# $OpenBSD: Makefile,v 1.34 2021/12/21 13:50:35 tobhe Exp $
# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
REGRESS_SETUP_ONCE = setup
REGRESS_CLEANUP = cleanup
CLEANFILES = *.conf *.cnf *.csr *.key *.crt *.srl
LEFT_SSH ?=
RIGHT_SSH ?=
LEFT_ADDR ?=
RIGHT_ADDR ?=
.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
@echo this test needs two remote machines to operate
@echo LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined
@echo SKIPPED
.endif
TEST_FLOWS = \
[ -z $$tmode ] && tmode=tunnel; \
_ret=1; \
count=0; \
dynamic=${RIGHT_ADDR}; \
if [ -n "$$config_address" ]; then \
dynamic="172.16.13.[0-9]+"; \
fi; \
[ -z "$$maxwait" ] && maxwait=3; \
while [[ $$count -le $$maxwait ]]; do \
ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
flowleft=`echo "$$ipsecctlleft" \
| sed -E -n "/^flow $$flowtype in from $$dynamic\
to ${LEFT_ADDR} peer ${RIGHT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
flowright=`echo "$$ipsecctlright" \
| sed -E -n "/^flow $$flowtype in from ${LEFT_ADDR}\
to $$dynamic peer ${LEFT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
saleft_rtol=`echo "$$ipsecctlleft" \
| sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
saleft_ltor=`echo "$$ipsecctlleft" \
| sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
saright_rtol=`echo "$$ipsecctlright" \
| sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
saright_ltor=`echo "$$ipsecctlright" \
| sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
-n "$$saright_ltor" && -n "$$saright_rtol" && \
-n "$$flowleft" && -n "$$flowright" ]]; then \
_ret=0; \
break; \
fi; \
let count=$$count+1; \
done; \
if [[ "$${_ret}" -ne 0 ]]; then \
echo "SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
fi
TEST_PING = \
_ret=1; \
if [[ "${IPV}" == "6" ]]; then ping="ping6"; else ping="ping"; fi; \
dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & \
$$ping -w 1 -n -c 5 ${RIGHT_ADDR} > /dev/null && \
tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; \
kill -9 \\$$! > /dev/null 2>&1 || true"`; \
rtol=`echo "$$dump" \
| sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
ltor=`echo "$$dump" \
| sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
if [[ -z "$$rtol" || -z "$$ltor" ]]; then \
_ret=1; \
else \
_ret=0; \
fi; \
echo "$$dump"
TEST_SINGLEIKESA = \
count=`ssh ${LEFT_SSH} "ikectl show sa | grep -c iked_sas"`; \
if [[ "$$count" != "1" ]]; then \
echo "error: too many IKE SAs."; \
exit 1; \
fi
SETUP_CONFIG = \
from=$$local; \
to=$$peer; \
if [[ -z "$$mode" ]]; then mode="active"; fi; \
authstr=""; \
if [[ "$$auth" = "psk" ]]; then \
authstr="psk $$psk"; \
fi; \
ipcomp=""; \
if [[ "$$flowtype" = "ipcomp" ]]; then \
ipcomp="ipcomp"; \
fi; \
global=""; \
if [ "$$fragmentation" = true ]; then \
global="$${global}set fragmentation\n"; \
fi; \
if [ "$$singleikesa" = true ]; then \
global="$${global}set enforcesingleikesa\n"; \
fi; \
if [ "$$intermediate" = true ]; then \
global="$${global}set cert_partial_chain\n"; \
fi; \
confstr=""; \
if [ -n "$$config_address" ]; then \
if [ "$$side" = left ]; then \
mode=passive; \
confstr="config address $$config_address"; \
if [[ "$$config_address" == */* ]]; then \
to="dynamic"; \
else \
to="$$config_address"; \
fi; \
else \
mode=active; \
confstr="request address any"; \
if [[ "$$config_address" == */* ]]; then \
from="dynamic"; \
else \
from="$$config_address"; \
fi; \
fi; \
fi; \
echo "MODE=\"$$mode\"" >> $@_$$side.conf; \
echo "TMODE=\"$$tmode\"" >> $@_$$side.conf; \
echo "FROM=\"$$from\"" >> $@_$$side.conf; \
echo "TO=\"$$to\"" >> $@_$$side.conf; \
echo "LOCAL_ADDR=\"$$local\"" >> $@_$$side.conf; \
echo "PEER_ADDR=\"$$peer\"" >> $@_$$side.conf; \
echo "IPCOMP=\"$$ipcomp\"" >> $@_$$side.conf; \
echo "SRCID=\"\\\"$$srcid\\\"\"" >> $@_$$side.conf; \
echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
echo "$$global" >> $@_$$side.conf; \
cat ${.CURDIR}/iked.in >> $@_$$side.conf
DEPLOY_CONFIGS = \
chmod 0600 $@_left.conf; \
echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
chmod 0600 $@_right.conf; \
echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}; \
rm -f $@_left.conf $@_right.conf
SETUP_CONFIGS = \
if [[ "$$auth" = "psk" ]]; then \
psk=`openssl rand -hex 20`; \
fi; \
side=left; \
srcid=$$leftid; \
local=${LEFT_ADDR}; \
peer=${RIGHT_ADDR}; \
${SETUP_CONFIG}; \
side=right; \
srcid=$$rightid; \
local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
SETUP_SYSCTL = \
ssh ${LEFT_SSH} "sysctl $$sysctl"; \
ssh ${RIGHT_SSH} "sysctl $$sysctl"
SETUP_START = \
ssh ${LEFT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"
SETUP_RELOAD_RIGHT = \
ssh ${RIGHT_SSH} "ikectl reload"
SETUP_CERT = \
echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
openssl req -config $$name-from-$$caname.cnf -new -key $$name.key -nodes \
-out $$name-from-$$caname.csr; \
openssl x509 -extfile $$name-from-$$caname.cnf -extensions req_cert_extensions \
-req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
-CAcreateserial -out $$name-from-$$caname.crt
SETUP_INTERMEDIATE = \
echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
openssl genrsa -out $$name-from-$$caname.key 2048; \
openssl req -config $$name-from-$$caname.cnf -new -key $$name-from-$$caname.key -nodes \
-out $$name-from-$$caname.csr; \
openssl x509 -extfile $$name-from-$$caname.cnf -extensions v3_intermediate_ca \
-req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
-CAcreateserial -out $$name-from-$$caname.crt
SETUP_CA = \
openssl genrsa -out $$caname.key 2048; \
openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname" \
-new -x509 -key $$caname.key -out $$caname.crt
cleanup:
-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
sysctl "net.inet.esp.udpencap_port=4500"; \
rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
sysctl "net.inet.esp.udpencap_port=4500"; \
rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt \
ca-none.crt left-from-ca-none.crt right-from-ca-none.crt \
intermediate-from-ca-none.crt left-from-intermediate-from-ca-none.crt \
right-from-intermediate-from-ca-none.crt
echo "cd /etc/iked\n \
put left-from-ca-both.crt certs\n \
put left-from-ca-right.crt certs\n \
put left-from-ca-none.crt certs\n \
put left-from-intermediate-from-ca-none.crt certs\n \
put right-from-ca-none.crt certs\n \
put left.key private/local.key\n \
put intermediate-from-ca-none.crt ca\n \
put ca-left.crt ca\n \
put ca-both.crt ca\n" | sftp ${LEFT_SSH} -q; \
echo "cd /etc/iked\n \
put right-from-ca-both.crt certs\n \
put right-from-ca-left.crt certs\n \
put right-from-ca-none.crt certs\n \
put right-from-intermediate-from-ca-none.crt certs\n \
put left-from-ca-none.crt certs\n \
put right.key private/local.key\n \
put intermediate-from-ca-none.crt ca\n \
put ca-right.crt ca\n \
put ca-both.crt ca\n" | sftp ${RIGHT_SSH} -q; \
ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"
setup_pf: pf.in
echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${LEFT_SSH}
echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${RIGHT_SSH}
-ssh ${LEFT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
-ssh ${RIGHT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
setup: setup_pf setup_certs
.PHONY: setup_certs
test_flows:
${TEST_FLOWS}
left.key right.key:
openssl genrsa -out $@ 2048
ca-both.crt ca-both.key:
caname=ca-both; ${SETUP_CA}
left-from-ca-both.crt: ca-both.crt ca-both.key left.key
caname=ca-both; name=left; ${SETUP_CERT}
right-from-ca-both.crt: ca-both.crt ca-both.key right.key
caname=ca-both; name=right; ${SETUP_CERT}
ca-left.crt ca-left.key:
caname=ca-left; ${SETUP_CA}
right-from-ca-left.crt right.key: ca-left.crt ca-left.key
caname=ca-left; name=right; ${SETUP_CERT}
ca-right.crt ca-right.key:
caname=ca-right; ${SETUP_CA}
left-from-ca-right.crt left.key: ca-right.crt ca-right.key
caname=ca-right; name=left; ${SETUP_CERT}
ca-none.crt ca-none.key:
caname=ca-none; ${SETUP_CA}
left-from-ca-none.crt left.key: ca-none.crt ca-none.key
caname=ca-none; name=left; ${SETUP_CERT}
right-from-ca-none.crt right.key: ca-none.crt ca-none.key
caname=ca-none; name=right; ${SETUP_CERT}
intermediate-from-ca-none.crt intermediate-from-ca-none.key:
caname=ca-none name=intermediate; ${SETUP_INTERMEDIATE}
left-from-intermediate-from-ca-none.crt left.key: \
intermediate-from-ca-none.crt intermediate-from-ca-none.key
caname=intermediate-from-ca-none; name=left; ${SETUP_CERT}
right-from-intermediate-from-ca-none.crt right.key: \
intermediate-from-ca-none.crt intermediate-from-ca-none.key
caname=intermediate-from-ca-none; name=right; ${SETUP_CERT}
REGRESS_TARGETS = run-ping-fail
run-ping-fail:
ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked || true"
${TEST_PING}; \
if [[ $$_ret -ne 1 ]]; then exit 1; fi
REGRESS_TARGETS += run-cert-single-ca
run-cert-single-ca:
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-cert-single-ca-asn1dn
run-cert-single-ca-asn1dn:
leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; \
rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-cert-no-ca
run-cert-no-ca:
leftid=left-from-ca-none; \
rightid=right-from-ca-none; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-config-address
run-config-address:
flowtype=esp; \
config_address=172.16.13.36; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
config_address=172.16.13.36; \
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-config-address-pool
run-config-address-pool:
flowtype=esp; \
config_address=172.16.13.36/31; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
config_address=172.16.13.36/31; \
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-dstid-fail
run-dstid-fail:
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
side=left; \
srcid=$$leftid; \
local=${LEFT_ADDR}; \
peer=${RIGHT_ADDR}; \
${SETUP_CONFIG}; \
side=right; \
mode=passive; \
srcid=$$rightid; \
local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; \
dstid="dstid invalid"; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
REGRESS_TARGETS += run-dstid
run-dstid:
flowtype=esp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
side=left; \
srcid=$$leftid; \
local=${LEFT_ADDR}; \
peer=${RIGHT_ADDR}; \
dstid="dstid $$rightid"; \
${SETUP_CONFIG}; \
side=right; \
srcid=$$rightid; \
local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; \
dstid="dstid $$leftid"; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-dstid-multi
run-dstid-multi:
flowtype=esp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
dstid="dstid $$rightid"; \
${SETUP_CONFIG}; \
side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
${SETUP_CONFIG}; \
dstid="dstid roflol"; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-srcid-multi
run-srcid-multi:
flowtype=esp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
dstid="dstid $$rightid"; \
${SETUP_CONFIG}; \
side=right; mode=passive; srcid="borked"; local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; dstid=""; \
${SETUP_CONFIG}; \
srcid=$$rightid; \
${SETUP_CONFIG}; \
srcid="roflol"; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
flowtype=esp; \
leftid=left-from-ca-right; \
rightid=right-from-ca-left; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
flowtype=esp; \
leftid=left-from-ca-both-alternative; \
rightid=right-from-ca-both@openbsd.org; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-invalid-ke
run-invalid-ke:
flowtype=esp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
dstid="dstid $$rightid"; \
ikesa="ikesa group ecp256 group curve25519"; \
${SETUP_CONFIG}; \
side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
ikesa="ikesa group curve25519"; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; maxwait=6; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-psk-fail
run-psk-fail:
auth=psk; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
flowtype=esp; \
side=left; \
srcid=$$leftid; \
local=${LEFT_ADDR}; \
peer=${RIGHT_ADDR}; \
dstid="dstid $$rightid"; \
psk=`openssl rand -hex 20`; \
${SETUP_CONFIG}; \
side=right; \
srcid=$$rightid; \
local=${RIGHT_ADDR}; \
peer=${LEFT_ADDR}; \
dstid="dstid $$leftid"; \
psk=`openssl rand -hex 20`; \
${SETUP_CONFIG}; \
${DEPLOY_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
REGRESS_TARGETS += run-psk
run-psk:
auth=psk; \
leftid=left; \
rightid=right; \
flowtype=esp; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; \
if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; \
if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-intermediate-fail
run-intermediate-fail:
leftid=left-from-intermediate-from-ca-none; \
rightid=right-from-intermediate-from-ca-none; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
REGRESS_TARGETS += run-intermediate
run-intermediate:
intermediate=true; \
leftid=left-from-intermediate-from-ca-none; \
rightid=right-from-intermediate-from-ca-none; \
${SETUP_CONFIGS}
${SETUP_START}
if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-fragmentation
run-fragmentation:
flowtype=esp; \
fragmentation=true; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
flowtype=esp; ${TEST_FLOWS}; \
if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; \
if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-transport
run-transport:
flowtype=esp; \
tmode=transport; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
tmode=transport; flowtype=esp; \
${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-singleikesa
run-singleikesa:
flowtype=esp; \
singleikesa=true; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
${SETUP_START}
sleep 1; ${SETUP_RELOAD_RIGHT}; \
sleep 3; ${TEST_SINGLEIKESA}
REGRESS_TARGETS += run-ipcomp
run-ipcomp:
flowtype=ipcomp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}
sysctl="net.inet.ipcomp.enable=1"; \
${SETUP_SYSCTL}
${SETUP_START}
flowtype=ipcomp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
flowtype=esp; \
leftid=left-from-ca-both; \
rightid=right-from-ca-both; \
${SETUP_CONFIGS}; \
sysctl="net.inet.esp.udpencap_port=9999"; \
${SETUP_SYSCTL};
iked_flags=-p9999; \
${SETUP_START};
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
sysctl="net.inet.esp.udpencap_port=4500"; \
${SETUP_SYSCTL};
.include <bsd.regress.mk>