testing: added first openbsd interop test interop-ikev2-openbsd-01

This replaces an old stub test case. Signed-off-by: Paul Wouters <pwouters@redhat.com>
libreswan · Aug 29, 2020 · 5fad89b · 5fad89b
1 parent c8f2494
commit 5fad89b
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 72 deletions.
diff --git a/testing/pluto/interop-ikev2-openbsd-01/description.txt b/testing/pluto/interop-ikev2-openbsd-01/description.txt
@@ -1,20 +1,3 @@
 Basic pluto with IKEv2 using PSK with libreswan on the initiator (west), and openbsd on the responder.
 
-This is not meant (yet) to run automatically
-
-opnbsd must have the iked package installed (openiked)
-
-On openbsd, this will look like:
-
-openbsd# ipsecctl -s all
-FLOWS:
-flow esp in from 192.0.1.0/24 to 192.0.2.0/24 peer 192.1.2.45 srcid FQDN/east dstid FQDN/west type use
-flow esp out from 192.0.2.0/24 to 192.0.1.0/24 peer 192.1.2.45 srcid FQDN/east dstid FQDN/west type require
-flow esp out from ::/0 to ::/0 type deny
-
-SAD:
-esp tunnel from 192.1.2.45 to 192.1.2.23 spi 0x351977b3 auth hmac-sha2-256 enc aes-256
-esp tunnel from 192.1.2.23 to 192.1.2.45 spi 0x531511aa auth hmac-sha2-256 enc aes-256
-
-
-note it seems openbsd does not properly support an ipv4 and ipv6 tunnel using the same IKE SA
+openbsd must have the iked package installed
diff --git a/testing/pluto/interop-ikev2-openbsd-01/final.sh b/testing/pluto/interop-ikev2-openbsd-01/final.sh
@@ -1,5 +1,5 @@
 # check output on openbsd end
-test -f /sbin/ipsecctl && ipsecctl -s all  
+test -f /sbin/ipsecctl && ipsecctl -s all | sort 
 ../bin/check-for-core.sh
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
 : ==== end ====
diff --git a/.../pluto/interop-ikev2-openbsd-01/east.conf → ...to/interop-ikev2-openbsd-01/openbsde.conf b/.../pluto/interop-ikev2-openbsd-01/east.conf → ...to/interop-ikev2-openbsd-01/openbsde.conf
diff --git a/testing/pluto/interop-ikev2-openbsd-01/openbsde.console.txt b/testing/pluto/interop-ikev2-openbsd-01/openbsde.console.txt
@@ -0,0 +1,37 @@
+# note swan-prep does not yet supprt iked
+# note swan-prep does not yet supprtoes not yet supprt iked
+openbsde #
+ #/testing/guestbin/swan-prep
+#/testing/guestbin/swan-prep
+openbsde #
+ cp openbsde.conf /etc/iked.conf
+cp openbsde.conf /etc/iked.conf
+openbsde #
+ chmod 600 /etc/iked.conf
+chmod 600 /etc/iked.conf
+openbsde #
+ /sbin/iked
+/sbin/iked
+openbsde #
+ echo "initdone"
+echo "initdone"
+initdone
+openbsde #
+ # check output on openbsd end
+# check output on openbsd end
+openbsde #
+ test -f /sbin/ipsecctl && ipsecctl -s all | sort
+test -f /sbin/ipsecctl && ipsecctl -cctl && ipsecctl -s all | sort
+FLOWS:
+SAD:
+esp tunnel from 192.1.2.23 to 192.1.2.45 spi 0xSPISPI auth hmac-sha2-256 enc aes-256
+esp tunnel from 192.1.2.45 to 192.1.2.23 spi 0xSPISPI auth hmac-sha2-256 enc aes-256
+flow esp in from 192.0.1.0/24 to 192.0.2.0/24 peer 192.1.2.45 srcid FQDN/east dstid FQDN/west type require
+flow esp out from 192.0.2.0/24 to 192.0.1.0/24 peer 192.1.2.45 srcid FQDN/east dstid FQDN/west type require
+openbsde #
+ ../bin/check-for-core.sh
+../bin/check-for-core.sh
+openbsde #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+if [ -f /sbin/ausearch ]; then auseaarch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/...luto/interop-ikev2-openbsd-01/eastinit.sh → .../interop-ikev2-openbsd-01/openbsdeinit.sh b/...luto/interop-ikev2-openbsd-01/eastinit.sh → .../interop-ikev2-openbsd-01/openbsdeinit.sh
@@ -1,6 +1,6 @@
 # note swan-prep does not yet supprt iked 
 #/testing/guestbin/swan-prep
-cp east.conf /etc/iked.conf
+cp openbsde.conf /etc/iked.conf
 chmod 600 /etc/iked.conf
 /sbin/iked
 echo "initdone"
diff --git a/testing/pluto/interop-ikev2-openbsd-01/testparams.sh b/testing/pluto/interop-ikev2-openbsd-01/testparams.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+. ../../default-testparams.sh
+OPENBSDE_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS openbsd.sed"
diff --git a/testing/pluto/interop-ikev2-openbsd-01/west.console.txt b/testing/pluto/interop-ikev2-openbsd-01/west.console.txt
@@ -2,8 +2,8 @@
 west #
  # confirm that the network is alive
 west #
- ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
-destination -I 192.0.1.254 192.0.2.254 is alive
+ ../../pluto/bin/wait-until-alive -I 192.1.2.45 192.1.2.23
+destination -I 192.1.2.45 192.1.2.23 is alive
 west #
  # ensure that clear text does not get through
 west #
@@ -21,71 +21,51 @@ Redirecting to: [initsystem]
 west #
  /testing/pluto/bin/wait-until-pluto-started
 west #
- ipsec auto --add westnet-eastnet-ipv4-psk-ikev2
-002 added IKEv2 connection "westnet-eastnet-ipv4-psk-ikev2"
+ ipsec auto --add westnet-eastnet-ikev2
+002 added IKEv2 connection "westnet-eastnet-ikev2"
+west #
+ ipsec auto --add westnet-eastnet-ikev2-ipv6
+002 added IKEv2 connection "westnet-eastnet-ikev2-ipv6"
 west #
  ipsec whack --impair suppress-retransmits
 west #
  echo "initdone"
 initdone
 west #
- ipsec auto --up westnet-eastnet-ipv4-psk-ikev2
-1v2 "westnet-eastnet-ipv4-psk-ikev2" #1: initiating IKEv2 connection
-1v2 "westnet-eastnet-ipv4-psk-ikev2" #1: sent IKE_SA_INIT request
-1v2 "westnet-eastnet-ipv4-psk-ikev2" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "westnet-eastnet-ipv4-psk-ikev2" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
-003 "westnet-eastnet-ipv4-psk-ikev2" #1: authenticated using authby=secret
-002 "westnet-eastnet-ipv4-psk-ikev2" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
-004 "westnet-eastnet-ipv4-psk-ikev2" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+ ipsec auto --up westnet-eastnet-ikev2
+1v2 "westnet-eastnet-ikev2" #1: initiating IKEv2 connection
+1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request
+002 "westnet-eastnet-ikev2" #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH MODP2048; resending with suggested DH DH31
+1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request
+1v2 "westnet-eastnet-ikev2" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH31}
+002 "westnet-eastnet-ikev2" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
+003 "westnet-eastnet-ikev2" #1: authenticated using authby=secret
+002 "westnet-eastnet-ikev2" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
+004 "westnet-eastnet-ikev2" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
 west #
  ping -n -c 4 -I 192.0.1.254 192.0.2.254
 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
-64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=1 ttl=255 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=2 ttl=255 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=3 ttl=255 time=0.XXX ms
+64 bytes from 192.0.2.254: icmp_seq=4 ttl=255 time=0.XXX ms
 --- 192.0.2.254 ping statistics ---
 4 packets transmitted, 4 received, 0% packet loss, time XXXX
 rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
+west #
+ ipsec trafficstatus
+006 #2: "westnet-eastnet-ikev2", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
+west #
+ # fails
+west #
+ #ipsec auto --up  westnet-eastnet-ikev2-ipv6
 west #
  echo done
 done
 west #
- ../../pluto/bin/ipsec-look.sh
-west NOW
-XFRM state:
-src 192.1.2.23 dst 192.1.2.45
-	proto esp spi 0xSPISPI reqid REQID mode tunnel
-	replay-window 32 flag af-unspec
-	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
-src 192.1.2.45 dst 192.1.2.23
-	proto esp spi 0xSPISPI reqid REQID mode tunnel
-	replay-window 32 flag af-unspec
-	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
-XFRM policy:
-src 192.0.1.0/24 dst 192.0.2.0/24
-	dir out priority 2084815 ptype main
-	tmpl src 192.1.2.45 dst 192.1.2.23
-		proto esp reqid REQID mode tunnel
-src 192.0.2.0/24 dst 192.0.1.0/24
-	dir fwd priority 2084815 ptype main
-	tmpl src 192.1.2.23 dst 192.1.2.45
-		proto esp reqid REQID mode tunnel
-src 192.0.2.0/24 dst 192.0.1.0/24
-	dir in priority 2084815 ptype main
-	tmpl src 192.1.2.23 dst 192.1.2.45
-		proto esp reqid REQID mode tunnel
-XFRM done
-IPSEC mangle TABLES
-NEW_IPSEC_CONN mangle TABLES
-ROUTING TABLES
-default via 192.1.2.254 dev eth1
-192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
-192.0.2.0/24 via 192.1.2.23 dev eth1
-192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
-NSS_CERTIFICATES
-Certificate Nickname                                         Trust Attributes
-                                                             SSL,S/MIME,JAR/XPI
+ # check output on openbsd end
+west #
+ test -f /sbin/ipsecctl && ipsecctl -s all | sort
 west #
  ../bin/check-for-core.sh
 west #

diff --git a/testing/pluto/interop-ikev2-openbsd-01/westinit.sh b/testing/pluto/interop-ikev2-openbsd-01/westinit.sh
@@ -1,6 +1,6 @@
 /testing/guestbin/swan-prep
 # confirm that the network is alive
-../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
+../../pluto/bin/wait-until-alive -I 192.1.2.45 192.1.2.23
 # ensure that clear text does not get through
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT