Add a simple example of ESP tunnel mode manual configuration #79

Merged
53 changes: 53 additions & 0 deletions examples/basic_ipsec/static_esp_tunnel_simple/README.md
@@ -0,0 +1,53 @@
# Simple statically-configured ESP tunnel mode example just works

Establish SA bidirectionally between R0 and R1. Apply xfrm allow policy for the traffic between C0 and C1.

![topo](topo.png)

## Demo

Try `tinet test`. Below is an example output. You can see the ICMP packets are correctly encapsulated with ESP header.

```
===================================================
Starting packet capture on R0 (net1) and R1 (net1)
===================================================
tcpdump: listening on net1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
tcpdump: listening on net1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
===================================================
ping from C0 to C1
===================================================
PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
64 bytes from 10.0.1.2: icmp_seq=1 ttl=62 time=0.081 ms

--- 10.0.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.081/0.081/0.081/0.000 ms
===================================================
Stopping packet capture on R0 (net1) and R1 (net1)
===================================================
5 packets captured
5 packets received by filter
0 packets dropped by kernel
5 packets captured
5 packets received by filter
0 packets dropped by kernel
===================================================
Packet capture on R0 (net1)
===================================================
16:23:28.663259 ARP, Request who-has 192.168.0.2 tell 192.168.0.1, length 28
16:23:28.663267 ARP, Reply 192.168.0.2 is-at c6:b7:02:a9:e9:6f, length 28
16:23:28.663267 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0x00000001,seq=0x1), length 120
16:23:28.663294 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0x00000001,seq=0x1), length 120
16:23:28.663294 IP 10.0.1.2 > 10.0.0.2: ICMP echo reply, id 62643, seq 1, length 64
reading from file /tmp/record.pcap, link-type EN10MB (Ethernet), snapshot length 262144
===================================================
Packet capture on R1 (net1)
===================================================
16:23:28.663261 ARP, Request who-has 192.168.0.2 tell 192.168.0.1, length 28
16:23:28.663267 ARP, Reply 192.168.0.2 is-at c6:b7:02:a9:e9:6f, length 28
16:23:28.663268 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0x00000001,seq=0x1), length 120
16:23:28.663268 IP 10.0.0.2 > 10.0.1.2: ICMP echo request, id 62643, seq 1, length 64
16:23:28.663294 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0x00000001,seq=0x1), length 120
reading from file /tmp/record.pcap, link-type EN10MB (Ethernet), snapshot length 262144
```
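Review bot: the README should explain what the reader is looking at in the capture, in particular why cleartext `ICMP echo reply` (on R0) and `ICMP echo request` (on R1) lines appear on net1 right after the inbound ESP packets: those are the decapsulated inner packets that the kernel re-injects on the same interface after xfrm input processing, not plaintext leaking onto the wire, and without that sentence the output looks like the tunnel is broken. A short addressing summary (C0 10.0.0.2, R0 10.0.0.1 and 192.168.0.1, R1 192.168.0.2 and 10.0.1.1, C1 10.0.1.2) and a note that the key in `spec.yaml` is a fixed demo value would also help; the heading `Simple statically-configured ESP tunnel mode example just works` reads awkwardly and could drop the trailing `just works`.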
85 changes: 85 additions & 0 deletions examples/basic_ipsec/static_esp_tunnel_simple/spec.yaml
@@ -0,0 +1,85 @@
nodes:
- name: C0
image: nicolaka/netshoot:latest
interfaces:
- name: net0
type: direct
args: R0#net0
- name: R0
image: nicolaka/netshoot:latest
interfaces:
- name: net0
type: direct
args: C0#net0
- name: net1
type: direct
args: R1#net1
- name: R1
image: nicolaka/netshoot:latest
interfaces:
- name: net0
type: direct
args: C1#net0
- name: net1
type: direct
args: R0#net1
- name: C1
image: nicolaka/netshoot:latest
interfaces:
- name: net0
type: direct
args: R1#net0
node_configs:
- name: C0
cmds:
- cmd: ip addr add 10.0.0.2/24 dev net0
- cmd: ip route add default via 10.0.0.1
- name: R0
cmds:
- cmd: ip addr add 10.0.0.1/24 dev net0
- cmd: ip addr add 192.168.0.1/24 dev net1
- cmd: ip route add 10.0.1.0/24 via 192.168.0.2
- cmd: ip xfrm state add src 192.168.0.2 dst 192.168.0.1 proto esp spi 0x1 aead "rfc4106(gcm(aes))" 0x0000000000112233445566778899aabbccddeeff 128 mode tunnel
- cmd: ip xfrm state add src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x1 aead "rfc4106(gcm(aes))" 0x0000000000112233445566778899aabbccddeeff 128 mode tunnel
- cmd: ip xfrm policy add src 10.0.0.2/32 dst 10.0.1.2/32 dir out tmpl src 192.168.0.1 dst 192.168.0.2 proto esp spi 1 mode tunnel
- cmd: ip xfrm policy add src 10.0.1.2/32 dst 10.0.0.2/32 dir in tmpl src 192.168.0.2 dst 192.168.0.1 proto esp spi 1 mode tunnel
- cmd: ip xfrm policy add src 10.0.1.2/32 dst 10.0.0.2/32 dir fwd tmpl src 192.168.0.2 dst 192.168.0.1 proto esp spi 1 mode tunnel
- name: R1
cmds:
- cmd: ip addr add 10.0.1.1/24 dev net0
- cmd: ip addr add 192.168.0.2/24 dev net1
- cmd: ip route add 10.0.0.0/24 via 192.168.0.1
- cmd: ip xfrm state add src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x1 aead "rfc4106(gcm(aes))" 0x0000000000112233445566778899aabbccddeeff 128 mode tunnel
- cmd: ip xfrm state add src 192.168.0.2 dst 192.168.0.1 proto esp spi 0x1 aead "rfc4106(gcm(aes))" 0x0000000000112233445566778899aabbccddeeff 128 mode tunnel
- cmd: ip xfrm policy add src 10.0.1.2/32 dst 10.0.0.2/32 dir out tmpl src 192.168.0.2 dst 192.168.0.1 proto esp spi 1 mode tunnel
- cmd: ip xfrm policy add src 10.0.0.2/32 dst 10.0.1.2/32 dir in tmpl src 192.168.0.1 dst 192.168.0.2 proto esp spi 1 mode tunnel
- cmd: ip xfrm policy add src 10.0.0.2/32 dst 10.0.1.2/32 dir fwd tmpl src 192.168.0.1 dst 192.168.0.2 proto esp spi 1 mode tunnel
- name: C1
cmds:
- cmd: ip addr add 10.0.1.2/24 dev net0
- cmd: ip route add default via 10.0.1.1
test:
- cmds:
- cmd: echo "==================================================="
- cmd: echo "Starting packet capture on R0 (net1) and R1 (net1)"
- cmd: echo "==================================================="
- cmd: docker exec R0 tcpdump -nni net1 -w /tmp/record.pcap 2>&1 > /dev/null &
- cmd: docker exec R1 tcpdump -nni net1 -w /tmp/record.pcap 2>&1 > /dev/null &
- cmd: sleep 3
- cmd: echo "==================================================="
- cmd: echo "ping from C0 to C1"
- cmd: echo "==================================================="
- cmd: docker exec C0 ping -c 1 10.0.1.2
- cmd: echo "==================================================="
- cmd: echo "Stopping packet capture on R0 (net1) and R1 (net1)"
- cmd: echo "==================================================="
- cmd: docker exec R0 pkill tcpdump
- cmd: docker exec R1 pkill tcpdump
- cmd: echo "==================================================="
- cmd: echo "Packet capture on R0 (net1)"
- cmd: echo "==================================================="
- cmd: docker exec R0 tcpdump -nnr /tmp/record.pcap
- cmd: echo "==================================================="
- cmd: echo "Packet capture on R1 (net1)"
- cmd: echo "==================================================="
- cmd: docker exec R1 tcpdump -nnr /tmp/record.pcap
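Review bot: every `ip xfrm state add` line installs the same 20-byte `rfc4106(gcm(aes))` key (a 16-byte AES key followed by the 4-byte salt `ccddeeff`) for both the 192.168.0.1 -> 192.168.0.2 and 192.168.0.2 -> 192.168.0.1 SAs. AES-GCM requires that a key/nonce pair never repeat, and RFC 4106 puts that burden on whoever holds the key; with one key and one salt shared by two SAs that each run their own sequence counter from 1, nothing in this configuration guarantees it, so even an example should use a distinct key per direction (IKE always derives separate keys per direction for this reason) and mark the values as demo keys in a comment. Minor: in the two `tcpdump -nni net1 -w /tmp/record.pcap 2>&1 > /dev/null &` lines the redirection order sends stderr to the terminal and only stdout to /dev/null, which is why `tcpdump: listening on net1 ...` shows up in the README output; `> /dev/null 2>&1` is presumably what was intended.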