Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: 1d446463ea
Fetching contributors…

Cannot retrieve contributors at this time

316 lines (297 sloc) 8.716 kb
AT_BANNER([ovs-monitor-ipsec])
AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
OVS_DBDIR=`pwd`; export OVS_DBDIR
OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon
AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
echo "> $line"
done
])
chmod +x usr/sbin/setkey
touch etc/racoon/certs/ovs-stale.pem
ovs_vsctl () {
ovs-vsctl --timeout=5 --no-wait -vreconnect:emer --db=unix:socket "$@"
}
trim () { # Removes blank lines and lines starting with # from input.
sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
}
###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP
###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
AT_CHECK(
[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
-- add-br br0 \
-- add-port br0 gre0 \
-- set interface gre0 type=ipsec_gre \
options:remote_ip=1.2.3.4 \
options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
exchange_mode main;
nat_traversal on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
-- add-port br0 gre1 \
-- set Interface gre1 type=ipsec_gre \
options:remote_ip=2.3.4.5 \
options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
options:certificate='"/cert.pem"' \
options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/cert.pem" "/key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])
###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
-- add-port br0 gre2 \
-- set Interface gre2 type=ipsec_gre \
options:remote_ip=3.4.5.6 \
options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
exchange_mode main;
nat_traversal on;
ike_frag on;
certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
my_identifier asn1dn;
peers_identifier asn1dn;
peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
verify_identifier on;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])
###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
Jump to Line
Something went wrong with that request. Please try again.