitor-ipsec.pid --ike-daemon=libreswan\
> +        --ipsec-conf=$ovs_base/$1/ipsec.conf --ipsec-d=$ovs_base/$1/ipsec.d \
> +        --ipsec-secrets=$ovs_base/$1/secrets \
> +        --log-file=$ovs_base/$1/ovs-monitor-ipsec.log \
> +        --ipsec-ctl=$ovs_base/$1/pluto.ctl \
> +        --no-restart-ike-daemon --detach ], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/ovs-monitor-ipsec.pid`"
> +
> +  dnl Set up OVS bridge
> +  NS_EXEC([$1], [ovs-vsctl --db unix:$ovs_base/$1/db.sock add-br br-ipsec])]
> +)
> +m4_define([IPSEC_ADD_NODE_LEFT], [IPSEC_ADD_NODE(left, p0, $1, $2)])
> +m4_define([IPSEC_ADD_NODE_RIGHT], [IPSEC_ADD_NODE(right, p1, $1, $2)])
> +
> +dnl OVS_VSCTL([namespace], [sub-command])
> +dnl
> +dnl Runs `ovs-vsctl 'sub-command'` in 'namespace'
> +m4_define([OVS_VSCTL],
> +      [[ip netns exec $1 ovs-vsctl --db unix:$ovs_base/$1/db.sock $2 ]])
> +m4_define([OVS_VSCTL_LEFT], [OVS_VSCTL(left, $1)])
> +m4_define([OVS_VSCTL_RIGHT], [OVS_VSCTL(right, $1)])
> +
> +dnl CHECK_LIBRESWAN()
> +dnl
> +dnl Check if necessary Libreswan dependencies are available on the test machine
> +m4_define([CHECK_LIBRESWAN],
> +      [dnl Skip tests if system has not been set up for Libreswan
> +      AT_SKIP_IF([!(ipsec --version | grep Libreswan)])
> +      AT_SKIP_IF([test ! -x $(which certutil)])
> +      AT_SKIP_IF([test ! -x $(which pk12util)])
> +      AT_SKIP_IF([test ! -x $(which openssl)])
> +      dnl If '$ovs_base' is too long, the following Libreswan issue will trigger
> +      dnl so we check that it is not too long and skip test if it is.
> +      dnl https://github.com/libreswan/libreswan/issues/428
> +      AT_SKIP_IF([test "${#ovs_base}" -gt "90" ])])
> +
> +dnl IPSEC_STATUS_LOADED([])
> +dnl
> +dnl Get number of loaded connections from ipsec status
> +m4_define([IPSEC_STATUS_LOADED], [ipsec status --rundir $ovs_base/$1 | \
> +           grep "Total IPsec connections" | \
> +           sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m'])
> +
> +dnl IPSEC_STATUS_ACTIVE([])
> +dnl
> +dnl Get number of active connections from ipsec status
> +m4_define([IPSEC_STATUS_ACTIVE], [ipsec status --rundir $ovs_base/$1 | \
> +           grep "Total IPsec connections" | \
> +           sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m'])
> +
> +dnl CHECK_ESP_TRAFFIC()
> +dnl
> +dnl Checks for connectivity between nodes and that the underlay traffic is ESP.
> +m4_define([CHECK_ESP_TRAFFIC],
> +      [dnl Add test interfaces for pinging
> +      NS_EXEC([left], [ip addr add 192.0.0.1/24 dev br-ipsec])
> +      NS_EXEC([left], [ip link set dev br-ipsec up])
> +
> +      NS_EXEC([right], [ip addr add 192.0.0.2/24 dev br-ipsec])
> +      NS_EXEC([right], [ip link set dev br-ipsec up])
> +
> +
> +      dnl Capture any underlay esp packets
> +      tcpdump -l -i ovs-p0 esp > $ovs_base/left/tcpdump.log &
> +      on_exit "kill $!"
> +      tcpdump -l -i ovs-p1 esp > $ovs_base/right/tcpdump.log &

I'd suggest to include -n and -nn to avoid DNS and converting
protocols and ports because those take extra time sometimes.

I am also facing some issues like this one for #145:
tcpdump: verbose output suppressed, use -v[v]... for full protocol
decode
listening on ovs-p1, link-type EN10MB (Ethernet), snapshot length
262144 bytes
system-ipsec.at:323: wait failed after 30 seconds
./ovs-macros.at:242: hard failure
0 packets captured
0 packets received by filter
0 packets dropped by kernel
0 packets captured
0 packets received by filter
0 packets dropped by kernel


And this one:
--- -   2021-03-31 17:30:04.094358592 -0300
+++
/root/upstream/ovs/tests/system-kmod-testsuite.dir/at-groups/143/stdout
2021-03-31 17:30:04.088889311 -0300
@@ -1,2 +1,2 @@
-3 packets transmitted, 3 received, 0% packet loss, time 0ms
+4 packets transmitted, 3 received, 25% packet loss, time 0ms


Those suggest that the ping might be starting too soon or that the
tunnel is not yet established. Failures seem random.

Any idea? Otherwise I will troubleshoot this further tomorrow.

fbl


> +      on_exit "kill $!"
> +
> +      dnl Wait for all loaded connections to be active
> +      OVS_WAIT_UNTIL([test `IPSEC_STATUS_LOADED(left)` -eq `IPSEC_STATUS_ACTIVE(left)`])
> +      OVS_WAIT_UNTIL([test `IPSEC_STATUS_LOADED(right)` -eq `IPSEC_STATUS_ACTIVE(right)`])
> +
> +      dnl Ping over IPsec tunnel
> +      NS_CHECK_EXEC([left], [ping -q -c 3 -i 0.3 -w 2 192.0.0.2 | FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +      NS_CHECK_EXEC([right], [ping -q -c 3 -i 0.3 -w 2 192.0.0.1 | FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +
> +      dnl Check for esp traffic
> +      dnl Note: Geneve tests may not work on older kernels due to CVE-2020-25645
> +      dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +      AT_CHECK([cat $ovs_base/left/tcpdump.log | grep ESP], [0], [stdout], [stderr])
> +      AT_CHECK([cat $ovs_base/right/tcpdump.log | grep ESP], [0], [stdout], [stderr])])
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, localip, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.2 options:local_ip=10.1.1.1 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.1 options:local_ip=10.1.1.2 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, self-signed)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve self-signed])
> +dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Create and set self-signed certs
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log req -u left
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log req -u right
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log self-sign left
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log self-sign right
> +OVS_VSCTL_LEFT(set Open_vSwitch . \
> +      other_config:certificate=${ovs_base}/left-cert.pem \
> +      other_config:private_key=${ovs_base}/left-privkey.pem)
> +OVS_VSCTL_RIGHT(set Open_vSwitch . \
> +      other_config:certificate=${ovs_base}/right-cert.pem \
> +      other_config:private_key=${ovs_base}/right-privkey.pem)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.2 options:remote_cert=${ovs_base}/right-cert.pem)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.1 options:remote_cert=${ovs_base}/left-cert.pem)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, ca-signed)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve ca-signed])
> +dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Create and set ca-signed certs
> +ovs-pki --force -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log init
> +ovs-pki -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log req+sign -u left
> +ovs-pki -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log req+sign -u right
> +OVS_VSCTL_LEFT(set Open_vSwitch . \
> +      other_config:ca_cert=${ovs_base}/switchca/cacert.pem \
> +      other_config:certificate=${ovs_base}/left-cert.pem \
> +      other_config:private_key=${ovs_base}/left-privkey.pem)
> +OVS_VSCTL_RIGHT(set Open_vSwitch . \
> +      other_config:ca_cert=${ovs_base}/switchca/cacert.pem \
> +      other_config:certificate=${ovs_base}/right-cert.pem \
> +      other_config:private_key=${ovs_base}/right-privkey.pem)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.2 options:remote_name=right)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=10.1.1.1 options:remote_name=left)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, gre, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 gre psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=gre \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=gre \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, vxlan, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4, vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, vxlan, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=fd01::102 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=fd01::101 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, vxlan, localip, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=fd01::102 options:local_ip=fd01::101 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan \
> +          options:remote_ip=fd01::101 options:local_ip=fd01::102 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, geneve, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=fd01::102 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
> +          options:remote_ip=fd01::101 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
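Review bot: CHECK_ESP_TRAFFIC only proves that some ESP packets crossed ovs-p0/ovs-p1 (the `grep ESP` on the capture logs at the end of the macro); it never asserts that no plaintext tunnel traffic reached the underlay, so a policy that covers only part of the traffic, or a tunnel that comes up after the first ping, still passes the "traffic is encrypted" check. A second capture with a filter for the unencrypted encapsulations, e.g. `tcpdump -l -i ovs-p0 'udp port 6081 or udp port 4789 or proto gre' > $ovs_base/left/tcpdump-plain.log &` followed by `AT_CHECK([test ! -s $ovs_base/left/tcpdump-plain.log])` after the pings, would turn this into a leak check (the default GENEVE/VXLAN ports are assumed here; adjust if a test ever sets a custom dst_port). Separately, in CHECK_LIBRESWAN the `test ! -x $(which certutil)` checks are unquoted: when the tool is missing, `which` prints nothing, the expression collapses to the two-argument form `test ! -x`, which exits non-zero, and the test runs instead of being skipped; `AT_SKIP_IF([test ! -x "$(which certutil)"])` (likewise for pk12util and openssl) keeps the skip working.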
> diff --git a/tests/system-kmod-testsuite.at b/tests/system-kmod-testsuite.at
> index 3de0290c02f4..a595baf92987 100644
> --- a/tests/system-kmod-testsuite.at
> +++ b/tests/system-kmod-testsuite.at
> @@ -25,3 +25,4 @@ m4_include([tests/system-kmod-macros.at])
>  m4_include([tests/system-traffic.at])
>  m4_include([tests/system-layer3-tunnels.at])
>  m4_include([tests/system-interface.at])
> +m4_include([tests/system-ipsec.at])
> -- 
> 2.27.0
> 

-- 
fbl

