TEST: IPSEC NAT-T with UDP header

Change-Id: I5ef8b3f4be40a7a0b0f1cb90dc0e15a4711e8664
Signed-off-by: Neale Ranns <nranns@cisco.com>

src/vnet/ipsec/ipsec.api

@@ -235,6 +235,7 @@ enum ipsec_sad_flags
 
   /* come-on Ole please fix this */
   IPSEC_API_SAD_COMBO_12 = 12,
+  IPSEC_API_SAD_COMBO_18 = 18,
   IPSEC_API_SAD_COMBO_20 = 20,
 };
 

test/template_ipsec.py

@@ -1,7 +1,7 @@
 import unittest
 import socket
 
-from scapy.layers.inet import IP, ICMP, TCP
+from scapy.layers.inet import IP, ICMP, TCP, UDP
 from scapy.layers.ipsec import SecurityAssociation
 from scapy.layers.l2 import Ether, Raw
 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
@@ -41,6 +41,8 @@ class IPsecIPv4Params(object):
                                   IPSEC_API_CRYPTO_ALG_AES_CBC_128)
         self.crypt_algo = 'AES-CBC'  # scapy name
         self.crypt_key = 'JPjyOWBeVEQiMe7h'
+        self.flags = 0
+        self.nat_header = None
 
 
 class IPsecIPv6Params(object):
@@ -73,6 +75,8 @@ class IPsecIPv6Params(object):
                                   IPSEC_API_CRYPTO_ALG_AES_CBC_256)
         self.crypt_algo = 'AES-CBC'  # scapy name
         self.crypt_key = 'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
+        self.flags = 0
+        self.nat_header = None
 
 
 class TemplateIpsec(VppTestCase):
@@ -168,29 +172,35 @@ class TemplateIpsec(VppTestCase):
             auth_algo=params.auth_algo, auth_key=params.auth_key,
             tunnel_header=ip_class_by_addr_type[params.addr_type](
                 src=self.tun_if.remote_addr[params.addr_type],
-                dst=self.tun_if.local_addr[params.addr_type]))
+                dst=self.tun_if.local_addr[params.addr_type]),
+            nat_t_header=params.nat_header)
         vpp_tun_sa = SecurityAssociation(
             self.encryption_type, spi=params.scapy_tun_spi,
             crypt_algo=params.crypt_algo, crypt_key=params.crypt_key,
             auth_algo=params.auth_algo, auth_key=params.auth_key,
             tunnel_header=ip_class_by_addr_type[params.addr_type](
                 dst=self.tun_if.remote_addr[params.addr_type],
-                src=self.tun_if.local_addr[params.addr_type]))
+                src=self.tun_if.local_addr[params.addr_type]),
+            nat_t_header=params.nat_header)
         return vpp_tun_sa, scapy_tun_sa
 
     def configure_sa_tra(self, params):
-        params.scapy_tra_sa = SecurityAssociation(self.encryption_type,
+        params.scapy_tra_sa = SecurityAssociation(
-                                                  spi=params.vpp_tra_spi,
+            self.encryption_type,
-                                                  crypt_algo=params.crypt_algo,
+            spi=params.vpp_tra_spi,
-                                                  crypt_key=params.crypt_key,
+            crypt_algo=params.crypt_algo,
-                                                  auth_algo=params.auth_algo,
+            crypt_key=params.crypt_key,
-                                                  auth_key=params.auth_key)
+            auth_algo=params.auth_algo,
-        params.vpp_tra_sa = SecurityAssociation(self.encryption_type,
+            auth_key=params.auth_key,
-                                                spi=params.scapy_tra_spi,
+            nat_t_header=params.nat_header)
-                                                crypt_algo=params.crypt_algo,
+        params.vpp_tra_sa = SecurityAssociation(
-                                                crypt_key=params.crypt_key,
+            self.encryption_type,
-                                                auth_algo=params.auth_algo,
+            spi=params.scapy_tra_spi,
-                                                auth_key=params.auth_key)
+            crypt_algo=params.crypt_algo,
+            crypt_key=params.crypt_key,
+            auth_algo=params.auth_algo,
+            auth_key=params.auth_key,
+            nat_t_header=params.nat_header)
 
 
 class IpsecTcpTests(object):
@@ -210,7 +220,7 @@ class IpsecTcpTests(object):
         self.assert_packet_checksums_valid(decrypted)
 
 
-class IpsecTraTests(object):
+class IpsecTra4Tests(object):
     def test_tra_anti_replay(self, count=1):
         """ ipsec v4 transport anti-reply test """
         p = self.params[socket.AF_INET]
@@ -320,6 +330,8 @@ class IpsecTraTests(object):
         """ ipsec v4 transport burst test """
         self.test_tra_basic(count=257)
 
+
+class IpsecTra6Tests(object):
     def test_tra_basic6(self, count=1):
         """ ipsec v6 transport basic test """
         self.vapi.cli("clear errors")
@@ -358,6 +370,10 @@ class IpsecTraTests(object):
         self.test_tra_basic6(count=257)
 
 
+class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
+    pass
+
+
 class IpsecTun4Tests(object):
     def test_tun_basic44(self, count=1):
         """ ipsec 4o4 tunnel basic test """
@@ -477,7 +493,7 @@ class IpsecTun6Tests(object):
         self.test_tun_basic66(count=257)
 
 
-class IpsecTunTests(IpsecTun4Tests, IpsecTun6Tests):
+class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
     pass
 
 

test/test_ipsec_ah.py

@@ -4,7 +4,7 @@ import unittest
 from scapy.layers.ipsec import AH
 
 from framework import VppTestRunner
-from template_ipsec import TemplateIpsec, IpsecTraTests, IpsecTunTests
+from template_ipsec import TemplateIpsec, IpsecTra46Tests, IpsecTun46Tests
 from template_ipsec import IpsecTcpTests
 from vpp_ipsec import VppIpsecSA, VppIpsecSpd, VppIpsecSpdEntry,\
         VppIpsecSpdItfBinding
@@ -203,7 +203,7 @@ class TemplateIpsecAh(TemplateIpsec):
                          priority=10).add_vpp_config()
 
 
-class TestIpsecAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests):
+class TestIpsecAh1(TemplateIpsecAh, IpsecTra46Tests, IpsecTun46Tests):
     """ Ipsec AH - TUN & TRA tests """
     tra4_encrypt_node_name = "ah4-encrypt"
     tra4_decrypt_node_name = "ah4-decrypt"