IPSEC: script to bounce IPSEC traffic through a pipe to test encrypt and decrpyt

Change-Id: I262a9412951b5df616920a8fad16c61eae96d0cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-04 13:44:42 +00:00
parent c919982a0f
commit fd06084a9e
2 changed files with 99 additions and 0 deletions
--- a/src/scripts/vnet/ipsec
+++ b/src/scripts/vnet/ipsec
@ -0,0 +1,66 @@
+
+create packet-generator interface pg0
+create packet-generator interface pg1
+
+pipe create
+
+ip table add 1
+set int ip table pg1 1
+set int ip table pipe0.1 1
+
+set int ip address pg0 192.168.0.1/24
+set int ip address pg1 192.168.1.1/24
+
+set int ip address pipe0.0 10.0.0.1/24
+set int ip address pipe0.1 10.0.0.2/24
+
+set int state pg0 up
+set int state pg1 up
+set int state pipe0 up
+
+create ipsec tunnel local-ip 10.0.0.1 remote-ip 10.0.0.2 local-spi 100 remote-spi 101 local-crypto-key A11E51E5B1E0 remote-crypto-key A11E51E5B1E0 crypto-alg aes-cbc-128
+
+set int state ipsec0 up
+set int unnum ipsec0 use pg0
+
+create ipsec tunnel local-ip 10.0.0.2 remote-ip 10.0.0.1 local-spi 101 remote-spi 100 tx-table 1 local-crypto-key A11E51E5B1E0 remote-crypto-key A11E51E5B1E0 crypto-alg aes-cbc-128 
+
+set int state ipsec1 up
+set int ip table ipsec1 1
+set int unnum ipsec1 use pg1
+
+ip route add 192.168.1.0/24 via ipsec0
+set ip arp pg1 192.168.1.2 00:11:22:33:44:55
+ip route add table 1 192.168.0.0/24 via ipsec1
+set ip arp pg0 192.168.0.2 00:11:22:33:44:66
+
+trace add pg-input 100
+
+packet-generator new {
+  name ipsec1
+  limit 1
+  rate 1e4
+  node ip4-input
+  interface pg0
+  size 100-100
+  data {
+   UDP: 192.168.0.2 -> 192.168.1.2
+   UDP: 4321 -> 1234
+    length 72
+    incrementing 100
+  }
+}
+packet-generator new {
+  name ipsec2
+  limit 1
+  rate 1e4
+  node ip4-input
+  interface pg1
+  size 100-100
+  data {
+   UDP: 192.168.1.2 -> 192.168.0.2
+   UDP: 4321 -> 1234
+    length 72
+    incrementing 100
+  }
+}
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@ -619,6 +619,7 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
  u8 ipv4_set = 0;
  u8 ipv6_set = 0;
  clib_error_t *error = NULL;
+  ipsec_key_t rck, lck, lik, rik;

  clib_memset (&a, 0, sizeof (a));
  a.is_add = 1;
@ -659,6 +660,28 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
 	a.anti_replay = 1;
      else if (unformat (line_input, "tx-table %u", &a.tx_table_id))
 	;
+      else
+	if (unformat
+	    (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck))
+	;
+      else
+	if (unformat
+	    (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck))
+	;
+      else if (unformat (line_input, "crypto-alg %U",
+			 unformat_ipsec_crypto_alg, &a.crypto_alg))
+	;
+      else
+	if (unformat
+	    (line_input, "local-integ-key %U", unformat_ipsec_key, &lik))
+	;
+      else
+	if (unformat
+	    (line_input, "rmote-integ-key %U", unformat_ipsec_key, &rik))
+	;
+      else if (unformat (line_input, "integ-alg %U",
+			 unformat_ipsec_integ_alg, &a.integ_alg))
+	;
      else if (unformat (line_input, "del"))
 	a.is_add = 0;
      else
@ -681,6 +704,16 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
  if (ipv4_set && ipv6_set)
    return clib_error_return (0, "both IPv4 and IPv6 addresses specified");

+  clib_memcpy (a.local_crypto_key, lck.data, lck.len);
+  a.local_crypto_key_len = lck.len;
+  clib_memcpy (a.remote_crypto_key, rck.data, rck.len);
+  a.remote_crypto_key_len = rck.len;
+
+  clib_memcpy (a.local_integ_key, lck.data, lck.len);
+  a.local_integ_key_len = lck.len;
+  clib_memcpy (a.remote_integ_key, rck.data, rck.len);
+  a.remote_integ_key_len = rck.len;
+
  rv = ipsec_add_del_tunnel_if (&a);

  switch (rv)